Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273

2023-10-31 17:04:34 +01:00 · 2023-10-31 17:04:34 +01:00 · 4beb92b9a1
parent 98bfe07603
commit 4beb92b9a1
1 changed files with 124 additions and 0 deletions
--- a/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt
+++ b/payloads/library/Incident_Response/Auto-Check_Cisco_IOS_XE_Backdoor_based_on_CVE-2023-20198_and_CVE/payload.txt
@ -0,0 +1,124 @@
+* REM #############################################################################################
+* REM #                                                                                           #
+* REM # Title     : Auto-Check Cisco IOS XE Backdoor based on CVE-2023-20198 and CVE-2023-20273   #
+* REM # Author    : Aleff                                                                         #
+* REM # Version	  : 1.0                                                                           #
+* REM # Category  : incident-response                                                             #
+* REM # Target	  : Cisco IOS XE                                                                  #
+* REM #                                                                                           #
+* REM #############################################################################################
+
+
+QUACK DELAY 3000
+QUACK CTRL-ALT t
+QUACK DELAY 1000
+
+
+QUACK STRING echo 'while true; do
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING response=$(curl -k -H "Authorization: 0ff4fbf0ecffa77ce8d3852a29263e263838e9bb" -X POST https://systemip/webui/logoutconfirm.html?logon_hash=1)
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING if [[ $response =~ ^[0-9a-zA-Z]+$ ]]; then
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING if [ $? -eq 0]; then
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    # Attack detected, here you decide what to do in this moment
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    # 1. Send an email to sec-team
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# 2. Do some other ops
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# ...
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# 3. What do you want to do?
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    #    Can you reboot the system or you need to do something else before?
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    #    Do you want to close it?
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# ...
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# The only one way to close the backdoor is reboot the system, so don t change it (?)...
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    # |-> See the Conseguence section in README
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING    reboot
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING else
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING 	# You are safe :-)
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING fi
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING fi
+QUACK ENTER
+QUACK DELAY 500
+
+QUACK STRING sleep 300 # wait time
+QUACK ENTER
+QUACK DELAY 500
+
+
+* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
+* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
+QUACK STRING done' > #PATH-TO-SCRIPT#SCRIPT-NAME
+QUACK ENTER
+QUACK DELAY 500
+
+* REM To avoid some bad DELAY I decided to use only one command row
+
+* REM Old script
+* REM STRINGLN sudo chmod +x #SCRIPT-NAME
+* REM DELAY 500
+* REM STRINGLN #SUDO-PSWD
+* REM DELAY 3000
+* REM STRINGLN sh #PATH-TO-SCRIPT#SCRIPT-NAME $
+* REM STRINGLN exit
+
+* REM Optimized script
+
+* REM Set the script name replacing #SCRIPT-NAME, the default name is auto-check.sh but you can change it here since is used the DuckyScript variable #SCRIPT-NAME.
+* REM Here you chould define the script path replacing #PATH-TO-SCRIPT, if you don't change it is selected the default path, so the home path. If, for istance, you have a specific path where you put some stuff like this you can edit thi DuckyScript variable with the correct path
+QUACK STRING sudo chmod +x #SCRIPT-NAME; sh #PATH-TO-SCRIPT#SCRIPT-NAME $; exit
+QUACK ENTER
+QUACK DELAY 500
+
+* REM Here you must set your sudo password that permit to give the executable permissions to the file
+QUACK STRING #SUDO-PSWD
+QUACK ENTER