-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathiosxe-scanner.py
128 lines (108 loc) · 4.83 KB
/
iosxe-scanner.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/usr/bin/env python3
#CVE-2023-20198
#CVE-2023-20273
#Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
#Author: https://twitter.com/Shadow0pz or https://github.com/Shadow0ps
#Project Url: https://github.com/Shadow0ps/CVE-2023-20198-Scanner
#Please review the README.md for details on usage of this script.
#Shout out to mRr3b00t AKA @UK_Daniel_Card (Twitter/X) for all his great analysis of this exploit.
import sys
import argparse
import requests
import ipaddress
import urllib3 # Import this to disable SSL warnings
from termcolor import colored
from tqdm import tqdm
import threading
import time
# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Import and handle missing packages
try:
from requests.exceptions import RequestException
except ImportError:
print("Could not find required packages. Please run `pip install requests termcolor tqdm`.")
sys.exit(1)
# Create a global lock for thread-safe file writing
file_lock = threading.Lock()
# Check for a specified IOC.txt file. If not found then set the default IOC's.
def read_iocs_from_file(iocs_file):
try:
with open(iocs_file, "r") as f:
return f.read().splitlines()
except FileNotFoundError:
return ["<h1>404 Not Found</h1>", "openresty", "nginx"]
# Modified is_compromised function with added timeout
def is_compromised(session, url, headers, proxies, iocs, timeout=10) -> bool:
try:
response = session.get(url, headers=headers, verify=False, proxies=proxies, timeout=timeout)
for ioc in iocs:
if ioc in response.text:
return True
except RequestException as e:
print(f" Error: {e}")
return False
# Log all the things.
def log_to_file(logfile, message):
with file_lock:
with open(logfile, "a") as f:
f.write(message + "\n")
# This is where the work is done.
def check_target(target, args, session, iocs):
time.sleep(args.rate_limit)
http_url = f"http://{target.strip()}/%25"
https_url = f"https://{target.strip()}/%25"
headers = {"User-Agent": args.user_agent}
proxies = {
"http": args.proxy,
"https": args.proxy,
} if args.proxy else None
print(f"[!] Scanner is Checking {http_url}")
if is_compromised(session, http_url, headers, proxies, iocs):
print(colored(" WARNING: Possible implant found on HTTP! Please perform a forensic investigation!", "red"))
log_to_file("logfile.txt", f"{http_url} - Possible implant")
print(f"[!] Scanner is Checking {https_url}")
if is_compromised(session, https_url, headers, proxies, iocs):
print(colored(" WARNING: Possible implant found on HTTPS! Please perform a forensic investigation!", "red"))
log_to_file("logfile.txt", f"{https_url} - Possible implant detected!")
else:
print(colored(f"[*] The Scanner did not find any sign of compromise for either {http_url} or {https_url}. ", "green"))
def get_ips_from_cidr(cidr):
return [str(ip) for ip in ipaddress.IPv4Network(cidr)]
def main():
parser = argparse.ArgumentParser()
parser.add_argument("--target_file", help="File containing a list of Cisco IOS XE Device IPs or hostnames")
parser.add_argument("--cidr", help="CIDR range to scan")
parser.add_argument("--ip", help="Single IP to scan")
parser.add_argument("--user_agent", default="CISCO-IOS-Shell-Scanner-cisco-sa-iosxe-webui-privesc-j22SaA4z", help="Custom User-Agent header")
parser.add_argument("--rate_limit", type=float, default=1.0, help="Rate limit in seconds between requests")
parser.add_argument("--proxy", help="HTTP Proxy to use for requests")
parser.add_argument("--iocs_file", default="IOCS.txt", help="File containing Indicators of Compromise (IoCs) to look for in the response text")
args = parser.parse_args()
targets = []
if args.target_file:
try:
with open(args.target_file, "r") as f:
targets = f.readlines()
except FileNotFoundError:
print("Error: Target file not found. Please specify a different file path.")
sys.exit(1)
elif args.cidr:
targets = get_ips_from_cidr(args.cidr)
elif args.ip:
targets = [args.ip]
if not targets:
print("Error: No targets specified. Please provide a list of targets, CIDR or a single IP to scan.")
sys.exit(1)
iocs = read_iocs_from_file(args.iocs_file)
session = requests.Session()
session.verify = False
threads = []
for target in tqdm(targets, desc="Scanning Targets"):
thread = threading.Thread(target=check_target, args=(target, args, session, iocs))
threads.append(thread)
thread.start()
for thread in threads:
thread.join()
if __name__ == "__main__":
sys.exit(main())