Giters

Atea-Redteam / CVE-2023-20198

CVE-2023-20198 Checkscript

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2023-20198

CVE-2023-20198 Checkscript based on: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/ Including the updated where there is an Authorization header to check for the known implant.

!! Upgraded to look for upgraded implant

The script checks length of returned response with code 200, and checks if length is shorter then 32 characters. Each IP returning shorter length than 32 chars should be checked to se if device is compromised. This script only gives you an indicator, not proof that the device is compromised.

The script also checks if the implant has been upgraded, as dicovered by Fox-IT: https://github.com/fox-it/cisco-ios-xe-implant-detection

Run:

python cve-2023-20198.py


and enter you desired subnet to scan. For example:

python CVE-2023-20198


Enter the subnet (CIDR notation): 10.0.0.0/22

IP: 10.0.0.94 - Error: no reply

IP: 10.0.0.94 - Error: no reply

IP: 10.0.0.96 - Status: 200

IP: 10.0.0.96 - Response is a potentially suspicious: 


IPs with status code 200, suspicious length, should be checked:

['10.0.0.96']

IPs with status code 200, but no IOC:

[]

About

CVE-2023-20198 Checkscript

Languages

Language:Python 100.0%