Vulnerability-wiki

Cisco IOS SNMP Command Execution Vulnerability (CVE-2017-6736)

CVE-2017-6736 is a remote command execution vulnerability affecting Cisco IOS. By sending crafted SNMP packets, an attacker can exploit it to execute code remotely or cause the system to reload.

Affected versions: the vulnerability exists in Cisco IOS 12.0 through 12.4 and 15.0 through 15.6, and in IOS XE 2.2 through 3.17.

Device layer → Network layer → System layer
Remote command execution, compromising the security of the device.


How it works

An attacker can exploit the vulnerability by sending specially crafted SNMP request packets that execute arbitrary code on the target system. The requests are directed at the device's SNMP service (UDP port 161 by default). The root cause is improper handling in the SNMP subsystem, which lets an attacker execute commands on the device.

Example verification request

The verification sends an SNMP GET request for the device description (sysDescr) and checks whether the returned string reports an affected software version. It fingerprints the version rather than triggering the vulnerability itself, so a positive result means "runs an affected release", not "exploit confirmed".

import asyncio

from pysnmp.hlapi.v3arch.asyncio import (
    CommunityData, ContextData, ObjectIdentity, ObjectType, SnmpEngine,
    UdpTransportTarget, get_cmd,
)
from pocsuite3.api import OptString, Output, POCBase, register_poc


class CVE2017_6736_POC(POCBase):
    vulID = "CVE-2017-6736"
    author = ['zhb', 'tzh00203']
    name = "RCE by sending crafted SNMP packet"
    desc = '''The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. '''
    reference = "https://www.cve.org/CVERecord?id=CVE-2017-6736"

    def _options(self):
        o = {
            'port': OptString(default='161', description='Port to connect to the target', require=False),
        }
        return o

    def _verify(self):
        # Version fingerprint only: reads sysDescr, sends no crafted packet.
        result = asyncio.run(self.snmpget())
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        # No exploit is implemented; attack mode performs the same version check.
        return self._verify()

    async def snmpget(self):
        hostname = self.target
        port = int(self.get_option('port'))  # option values arrive as strings
        result = {}

        snmpEngine = SnmpEngine()
        # SNMPv1 (mpModel=0) GET of SNMPv2-MIB::sysDescr.0 using the default
        # read community "public".
        iterator = get_cmd(
            snmpEngine,
            CommunityData("public", mpModel=0),
            await UdpTransportTarget.create((hostname, port)),
            ContextData(),
            ObjectType(ObjectIdentity("SNMPv2-MIB", "sysDescr", 0)),
        )

        errorIndication, errorStatus, errorIndex, varBinds = await iterator

        if errorIndication:
            pass  # transport error (timeout, unreachable, wrong community): not verified
        elif errorStatus:
            pass  # SNMP error response (e.g. noSuchName): not verified
        else:
            for varBind in varBinds:
                desc = " = ".join([x.prettyPrint() for x in varBind])
                # Substring match against the affected ranges listed above:
                # IOS 12.0-12.4 and 15.0-15.6; IOS XE 2.2-2.9, 3.00-3.09, 3.10-3.17.
                if ("Cisco IOS" in desc and (any(f"12.{i}" in desc for i in range(5)) or any(f"15.{i}" in desc for i in range(7)))) or\
                    ("IOS XE" in desc and (any(f"2.{i}" in desc for i in range(2,10)) or any(f"3.0{i}" in desc for i in range(10)) or any(f"3.1{i}" in desc for i in range(8)))):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['Target'] = f"{hostname}:{port}"
                    snmpEngine.close_dispatcher()
                    return result

        snmpEngine.close_dispatcher()
        return result


register_poc(CVE2017_6736_POC)
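The substring test in the PoC above is brittle: it cannot see that "Version 03.06.04.E" is IOS XE 3.6, and any "12.x" elsewhere in the string counts as a hit. The following added example (not part of the original page or the PoC) parses the version out of a sysDescr string and compares it numerically against the affected ranges the page lists, which is what an inventory scan would want when deciding which devices need SNMP hardening. It assumes Cisco sysDescr strings carry "Version <major>.<minor>" and that IOS XE images mention "IOS-XE" or "IOS XE"; the sample strings are constructed, not captured.

```python
import re

# Affected major.minor ranges (inclusive) as stated on this page.
AFFECTED = {
    "IOS": [((12, 0), (12, 4)), ((15, 0), (15, 6))],
    "IOS XE": [((2, 2), (3, 17))],
}

# Assumption: Cisco sysDescr strings carry "Version <major>.<minor>..." and
# IOS XE images identify themselves with "IOS-XE" (or "IOS XE") in the text.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)")


def parse_sysdescr(desc):
    """Return (family, (major, minor)) for a Cisco IOS/IOS XE sysDescr, else None.

    Leading zeros such as "03.06" are normalised, so the numeric comparison in
    is_affected() works where a substring match like "3.0" would not.
    """
    if "Cisco IOS" not in desc:
        return None
    family = "IOS XE" if ("IOS-XE" in desc or "IOS XE" in desc) else "IOS"
    m = _VERSION_RE.search(desc)
    if m is None:
        return None
    return family, (int(m.group(1)), int(m.group(2)))


def is_affected(desc):
    """True if the reported train falls inside an affected range for its family."""
    parsed = parse_sysdescr(desc)
    if parsed is None:
        return False
    family, ver = parsed
    return any(lo <= ver <= hi for lo, hi in AFFECTED[family])


# Constructed sample sysDescr values, not captured from real devices.
IOS_12_4 = ("Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), "
            "Version 12.4(15)T7, RELEASE SOFTWARE (fc3)")
IOS_XE_3_6 = ("Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch "
              "Software (cat4500e-UNIVERSALK9-M), Version 03.06.04.E RELEASE SOFTWARE (fc1)")
IOS_15_7 = ("Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
            "Version 15.7(1)E, RELEASE SOFTWARE (fc1)")
NOT_CISCO = "Linux host 5.15.0 #1 SMP x86_64"

if __name__ == "__main__":
    for desc in (IOS_12_4, IOS_XE_3_6, IOS_15_7, NOT_CISCO):
        print("AFFECTED" if is_affected(desc) else "ok      ", desc[:60])
```

Feed it the sysDescr strings collected by an SNMP walk of your own estate; devices flagged AFFECTED are the ones to restrict SNMP access on and upgrade.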

References

https://www.cve.org/CVERecord?id=CVE-2017-6736


📝 Author: tzh00203 📧 Email: tian-zh24@mails.tsinghua.edu.cn 🏫 Affiliation: Tsinghua Uni. NISL 📅 Last updated: 2025-08-04