Cisco IOS XE Web UI Authentication Bypass and Privileged Account Creation
CVE-2023-20198 is a critical vulnerability in the Web UI feature of Cisco IOS XE Software. When the HTTP/HTTPS web management interface is enabled and exposed to the internet or other untrusted networks, a remote unauthenticated attacker can bypass authentication via the Web UI/WSMA interface and issue privileged actions that create a local user account on the device with privilege level 15. Cisco reported this flaw was used as the initial access step in observed in-the-wild exploitation. In those intrusions, attackers created local accounts such as cisco_tac_admin or cisco_support, then used the resulting access to continue post-compromise activity. Cisco later determined attackers chained this issue with CVE-2023-20273 in another Web UI component to elevate privileges to root and write an implant to the filesystem.
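As an added defender-side example (not part of this page or of any of the repositories summarized below), the following Python flags access-log requests that reach the Web UI/WSMA endpoints named on this page, including the double-encoded path form the bypass relies on, and audits a running-config excerpt for unexpected privilege-15 accounts and an enabled HTTP server. The log lines, config excerpt and admin allowlist are all constructed sample data.

```python
import re
from urllib.parse import unquote
# Constructed sample HTTP access-log lines (not from any real device).
SAMPLE_LOG = """\
203.0.113.9 - - [17/Oct/2023:10:02:15 +0000] "POST /%2577ebui_%2577sma_Http HTTP/1.1" 200 1330
203.0.113.9 - - [17/Oct/2023:10:02:40 +0000] "POST /webui/create_user HTTP/1.1" 200 88
10.0.0.7 - - [17/Oct/2023:10:03:00 +0000] "GET /webui/logoutconfirm.html HTTP/1.1" 200 240
"""
# Constructed running-config excerpt; the secrets are placeholders.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Endpoints named in the exploit summaries on this page, compared after full decoding.
WATCH_PATHS = {"/webui_wsma_http", "/webui_wsma_https", "/webui/create_user", "/webui/cisco_service.conf"}

def normalize_path(path):
    # Decode twice: the bypass relies on %25 surviving the first decode (%2577 -> %77 -> 'w').
    return unquote(unquote(path)).split("?", 1)[0].lower()

def find_suspicious_requests(log_text):
    """Flag requests that reach sensitive Web UI endpoints or use double encoding to get there."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw, norm = m["path"], normalize_path(m["path"])
        reasons = []
        if norm in WATCH_PATHS:
            reasons.append("sensitive webui endpoint")
        if "%25" in raw.lower():  # an encoded '%' means the path was encoded twice
            reasons.append("double-encoded path")
        if reasons:
            hits.append({"src": m["src"], "path": raw, "normalized": norm, "status": int(m["status"]), "reasons": reasons})
    return hits

def audit_running_config(config_text, known_admins):
    """Report privilege-15 accounts not on the allowlist and whether the Web UI is enabled at all."""
    findings = []
    for line in config_text.splitlines():
        m = re.match(r"^username (\S+) privilege 15\b", line)
        if m and m[1] not in known_admins:
            findings.append(f"unexpected privilege-15 user: {m[1]}")
        if line.strip() in ("ip http server", "ip http secure-server"):
            findings.append(f"web UI enabled: {line.strip()}")
    return findings
```

The logoutconfirm.html request in the sample is deliberately not flagged: it is the page the check-mode scripts below use, so on its own it is not evidence of exploitation.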
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (9 hidden).
This repository is a small standalone Python proof-of-concept exploit for CVE-2023-20198 affecting Cisco IOS XE Web UI/WSMA exposure. The repo contains four files: a single executable Python script (CVE-2023-20198-poc.py), a short README describing the vulnerability, a LICENSE file, and a standard Python .gitignore. The exploit logic is entirely contained in the Python script. The script accepts either a single target IP or a file of target IPs and supports multiple mutually exclusive actions: check vulnerability, retrieve running configuration, execute an arbitrary IOS CLI command, add a privileged user, or delete a user. It constructs SOAP XML payloads for either WSMA exec or WSMA config operations and sends them with requests.post() to a double-encoded endpoint path intended to bypass front-end path filtering and reach the internal WSMA service. The code disables TLS verification warnings and does not require authentication. Operationally, the exploit can do more than simple detection: it can execute commands remotely and alter device configuration. The most notable capability is unauthenticated creation of a privilege-15 account using default credentials shellsmoke/pwned unless overridden by arguments. It can also dump configuration via 'sh run', run arbitrary attacker-supplied CLI commands, and remove a user. Responses are parsed as XML for exec actions and may be appended to an output file. There are no hardcoded external C2 servers or third-party callback endpoints. The only network targets are operator-supplied Cisco device IPs accessed over HTTP or HTTPS at the crafted WSMA path. Overall, this is a real, functional exploit PoC with basic but impactful post-exploitation capability against vulnerable Cisco IOS XE devices.
This repository is a small standalone Python proof-of-concept exploit for CVE-2023-20198 affecting Cisco IOS XE Web UI / WSMA. The repository contains three files: a README with usage and vulnerability context, a requirements file listing requests and colorama, and a single executable script, main.py, which implements the exploit logic. The main capability is unauthenticated network exploitation via crafted SOAP POST requests to Cisco WSMA endpoints. The script maintains a list of candidate encoded WSMA paths and probes them to find a working vulnerable endpoint. Once a valid endpoint is found, it can send two classes of SOAP payloads: an exec payload using the urn:cisco:wsma-exec namespace for remote CLI command execution, and a config payload using the urn:cisco:wsma-config namespace for configuration changes. Operationally, the script supports four user-facing actions through command-line arguments: vulnerability checking, arbitrary command execution, administrative user creation, and user deletion. The vulnerability check uses a hardcoded test command ("uname -a") to determine whether the target responds successfully through the bypassed WSMA interface. Command execution allows the operator to run Cisco IOS XE CLI commands remotely. The account-management features appear to build configuration commands and submit them through the configApply SOAP mechanism, enabling creation of a privilege-15 administrative account or deletion of an existing account. The exploit is not part of a larger framework such as Metasploit or Nuclei. It is a direct Python implementation using requests.post with TLS verification disabled. Response handling parses returned XML with ElementTree and extracts text from the WSMA exec response. Based on the available code and README, this is a real exploit rather than a detector-only script, and it provides practical post-bypass actions against exposed vulnerable Cisco devices.
This repository contains a single Python script, 'exploit.py', which is a proof-of-concept exploit for CVE-2023-20198, a critical vulnerability in Cisco IOS XE devices. The script allows an attacker to:
- Check if a target device is vulnerable
- Execute arbitrary commands on the device
- Retrieve the running configuration
- Add or remove privileged (level 15) users
The exploit works by sending crafted SOAP/XML payloads to the Cisco IOS XE web interface (typically at the '/webui/wsma' endpoint) over HTTP or HTTPS. The script supports targeting a single IP or a list of IPs, and provides command-line options to select the desired action (check, execute command, get config, add/remove user). The payloads are based on public PoCs and research from ProjectDiscovery and Horizon3.ai. The script is operational and can be used to gain privileged access or execute commands on vulnerable Cisco IOS XE devices. No hardcoded IP addresses or credentials are present; the user supplies the target(s) and, optionally, new user credentials. The script is self-contained and does not rely on external frameworks.
This repository provides a functional exploit for CVE-2023-20198, a critical authentication bypass vulnerability in Cisco IOS XE's web interface. The exploit consists of a single Python script ('exploit.py') and a detailed README. The script allows an unauthenticated attacker to:
- Check if a target is vulnerable (by executing 'uname -a')
- Retrieve the running configuration ('sh run')
- Execute arbitrary IOS commands
- Add or remove privilege 15 users on the device
The exploit works by sending crafted XML SOAP payloads to the webui_wsma_http/https endpoint, bypassing authentication and leveraging the 'urn:cisco:wsma-exec' and 'urn:cisco:wsma-config' SOAP actions. The script supports both single-target and batch modes, and can optionally use HTTPS. The README provides usage instructions, examples, and references to original research and other PoCs. The exploit is operational and can be used to gain full control over vulnerable Cisco IOS XE devices remotely via the network.
This repository provides a Python proof-of-concept exploit for CVE-2023-20198, a critical vulnerability in Cisco IOS XE devices' web UI. The main script, 'cve-2023-20198.py', supports two modes: 'check' and 'exploit'. In 'check' mode, it sends a POST request to the '/webui/logoutconfirm.html' endpoint to determine if the device may be compromised, based on the response content. In 'exploit' mode, it creates a new local user account on the target device via the '/webui/create_user' endpoint and attempts to install a configuration implant using the '/webui/cisco_service.conf' endpoint. The script is configurable via command-line arguments, allowing the user to specify the target, credentials, and implant configuration. The repository includes a README with usage instructions, a requirements file for dependencies, and standard project files. The exploit targets Cisco IOS XE devices with the vulnerable web UI enabled and accessible over HTTP or HTTPS.
This repository contains a Python proof-of-concept exploit script (CVE-2023-20198.py) and a README file. The script targets Cisco IOS XE Web UI vulnerabilities (CVE-2023-20198 and CVE-2021-1435) to perform a multi-step attack: it creates a local user account, installs a malicious configuration (implant), restarts the web server to activate the implant, checks for the implant's presence, and finally deletes the created user account as cleanup. The script uses hardcoded placeholder URLs (https://target.com/...) which must be replaced with actual target details. The exploit demonstrates a network-based attack vector, leveraging HTTP POST and GET requests to the target's web interface endpoints. The payload is a configuration implant, the content of which must be supplied by the user. The repository is structured simply, with one main exploit script and a README providing usage instructions and a disclaimer.
This repository provides a functional proof-of-concept exploit for CVE-2023-20198, a critical authentication bypass vulnerability in Cisco IOS XE's web interface. The repository contains two files: a detailed README.md explaining the vulnerability, usage, and references, and exploit.py, a Python script implementing the exploit logic. The script allows attackers to check for the vulnerability, execute arbitrary IOS commands, retrieve the running configuration, and add or remove Privilege 15 users on vulnerable Cisco devices. It does so by sending crafted XML SOAP payloads to the web endpoint '/%2577eb%2575i_%2577sma_Http', targeting the 'cisco:wsma-exec' and 'cisco:wsma-config' SOAP endpoints. The exploit is operational and can be used for both vulnerability checking and post-exploitation actions. No hardcoded IPs or credentials are present; the script is parameterized for attacker-supplied targets and options. The code is standalone, not part of a framework, and is written in Python.
This repository provides a Python-based exploitation and detection tool for CVE-2023-20198, a critical authentication bypass vulnerability in Cisco IOS XE Web UI. The main script, 'exploit.py', supports two modes: 'Detect' (to identify vulnerable devices or implants) and 'Exploit' (to attempt exploitation by sending a user-supplied malicious XML payload to the target's Web UI endpoint). The tool can operate on single domains or lists of domains, supports proxying (e.g., via Burp Suite), and allows output to be saved to a file. The exploit is based on the theoretical POC by Horizon3 and requires the user to provide the actual malicious XML payload for exploitation. The repository is structured with a single main code file, a requirements.txt for dependencies, and documentation in the README. The primary attack vector is network-based, targeting the Web UI endpoint of Cisco IOS XE devices. The endpoint '/%2577ebui_%2577sma_Http' is specifically targeted for exploitation. The tool is a proof-of-concept and not fully weaponized, as it relies on user-supplied payloads and does not automate the full exploitation chain.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2023-20198, a critical privilege escalation vulnerability in Cisco IOS XE's web UI. The repository contains three files: a LICENSE, a README.md with detailed usage instructions and context, and a main Python script (main.py) that implements the exploit logic. The exploit automates the process of creating a privileged local user on the target device, installing a configuration implant, restarting the web server to activate the implant, and checking the implant's status. The script requires a list of target URLs and interacts with several web UI endpoints on the target device. Results, including credentials and login links, are saved to a results file. The exploit is intended for educational and research purposes and is not weaponized, as it requires manual configuration of the implant content and does not include advanced evasion or post-exploitation features.
This repository contains a Python exploit script (CVE-2023-20198-RCE.py) targeting Cisco IOS XE devices vulnerable to CVE-2023-20198. The exploit leverages unauthenticated access to the web UI's SOAP/XML endpoints (/webui_wsma_https and /webui_wsma_Http, URL-encoded as /%2577ebui_wsma_https and /%2577ebui_wsma_Http) to execute arbitrary OS or CLI commands, as well as to add or delete users with privilege 15. The script supports multiple modes: executing OS commands, executing CLI commands, adding users, and deleting users. It accepts command-line arguments for the target URL, proxy, user management, and command execution. The README provides usage instructions and example commands. The exploit is operational and can provide full device compromise if the target is vulnerable and accessible.
This repository provides a Python proof-of-concept exploit script (CVE_CISCO_20198_V2.py) targeting Cisco IOS XE Web UI vulnerabilities CVE-2023-20198 and CVE-2021-1435. The script automates the process of exploiting these vulnerabilities to create a local user account, install a configuration implant, restart the web server to activate the implant, verify the implant's presence, and finally clean up by deleting the created user account. The main exploit logic is contained in a single Python file, which uses hardcoded endpoints and credentials for demonstration. The repository also includes a README with usage instructions and a GPLv3 license. The attack vector is network-based, requiring access to the target's web interface. The endpoints used in the script are fingerprintable and correspond to typical administrative actions on Cisco web interfaces.
Affected products & vendors
Recent activity
94 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Cisco IOS XE vulnerability that Cisco Talos reports was exploited in engagements during Q1 2026, categorized under vulnerable or exposed infrastructure weaknesses.
A vulnerability in the Web User Interface of Cisco IOS XE software that can enable unauthorized administrative access and deployment of a non-persistent implant, potentially leading to full control of the device.
A critical Cisco IOS XE vulnerability exploited to access device configuration, reportedly used by Salt Typhoon according to the cited source.
A publicly disclosed Cisco IOS XE vulnerability cited as one of the known CVEs leveraged by Salt Typhoon.