Cisco IOS XE Web UI Post-Authentication Command Injection / Privilege Escalation

This repository is a small Cisco IOS XE exploitation toolkit focused on the 2023 Web UI/WSMA vulnerability cluster. It contains 4 files: a minimal README and three Python scripts. scripts/exp.py and scripts/poc.py are effectively duplicates: both are standalone command-line exploit scripts that take a target URL and command, then send crafted SOAP envelopes to the encoded WSMA endpoint /%2577ebui_wsma_http or /%2577ebui_wsma_https. They support two modes: 'common' for execCLI command execution and 'super' for configApply/privileged configuration commands. Returned XML is parsed with xmltodict and command output or error information is printed. scripts/exploit.py is the more capable staged exploit. Based on visible code and comments, it targets CVE-2023-20273 and references CVE-2023-20198 as part of the broader attack chain against Cisco IOS XE Web UI. It abuses /webui/rest/softwareMgmt/installAdd by injecting shell syntax into the JSON ipaddress field. The script includes helpers for base64-encoded command execution, writing files to /var/www/ for retrieval through /webui/, and dropping/executing a self-deleting bash reverse shell that connects back to an attacker-controlled host and port. It also references /usr/binos/conf/mcp_chvrf.sh to execute shell content in the global VRF context. Overall purpose: provide practical remote code execution against vulnerable Cisco IOS XE devices, ranging from direct WSMA CLI execution to staged Web UI command injection with output retrieval and reverse shell capability. The code is operational rather than just demonstrative, but it is not part of a major exploitation framework.

This repository provides a Proof-of-Concept (PoC) exploit for CVE-2023-20273, a command injection vulnerability in Cisco IOS XE WebUI. The repository contains two files: a detailed README.md with usage instructions and exploit.py, a Python script implementing the exploit logic. The exploit targets Cisco IOS XE devices with the WebUI enabled and requires valid credentials. It works by sending a crafted POST request to the /webui/rest/softwareMgmt/installAdd endpoint, injecting arbitrary shell commands via the ipaddress field. The script supports both direct command execution and reverse shell payloads, with options to retrieve command output via the target's web server. The exploit is confirmed to work on several Cisco Catalyst models and IOS XE versions, with filesystem space being a potential limiting factor. The code is a functional PoC, not weaponized, and is intended for security testing and research.