
CVE-2017-6640 PoC — Cisco Prime Data Center Network Manager Security Vulnerability

Source
Associated Vulnerability
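Title: Cisco Prime Data Center Network Manager Security Vulnerability (CVE-2017-6640)
Description: Cisco Prime Data Center Network Manager (DCNM) is a data center network manager from Cisco (USA). It provides multi-protocol management of the network and troubleshooting functions for switch health and performance. A security vulnerability exists in versions of Cisco Prime DCNM Software prior to 10.2(1) on the Microsoft Windows, Linux and Virtual Appliance platforms; it stems from the software containing a default account with a default static password. A remote attacker can exploit this vulnerability by using the account with the default static password to log in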
Description
Proof of concept for CVE-2017-6640 as burp extension
Readme
# CVE-2017-6640-POC
Proof of concept for CVE-2017-6640 as burp extension

Cisco Prime Data Center Network Manager (DCNM) uses static credentials. See also:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2

More specifically, the Web UI requires users to authenticate using HTTP Digest Auth. This Burp extension simply makes use of the hard-coded HA1 and completes the digest auth challenge-response:

```
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)
```
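
Because the password appears only inside HA1, a stored or shipped HA1 is a password equivalent. The following is an added example, not code from this repository; the account name, realm, passwords, URI and nonces are constructed placeholders, not DCNM values. It shows a no-qop verifier accepting responses built from HA1 alone, and rejecting them once the account has a different password.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only place the password is used."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2), the no-qop form shown above."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1: str, nonce: str, method: str, uri: str,
                  client_response: str) -> bool:
    """What a digest server does: recompute from its stored HA1 and compare."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)


def demo() -> dict:
    # Constructed placeholders; none of these are DCNM values.
    user, realm = "svc-example", "example-realm"
    method, uri = "GET", "/example/index"
    shipped_ha1 = compute_ha1(user, realm, "constructed-static-password")
    results = {}
    # A party that holds only the HA1 string answers two fresh challenges.
    for nonce in ("nonce-aaaa", "nonce-bbbb"):
        resp = digest_response(shipped_ha1, nonce, method, uri)
        results[nonce] = server_verify(shipped_ha1, nonce, method, uri, resp)
    # A captured response is bound to its nonce, so replay on a new nonce fails...
    old = digest_response(shipped_ha1, "nonce-aaaa", method, uri)
    results["replay"] = server_verify(shipped_ha1, "nonce-bbbb", method, uri, old)
    # ...and once the account has a per-install password, the shipped HA1 is useless.
    rotated_ha1 = compute_ha1(user, realm, "per-install-random-password")
    resp = digest_response(shipped_ha1, "nonce-cccc", method, uri)
    results["after_rotation"] = server_verify(rotated_ha1, "nonce-cccc", method, uri, resp)
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce protects against replay of a captured response, not against disclosure of HA1 itself, which is why a static HA1 shared across installations defeats the scheme.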

## How to use

Load the extension in Burp and browse to the Cisco DCNM management web interface. When prompted for credentials, enter any value; the plugin completes the authentication.

Proceed with uploading and deploying an enterprise app. 

## Limitations

This POC does not do quality of protection (QOP).
File Snapshot

```
[4.0K] /data/pocs/057d021096b67bbcade7e48f475cf4dace33006c
├── [4.0K] burp
│   ├── [4.9K] BurpExtender.java
│   ├── [3.8K] IBurpCollaboratorClientContext.java
│   ├── [1.4K] IBurpCollaboratorInteraction.java
│   ├── [ 42K] IBurpExtenderCallbacks.java
│   ├── [1007] IBurpExtender.java
│   ├── [1.4K] IContextMenuFactory.java
│   ├── [6.0K] IContextMenuInvocation.java
│   ├── [1.7K] ICookie.java
│   ├── [ 14K] IExtensionHelpers.java
│   ├── [ 976] IExtensionStateListener.java
│   ├── [1.5K] IHttpListener.java
│   ├── [2.9K] IHttpRequestResponse.java
│   ├── [ 784] IHttpRequestResponsePersisted.java
│   ├── [1.7K] IHttpRequestResponseWithMarkers.java
│   ├── [1016] IHttpService.java
│   ├── [4.2K] IInterceptedProxyMessage.java
│   ├── [ 826] IIntruderAttack.java
│   ├── [1.4K] IIntruderPayloadGeneratorFactory.java
│   ├── [1.8K] IIntruderPayloadGenerator.java
│   ├── [1.7K] IIntruderPayloadProcessor.java
│   ├── [1.2K] IMenuItemHandler.java
│   ├── [1.8K] IMessageEditorController.java
│   ├── [2.5K] IMessageEditor.java
│   ├── [1.5K] IMessageEditorTabFactory.java
│   ├── [3.8K] IMessageEditorTab.java
│   ├── [3.1K] IParameter.java
│   ├── [1.4K] IProxyListener.java
│   ├── [2.6K] IRequestInfo.java
│   ├── [2.3K] IResponseInfo.java
│   ├── [1.9K] IResponseKeywords.java
│   ├── [2.3K] IResponseVariations.java
│   ├── [4.0K] IScanIssue.java
│   ├── [3.7K] IScannerCheck.java
│   ├── [6.3K] IScannerInsertionPoint.java
│   ├── [1.4K] IScannerInsertionPointProvider.java
│   ├── [1023] IScannerListener.java
│   ├── [2.5K] IScanQueueItem.java
│   ├── [ 784] IScopeChangeListener.java
│   ├── [2.1K] ISessionHandlingAction.java
│   ├── [1.1K] ITab.java
│   ├── [ 892] ITempFile.java
│   └── [2.8K] ITextEditor.java
├── [ 22K] Cisco-POC.jar
├── [ 34K] LICENSE
└── [ 872] README.md

1 directory, 45 files
```