This whitepaper demonstrates leveraging cross site scripting and polyglot exploitation in an exploit called COOLHANDLUKE to violate network segmentation / layer 2 VLAN policies while routing and sending a file between isolated, air gapped networks without a router. This issue affects HPE Procurve, Aruba Networks, Cisco, Dell, and Netgear products.
1ec58f30e8a0a21c51d095c930eb3fc00827e2d07118a62f2dd3d6f7154a73ceThis Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.
619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.
3977221a7eb176cd100298c6d47939999a920a628868ae1aceed408a21e04013This Metasploit module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473) in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then the upload.cgi binary will use the contents of the HTTP Cookie field as part of a curl request aimed at an internal endpoint. The curl request is executed using popen and allows the attacker to inject commands via the Cookie field. A remote and unauthenticated attacker using this module is able to achieve code execution as www-data. This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
d5c273af97dd2e97fb770967821e9b90847b04e11e1abb75510669721ee38b45Cisco IP Phone Series 78x1, 88x5, 88x1, 7832, 8832, 8821 and 3905 suffer from an insecure password storage vulnerability.
448c7c5cfcae3fc7bd414ad5be07cfbb1b7d955c723ac1c0f73d5e456f4c69e5Cisco Small Business RV130W version 1.0.3.44 exploit that injects counterfeit routers.
9ed47dde50d98da582e5d59d6001b33156cd31eb809f23d7ab77bd1c630c5a6aCisco Modeling Labs version 2.1.1-b19 remote command execution exploit.
29df00cdf8fbbcafabb5f3a4cccb147529145b52b4f8832dee4e09e3d2d05d94This Metasploit module exploits an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform's /upload endpoint to upload and execute a payload as the Tomcat user.
f5c93c1dbb7c46d018f80b02b7e8b65d92e05da4eaa8f1ef27222f385aefb954This Metasploit module exploits an unauthenticated command injection in Cisco HyperFlex HX Data Platform's /storfs-asup endpoint to execute shell commands as the Tomcat user.
0a1aa0b824e15e84195c2385f8bf0e7dc95224435e2865997906be79faf81ba6Cisco SD-WAN vManage version 19.2.2 remote root shell proof of concept exploit that leverages multiple vulnerabilities.
a39fed0dc5f1a0ca97a329bad76e86ccb0fe30addc423eef4129602dce1d82e6Cisco RV-series routers suffer from an authentication bypass vulnerability. The RV34X series are also affected by a command injection vulnerability in the sessionid cookie, when requesting the /upload endpoint. A combination of these issues would allow any person who is able to communicate with the web interface to run arbitrary system commands on the router as the www-data user. Vulnerable versions include RV16X/RV26X versions 1.0.01.02 and below and RV34X versions 1.0.03.20 and below.
f3c8685d841186aca43bc22f8ed2b32e8512c7730129f2ed6fe20f360378fa91THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.
1a28f064763f9144f8ec574416a56ef51c0ab1ae2276e35a89ceed4f594ec5d2Cisco UCS Manager version 2.2(1d) remote command execution exploit. An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888.
f3fab9befb8e7cbad15afa31a69504a465f274122e534cebcbde38a7d8f6288eCisco RV110W version 1.2.1.7 vpn_account denial of service proof of concept exploit.
d17a98598deaf9e49e4b5b6d4987373b9fff15aa4200a8930baafc922e80ba62Cisco ASA version 9.14.1.10 and FTD version 6.6.0.1 path traversal exploit. Original discovery of this vulnerability is attributed to 3ndG4me in October of 2020.
dfe0fcf7f0c733ce87bf53173ca792e20086cc5828ba3e9907aa3993b08bf8feCisco 7937G suffers from denial of service and privilege escalation vulnerabilities.
1a85b1824e9e138ebbade8a3b9f4aa8efdff5e15d8a48bb3135fca92e2eff047Cisco ASA and FTD version 9.6.4.42 suffer from a path traversal vulnerability.
dbeb67abac718b9d4521c2ea7ce46740e7ea1eaa75cf4abed2e9f85cfff2fec7The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers to execute code on the affected machine with with system level privileges. Both attacks consist in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service.
74ae12d312c6c46fa9f122b2a106d803de515d0b707dfe34720c066dd56a2680Two denial of service exploits for Cisco 7937G versions SIP-1-4-5-7 and below.
6329ae271427ebdd4aca842b16c5bf3f67949255d490ea35dafca48866d48d98Cisco 7947G versions SIP-1-4-5-7 and below privilege escalation exploit.
34708347a6cf94b31172406fb4db70445cf77dffd562fe392a73bb2f32ce2da0This exploit is an all-in-one tool that leverages vulnerabilities described in CVE-2020-16139, CVE-2020-16138, and CVE-2020-16137 against Cisco 7937G devices versions SIP-1-4-5-7 and below.
7724dcf86fe3eda058a8dbe264a07cb05296015350554358dc98f2cdd4cc6be1THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.
ce08a5148c0ae5ff4b0a4af2f7f15c5946bc939a57eae1bbb6dda19f34410273Cisco Adaptive Security Appliance Software version 9.7 unauthenticated arbitrary file deletion exploit.
9bff9df7bc31ade0ee6b87d153b448191f71eeb26ef4d1d4589e805582f16722This Python script checks whether the target server is vulnerable to CVE-2020-3452, a vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products that can allow for remote file disclosure.
f3d076dbbf728c5d5918c4039d0eaa629b5d9f90b1358b60f76542b5b020352cThe installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to version 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with system privileges. Since vpndownloader is also vulnerable to DLL hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location vpndownloader will be copied to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).
b6d44c2b494378ff342fef57be9d4be4564327103eadabb01ff166ae6dae9bff
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed