Associated Vulnerability
Title: Cisco Adaptive Security Appliance Software remote code execution vulnerability (CVE-2016-6366)
Description: Cisco Adaptive Security Appliances (ASA) Software is an operating system from Cisco (USA) that runs on its firewalls. The Simple Network Management Protocol (SNMP) code in Cisco ASA Software 9.4.2.3 and earlier contains a remote code execution vulnerability. A remote attacker can exploit it by sending IPv4 SNMP packets to execute arbitrary code. The following products running this software are affected: Cisco ASA 5500 Series Adaptive Se
Description
Public repository for improvements to the EXTRABACON exploit
Readme
# CVE-2016-6366
Public repository for improvements to the EXTRABACON exploit, a remote code execution for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0.
We are adding patches for most versions of 8.x and 9.x in the near future after we test all versions on real hardware.
This uses improved shellcode with fewer stages than the Equation Group version, which makes it more reliable and the SNMP payload packet roughly 150 bytes smaller. The leaked version also only supports 8.x; we have it working on 9.x versions.
### Supported Versions (so far)
Using the Lina offset finder script, it should be trivial to support all vulnerable x86 versions, and we are working on doing just that. NOTE: x64 (9.6+?) introduces DEP and ASLR, so the offset finder and the generic payload will not work there. It should still be possible to DoS these versions, though.
Open an issue if you would like us to support a specific version. It will move to the front of the line.
#### 8.x
- 8.0(2)
- 8.0(3)
- 8.0(3)6
- 8.0(4)
- 8.0(4)32
- 8.0(5)
- 8.2(1)
- 8.2(2)
- 8.2(3)
- 8.2(4)
- 8.2(5)
- 8.2(5)33 `*`
- 8.2(5)41 `*`
- 8.2(5)55 `*`
- 8.3(1)
- 8.3(2)
- 8.3(2)39 `*`
- 8.3(2)40 `*`
- 8.3(2)-npe `*` `**`
- 8.4(1)
- 8.4(2)
- 8.4(3)
- 8.4(4)
- 8.4(4)1 `*`
- 8.4(4)3 `*`
- 8.4(4)5 `*`
- 8.4(4)9 `*`
- 8.4(6)5 `*`
- 8.4(7) `*`
#### 9.x
- 9.0(1) `*`
- 9.1(1)4 `*`
- 9.2(1) `*`
- 9.2(2)8 `*`
- 9.2(3) `*`
- 9.2(4) `*`
- 9.2(4)13 `*`
`*` new version support not part of the original Shadow Brokers leak
`**` We currently can't distinguish normal from NPE builds by the SNMP strings alone. We've commented out the NPE offsets, since NPE (No Payload Encryption, the export build for places where strong encryption is restricted) is very rare, but we'd like to incorporate these versions in the future, perhaps as a boolean option.
### Metasploit
`use auxiliary/admin/cisco/cisco_asa_extrabacon`
https://github.com/rapid7/metasploit-framework/pull/7359
Our initial pull request was merged into the Metasploit master branch. We will keep contributing more offsets, which may appear here sooner depending on the latency of future pull requests.
### Contributing
If you can test ASA versions, consider forking this project and generating payloads. We could mass-generate the payloads, but we want each one tested to make sure it exits cleanly.
You can add new payloads to the `extrabacon-2.0/improved/` folder after using `lina-offsets.py` to generate the file. Modules are named `shellcode_verstring.py`, where `verstring` is the version string returned by the ASA with periods (`.`) replaced by underscores (`_`).
Also submit pull requests that strip any unnecessary Python from the ExtraBacon 2.0 code.
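The two version conventions on this page, Cisco's `9.2(4)13` notation and the `shellcode_9_2(4)13` module-name form, are easy to mis-handle by hand (the trailing interim number is optional, and `-npe` may be appended). The following is an added example, not code from this repository: it parses the version string out of an SNMP `sysDescr`-style line, derives the module name exactly as the naming rule above describes, and, as an inventory check for defenders, orders versions so a build can be compared against the "9.4.2.3 and earlier" threshold quoted in the vulnerability summary at the top of the page. The `sysDescr` text and the threshold comparison are assumptions for illustration; the authoritative fixed-release table is Cisco's advisory linked under References.

```python
import re
from typing import NamedTuple, Optional

# Threshold from the vulnerability summary on this page: "9.4.2.3 and earlier",
# i.e. 9.4(2)3 in Cisco's own notation (assumption: treated as a strict upper bound
# for a coarse inventory check; consult the vendor advisory for fixed releases).
AFFECTED_MAX = (9, 4, 2, 3)

# Matches e.g. 8.0(3)6, 9.2(4)13, 8.4(7), 8.3(2)-npe anywhere in a string.
_VER_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)(-npe)?")


class AsaVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    interim: int   # 0 when the string carries no trailing interim number
    npe: bool      # True for a "No Payload Encryption" export build

    @property
    def key(self) -> tuple:
        """Orderable tuple: 8.0(3) sorts before 8.0(3)6, which sorts before 8.0(4)."""
        return (self.major, self.minor, self.maint, self.interim)

    def verstring(self) -> str:
        """Reconstruct the version string in the form the ASA reports it."""
        s = f"{self.major}.{self.minor}({self.maint})"
        if self.interim:
            s += str(self.interim)
        if self.npe:
            s += "-npe"
        return s


def parse_asa_version(text: str) -> Optional[AsaVersion]:
    """Extract the first ASA-style version from free text; None if absent."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim, npe = m.groups()
    return AsaVersion(int(major), int(minor), int(maint),
                      int(interim) if interim else 0, npe is not None)


def module_name(ver: AsaVersion) -> str:
    """Apply the README naming rule: periods in the verstring become underscores."""
    return "shellcode_" + ver.verstring().replace(".", "_")


def is_in_affected_range(ver: AsaVersion) -> bool:
    """Coarse check: does this build fall at or below the quoted threshold?"""
    return ver.key <= AFFECTED_MAX


def triage(sysdescr: str) -> dict:
    """Summarise one device's reported description for an inventory sweep."""
    ver = parse_asa_version(sysdescr)
    if ver is None:
        return {"parsed": False}
    return {
        "parsed": True,
        "version": ver.verstring(),
        "module": module_name(ver),
        "in_affected_range": is_in_affected_range(ver),
    }


if __name__ == "__main__":
    # Constructed sample sysDescr text (not captured from a real device).
    sample = "Cisco Adaptive Security Appliance Version 9.2(4)13"
    print(triage(sample))
```

Ordering is by the four numeric fields only; the `-npe` flag is carried through to the module name but deliberately ignored for comparison, mirroring the README's note that NPE builds cannot be told apart from the SNMP strings.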
### Lina offset finder
`python2 ./lina-offsets.py asa_lina_XXX.elf`
This automatically generates the offsets needed to port the exploit to other ASA versions.
Right now it takes us longer to load an ASA firmware version and test it than it does to generate the offsets for it.
The only value the script doesn't calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems that 8.4(1) and later use 0x48.
You can extract Lina like this:
`binwalk -e asaXXX-k8.bin`
`cd _asaXXX-extracted`
`cpio -idv < rootfs.img`
`cp asa/bin/lina /tmp/linaXXX`
### Licenses
- ExtraBacon 2.0 Python code is GPLv2 (as it uses Scapy)
- Metasploit module is MSF license (3-clause BSD)
- Everything else is MIT
### References
- http://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html
- https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
File Snapshot
[4.0K] /data/pocs/19cb5d28b348fb98d055e68b9adeda19c397b961
├── [4.0K] extrabacon-2.0
│ ├── [9.9K] extrabacon_2.0.py
│ ├── [4.0K] improved
│ │ ├── [1.4K] grep-offsets.py
│ │ ├── [ 435] shellcode_8_0(2).py
│ │ ├── [ 437] shellcode_8_0(3)6.py
│ │ ├── [ 441] shellcode_8_0(3).py
│ │ ├── [ 435] shellcode_8_0(4)32.py
│ │ ├── [ 443] shellcode_8_0(4).py
│ │ ├── [ 437] shellcode_8_0(5).py
│ │ ├── [ 439] shellcode_8_2(1).py
│ │ ├── [ 437] shellcode_8_2(2).py
│ │ ├── [ 435] shellcode_8_2(3).py
│ │ ├── [ 439] shellcode_8_2(4).py
│ │ ├── [ 445] shellcode_8_2(5)33.py
│ │ ├── [ 439] shellcode_8_2(5)41.py
│ │ ├── [ 446] shellcode_8_2(5)55.py
│ │ ├── [ 437] shellcode_8_2(5).py
│ │ ├── [ 445] shellcode_8_3(1).py
│ │ ├── [ 447] shellcode_8_3(2)39.py
│ │ ├── [ 445] shellcode_8_3(2)40.py
│ │ ├── [ 439] shellcode_8_3(2).py
│ │ ├── [ 435] shellcode_8_4(1).py
│ │ ├── [ 439] shellcode_8_4(2).py
│ │ ├── [ 439] shellcode_8_4(3).py
│ │ ├── [ 445] shellcode_8_4(4)1.py
│ │ ├── [ 437] shellcode_8_4(4)3.py
│ │ ├── [ 437] shellcode_8_4(4)5.py
│ │ ├── [ 441] shellcode_8_4(4)9.py
│ │ ├── [ 445] shellcode_8_4(4).py
│ │ ├── [ 439] shellcode_8_4(6)5.py
│ │ ├── [ 433] shellcode_8_4(7).py
│ │ ├── [ 441] shellcode_9_0(1).py
│ │ ├── [ 443] shellcode_9_1(1)4.py
│ │ ├── [ 441] shellcode_9_2(1).py
│ │ ├── [ 439] shellcode_9_2(2)8.py
│ │ ├── [ 439] shellcode_9_2(3).py
│ │ ├── [ 441] shellcode_9_2(4)13.py
│ │ └── [ 435] shellcode_9_2(4).py
│ ├── [4.0K] Mexeggs
│ │ ├── [ 43] all.py
│ │ ├── [ 80K] argparse.py
│ │ ├── [ 680] hexdump.py
│ │ ├── [ 0] __init__.py
│ │ ├── [ 10K] loglib.py
│ │ ├── [ 293] log.py
│ │ ├── [ 30K] sploit.py
│ │ └── [2.2K] version.py
│ ├── [4.0K] scapy
│ │ ├── [ 865] all.py
│ │ ├── [3.9K] ansmachine.py
│ │ ├── [4.0K] arch
│ │ │ ├── [ 241] bsd.py
│ │ │ ├── [2.3K] __init__.py
│ │ │ ├── [ 16K] linux.py
│ │ │ ├── [ 13K] pcapdnet.py
│ │ │ ├── [ 315] solaris.py
│ │ │ ├── [5.6K] unix.py
│ │ │ └── [4.0K] windows
│ │ │ └── [ 19K] __init__.py
│ │ ├── [4.0K] asn1
│ │ │ ├── [8.6K] asn1.py
│ │ │ ├── [ 11K] ber.py
│ │ │ ├── [ 336] __init__.py
│ │ │ └── [4.3K] mib.py
│ │ ├── [9.7K] asn1fields.py
│ │ ├── [ 599] asn1packet.py
│ │ ├── [3.1K] as_resolvers.py
│ │ ├── [ 27K] automaton.py
│ │ ├── [4.1K] autorun.py
│ │ ├── [7.2K] base_classes.py
│ │ ├── [ 13K] config.py
│ │ ├── [4.0K] crypto
│ │ │ ├── [ 88K] cert.py
│ │ │ └── [ 219] __init__.py
│ │ ├── [2.9K] dadict.py
│ │ ├── [6.0K] data.py
│ │ ├── [1.8K] error.py
│ │ ├── [ 26K] fields.py
│ │ ├── [ 279] __init__.py
│ │ ├── [4.0K] layers
│ │ │ ├── [ 499] all.py
│ │ │ ├── [6.7K] bluetooth.py
│ │ │ ├── [ 69K] dhcp6.py
│ │ │ ├── [ 12K] dhcp.py
│ │ │ ├── [9.9K] dns.py
│ │ │ ├── [ 19K] dot11.py
│ │ │ ├── [ 458] gprs.py
│ │ │ ├── [ 837] hsrp.py
│ │ │ ├── [112K] inet6.py
│ │ │ ├── [ 54K] inet.py
│ │ │ ├── [ 198] __init__.py
│ │ │ ├── [1.4K] ir.py
│ │ │ ├── [ 14K] isakmp.py
│ │ │ ├── [ 17K] l2.py
│ │ │ ├── [ 979] l2tp.py
│ │ │ ├── [2.3K] llmnr.py
│ │ │ ├── [1.6K] mgcp.py
│ │ │ ├── [1.6K] mobileip.py
│ │ │ ├── [ 11K] netbios.py
│ │ │ ├── [1.5K] netflow.py
│ │ │ ├── [2.5K] ntp.py
│ │ │ ├── [2.8K] pflog.py
│ │ │ ├── [ 16K] ppp.py
│ │ │ ├── [3.1K] radius.py
│ │ │ ├── [1.1K] rip.py
│ │ │ ├── [1.4K] rtp.py
│ │ │ ├── [4.5K] sebek.py
│ │ │ ├── [5.4K] skinny.py
│ │ │ ├── [ 17K] smb.py
│ │ │ ├── [8.6K] snmp.py
│ │ │ ├── [ 14K] tftp.py
│ │ │ └── [3.0K] x509.py
│ │ ├── [ 18K] LICENSE
│ │ ├── [9.0K] main.py
│ │ ├── [4.0K] modules
│ │ │ ├── [1.8K] geoip.py
│ │ │ ├── [ 198] __init__.py
│ │ │ ├── [6.4K] nmap.py
│ │ │ ├── [ 18K] p0f.py
│ │ │ ├── [2.8K] queso.py
│ │ │ └── [4.0K] voip.py
│ │ ├── [ 42K] packet.py
│ │ ├── [ 19K] plist.py
│ │ ├── [3.3K] pton_ntop.py
│ │ ├── [9.6K] route6.py
│ │ ├── [5.2K] route.py
│ │ ├── [ 21K] sendrecv.py
│ │ ├── [3.3K] supersocket.py
│ │ ├── [10.0K] themes.py
│ │ ├── [4.0K] tools
│ │ │ ├── [2.8K] check_asdis.py
│ │ │ ├── [ 198] __init__.py
│ │ │ └── [ 20K] UTscapy.py
│ │ ├── [ 26K] utils6.py
│ │ ├── [ 22K] utils.py
│ │ └── [ 20K] volatile.py
│ └── [4.0K] versions
│ ├── [4.0K] converter.py
│ ├── [4.4K] shellcode_asa802.py
│ ├── [4.4K] shellcode_asa803_6.py
│ ├── [4.4K] shellcode_asa803.py
│ ├── [4.4K] shellcode_asa804_32.py
│ ├── [4.4K] shellcode_asa804.py
│ ├── [4.4K] shellcode_asa805.py
│ ├── [4.4K] shellcode_asa821.py
│ ├── [4.4K] shellcode_asa822.py
│ ├── [4.4K] shellcode_asa823.py
│ ├── [4.4K] shellcode_asa824.py
│ ├── [4.4K] shellcode_asa825.py
│ ├── [4.4K] shellcode_asa831.py
│ ├── [4.4K] shellcode_asa832.py
│ ├── [4.4K] shellcode_asa841.py
│ ├── [4.4K] shellcode_asa842.py
│ ├── [4.4K] shellcode_asa843.py
│ └── [4.4K] shellcode_asa844.py
├── [1.0K] LICENSE
├── [8.2K] lina-offsets.py
├── [4.0K] metasploit
│ ├── [ 11K] cisco_asa_extrabacon.rb
│ └── [1.8K] cisco_asa_snmpoverflow.rb
├── [3.7K] README.md
└── [4.0K] shellcode
├── [ 892] clean.nasm
├── [1.0K] egg.nasm
├── [ 257] genshellcode.py
├── [3.4K] shellcode.nasm
└── [1.3K] writebytes.nasm
14 directories, 154 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.