关联漏洞
描述
Public repository for improvements to the EXTRABACON exploit
介绍
# CVE-2016-6366
Public repository for improvements to the EXTRABACON exploit, a remote code execution for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0.
We are adding patches for most versions of 8.x and 9.x in the near future after we test all versions on real hardware.
This is using improved shellcode, has less stages than the Equation Group version making it more reliable. This makes the SNMP payload packet ~150 less bytes. Also, the leaked version only supports 8.x, we have it working on 9.x versions.
### Supported Versions (so far)
Using the Lina offset finder script, it should be trivial to support all vulnerable x86 versions. We are working on doing just that. NOTE: x64 (9.6+?) introduces DEP and ASLR. The offset finder and generic payload will not work. It should still be possible to easily dos these versions though.
Open an issue if you would like us to support a specific version. It will move to the front of the line.
8.x
- 8.0(2)
- 8.0(3)
- 8.0(3)6
- 8.0(4)
- 8.0(4)32
- 8.0(5)
- 8.2(1)
- 8.2(2)
- 8.2(3)
- 8.2(4)
- 8.2(5)
- 8.2(5)33 `*`
- 8.2(5)41 `*`
- 8.2(5)55 `*`
- 8.3(1)
- 8.3(2)
- 8.3(2)39 `*`
- 8.3(2)40 `*`
- 8.3(2)-npe `*` `**`
- 8.4(1)
- 8.4(2)
- 8.4(3)
- 8.4(4)
- 8.4(4)1 `*`
- 8.4(4)3 `*`
- 8.4(4)5 `*`
- 8.4(4)9 `*`
- 8.4(6)5 `*`
- 8.4(7) `*`
9.x
- 9.0(1) `*`
- 9.1(1)4 `*`
- 9.2(1) `*`
- 9.2(2)8 `*`
- 9.2(3) `*`
- 9.2(4) `*`
- 9.2(4)13 `*`
`*` new version support not part of the original Shadow Brokers leak
`**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
### Metasploit
`use auxiliary/admin/cisco/cisco_asa_extrabacon`
https://github.com/rapid7/metasploit-framework/pull/7359
Our initial pull request was merged into Metasploit master branch. We will still be contributing more offsets, which may be available here sooner depending on latency of future pull requests.
### Contributing
If you can test ASA versions, consider forking this project and generating payloads. We could mass-generate the payloads, but we want to test to make sure every payload exits cleanly.
You can add new payloads to the `extrabacon-2.0/improved/` folder after using `lina-offsets.py` to generate the file. Modules are named `shellcode_verstring.py`, where verstring is the version string returned by the ASA, with periods . replaced with underscores _
Also submit pull requests stripping any unnecessary Python from the ExtraBacon 2.0 code.
### Lina offset finder
`python2 ./lina-offsets.py asa_lina_XXX.elf`
Will automatically generate necessary offsets to port the exploit to other versions of ASA.
Right now, it takes us longer to load a version of ASA firmware and test it, than it does to generate offsets for a specific version.
The only thing the script doesn't calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems like 8.4(1) and greater use 0x48.
You can extract Lina like this:
`binwalk -e asaXXX-k8.bin`
`cd _asaXXX-extracted`
`cpio -idv < rootfs.img`
`cp asa/bin/lina /tmp/linaXXX`
### Licenses
- ExtraBacon 2.0 Python code is GPLv2 (as it uses Scapy)
- Metasploit module is MSF license (3-clause BSD)
- Everything else is MIT
### References
- http://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html
- https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
文件快照
[4.0K] /data/pocs/19cb5d28b348fb98d055e68b9adeda19c397b961
├── [4.0K] extrabacon-2.0
│ ├── [9.9K] extrabacon_2.0.py
│ ├── [4.0K] improved
│ │ ├── [1.4K] grep-offsets.py
│ │ ├── [ 435] shellcode_8_0(2).py
│ │ ├── [ 437] shellcode_8_0(3)6.py
│ │ ├── [ 441] shellcode_8_0(3).py
│ │ ├── [ 435] shellcode_8_0(4)32.py
│ │ ├── [ 443] shellcode_8_0(4).py
│ │ ├── [ 437] shellcode_8_0(5).py
│ │ ├── [ 439] shellcode_8_2(1).py
│ │ ├── [ 437] shellcode_8_2(2).py
│ │ ├── [ 435] shellcode_8_2(3).py
│ │ ├── [ 439] shellcode_8_2(4).py
│ │ ├── [ 445] shellcode_8_2(5)33.py
│ │ ├── [ 439] shellcode_8_2(5)41.py
│ │ ├── [ 446] shellcode_8_2(5)55.py
│ │ ├── [ 437] shellcode_8_2(5).py
│ │ ├── [ 445] shellcode_8_3(1).py
│ │ ├── [ 447] shellcode_8_3(2)39.py
│ │ ├── [ 445] shellcode_8_3(2)40.py
│ │ ├── [ 439] shellcode_8_3(2).py
│ │ ├── [ 435] shellcode_8_4(1).py
│ │ ├── [ 439] shellcode_8_4(2).py
│ │ ├── [ 439] shellcode_8_4(3).py
│ │ ├── [ 445] shellcode_8_4(4)1.py
│ │ ├── [ 437] shellcode_8_4(4)3.py
│ │ ├── [ 437] shellcode_8_4(4)5.py
│ │ ├── [ 441] shellcode_8_4(4)9.py
│ │ ├── [ 445] shellcode_8_4(4).py
│ │ ├── [ 439] shellcode_8_4(6)5.py
│ │ ├── [ 433] shellcode_8_4(7).py
│ │ ├── [ 441] shellcode_9_0(1).py
│ │ ├── [ 443] shellcode_9_1(1)4.py
│ │ ├── [ 441] shellcode_9_2(1).py
│ │ ├── [ 439] shellcode_9_2(2)8.py
│ │ ├── [ 439] shellcode_9_2(3).py
│ │ ├── [ 441] shellcode_9_2(4)13.py
│ │ └── [ 435] shellcode_9_2(4).py
│ ├── [4.0K] Mexeggs
│ │ ├── [ 43] all.py
│ │ ├── [ 80K] argparse.py
│ │ ├── [ 680] hexdump.py
│ │ ├── [ 0] __init__.py
│ │ ├── [ 10K] loglib.py
│ │ ├── [ 293] log.py
│ │ ├── [ 30K] sploit.py
│ │ └── [2.2K] version.py
│ ├── [4.0K] scapy
│ │ ├── [ 865] all.py
│ │ ├── [3.9K] ansmachine.py
│ │ ├── [4.0K] arch
│ │ │ ├── [ 241] bsd.py
│ │ │ ├── [2.3K] __init__.py
│ │ │ ├── [ 16K] linux.py
│ │ │ ├── [ 13K] pcapdnet.py
│ │ │ ├── [ 315] solaris.py
│ │ │ ├── [5.6K] unix.py
│ │ │ └── [4.0K] windows
│ │ │ └── [ 19K] __init__.py
│ │ ├── [4.0K] asn1
│ │ │ ├── [8.6K] asn1.py
│ │ │ ├── [ 11K] ber.py
│ │ │ ├── [ 336] __init__.py
│ │ │ └── [4.3K] mib.py
│ │ ├── [9.7K] asn1fields.py
│ │ ├── [ 599] asn1packet.py
│ │ ├── [3.1K] as_resolvers.py
│ │ ├── [ 27K] automaton.py
│ │ ├── [4.1K] autorun.py
│ │ ├── [7.2K] base_classes.py
│ │ ├── [ 13K] config.py
│ │ ├── [4.0K] crypto
│ │ │ ├── [ 88K] cert.py
│ │ │ └── [ 219] __init__.py
│ │ ├── [2.9K] dadict.py
│ │ ├── [6.0K] data.py
│ │ ├── [1.8K] error.py
│ │ ├── [ 26K] fields.py
│ │ ├── [ 279] __init__.py
│ │ ├── [4.0K] layers
│ │ │ ├── [ 499] all.py
│ │ │ ├── [6.7K] bluetooth.py
│ │ │ ├── [ 69K] dhcp6.py
│ │ │ ├── [ 12K] dhcp.py
│ │ │ ├── [9.9K] dns.py
│ │ │ ├── [ 19K] dot11.py
│ │ │ ├── [ 458] gprs.py
│ │ │ ├── [ 837] hsrp.py
│ │ │ ├── [112K] inet6.py
│ │ │ ├── [ 54K] inet.py
│ │ │ ├── [ 198] __init__.py
│ │ │ ├── [1.4K] ir.py
│ │ │ ├── [ 14K] isakmp.py
│ │ │ ├── [ 17K] l2.py
│ │ │ ├── [ 979] l2tp.py
│ │ │ ├── [2.3K] llmnr.py
│ │ │ ├── [1.6K] mgcp.py
│ │ │ ├── [1.6K] mobileip.py
│ │ │ ├── [ 11K] netbios.py
│ │ │ ├── [1.5K] netflow.py
│ │ │ ├── [2.5K] ntp.py
│ │ │ ├── [2.8K] pflog.py
│ │ │ ├── [ 16K] ppp.py
│ │ │ ├── [3.1K] radius.py
│ │ │ ├── [1.1K] rip.py
│ │ │ ├── [1.4K] rtp.py
│ │ │ ├── [4.5K] sebek.py
│ │ │ ├── [5.4K] skinny.py
│ │ │ ├── [ 17K] smb.py
│ │ │ ├── [8.6K] snmp.py
│ │ │ ├── [ 14K] tftp.py
│ │ │ └── [3.0K] x509.py
│ │ ├── [ 18K] LICENSE
│ │ ├── [9.0K] main.py
│ │ ├── [4.0K] modules
│ │ │ ├── [1.8K] geoip.py
│ │ │ ├── [ 198] __init__.py
│ │ │ ├── [6.4K] nmap.py
│ │ │ ├── [ 18K] p0f.py
│ │ │ ├── [2.8K] queso.py
│ │ │ └── [4.0K] voip.py
│ │ ├── [ 42K] packet.py
│ │ ├── [ 19K] plist.py
│ │ ├── [3.3K] pton_ntop.py
│ │ ├── [9.6K] route6.py
│ │ ├── [5.2K] route.py
│ │ ├── [ 21K] sendrecv.py
│ │ ├── [3.3K] supersocket.py
│ │ ├── [10.0K] themes.py
│ │ ├── [4.0K] tools
│ │ │ ├── [2.8K] check_asdis.py
│ │ │ ├── [ 198] __init__.py
│ │ │ └── [ 20K] UTscapy.py
│ │ ├── [ 26K] utils6.py
│ │ ├── [ 22K] utils.py
│ │ └── [ 20K] volatile.py
│ └── [4.0K] versions
│ ├── [4.0K] converter.py
│ ├── [4.4K] shellcode_asa802.py
│ ├── [4.4K] shellcode_asa803_6.py
│ ├── [4.4K] shellcode_asa803.py
│ ├── [4.4K] shellcode_asa804_32.py
│ ├── [4.4K] shellcode_asa804.py
│ ├── [4.4K] shellcode_asa805.py
│ ├── [4.4K] shellcode_asa821.py
│ ├── [4.4K] shellcode_asa822.py
│ ├── [4.4K] shellcode_asa823.py
│ ├── [4.4K] shellcode_asa824.py
│ ├── [4.4K] shellcode_asa825.py
│ ├── [4.4K] shellcode_asa831.py
│ ├── [4.4K] shellcode_asa832.py
│ ├── [4.4K] shellcode_asa841.py
│ ├── [4.4K] shellcode_asa842.py
│ ├── [4.4K] shellcode_asa843.py
│ └── [4.4K] shellcode_asa844.py
├── [1.0K] LICENSE
├── [8.2K] lina-offsets.py
├── [4.0K] metasploit
│ ├── [ 11K] cisco_asa_extrabacon.rb
│ └── [1.8K] cisco_asa_snmpoverflow.rb
├── [3.7K] README.md
└── [4.0K] shellcode
├── [ 892] clean.nasm
├── [1.0K] egg.nasm
├── [ 257] genshellcode.py
├── [3.4K] shellcode.nasm
└── [1.3K] writebytes.nasm
14 directories, 154 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。