No shell - but crashes ASA..... #2

Open
johnson4d opened this issue Oct 25, 2016 · 3 comments
Comments

@johnson4d

Hey there. I tested this using IKEv2 on a Cisco ASA5510 running v8.4.1 software.

The exploit crashes the ASA "Reason: Heap memory corrupted" and simply reloads - but never attempts a shell on TCP port 4444. My ASA and attacker machine are on the same network. During the crash, I see lots of 0x41 (As) which indicate control of memory....?

I have also attached the console session output during the full crash..... Any idea what needs to be tweaked?

ciscoasa# show crashinfo | include 41 41
0xd8cb5848: 23 01 1c a1 e0 00 00 00 41 41 41 41 41 41 41 41 | #.......AAAAAAAA
0xd8cb5858: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5868: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5878: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5888: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5898: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb58a8: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5848: 23 01 1c a1 e0 00 00 00 41 41 41 41 41 41 41 41 | #.......AAAAAAAA
0xd8cb5858: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5868: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5878: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5888: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb5898: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA
0xd8cb58a8: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAAAAAAAA

@johnson4d

asa.txt

@ghost

ghost commented Sep 8, 2017

Were you able to get a shell? I'm also having this issue. I can't get any shell even if I wait for a long time.

@johnson4d

No, I could not get a shell. The support for this exploit was very limited, sadly. I don't know anyone who got it to actually work outside of the code writers.
