
Added module auxiliary/admin/cisco/cisco_asa_extrabacon #7353

Closed
wants to merge 43 commits

@ghost ghost commented Sep 22, 2016

We've added a module for ExtraBacon. We are adding patches for most versions of 8.x and 9.x in the near future after we test all versions on real hardware.

This uses improved shellcode and has fewer stages than the Equation Group version, making it more reliable. This makes the SNMP payload packet ~150 bytes smaller. Also, the leaked version only supports 8.x; we have it working on 9.x versions.

If anyone wants to help test more version specific offsets, we have a Lina file offset finder at:

https://github.com/RiskSense-Ops/CVE-2016-6366

Supported Versions (will update list as we go):

All of the leaked versions are now in the module.

8.x

  • 8.0(2)
  • 8.0(3)
  • 8.0(3)6
  • 8.0(4)
  • 8.0(4)32
  • 8.0(5)
  • 8.2(1)
  • 8.2(2)
  • 8.2(3)
  • 8.2(4)
  • 8.2(5)
  • 8.2(5)33 *
  • 8.2(5)41 *
  • 8.3(1)
  • 8.3(2)
  • 8.3(2)39 *
  • 8.3(2)40 *
  • 8.3(2)-npe * **
  • 8.4(1)
  • 8.4(2)
  • 8.4(3)
  • 8.4(4)
  • 8.4(4)1 *
  • 8.4(4)3 *
  • 8.4(4)5 *
  • 8.4(4)9 *
  • 8.4(6)5 *
  • 8.4(7) *

9.x

  • 9.0(1) *
  • 9.1(1)4 *
  • 9.2(1) *
  • 9.2(2)8 *
  • 9.2(3) *
  • 9.2(4) *
  • 9.2(4)13 *

* new version support not part of the original Shadow Brokers leak
** We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/admin/cisco/cisco_asa_extrabacon
  • set RHOST x.x.x.x
  • check
  • run
  • ssh admin@x.x.x.x, you will not need a valid password
  • set MODE pass-enable
  • run
  • ssh admin@x.x.x.x, ensure fake password does not work
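As an added triage example (not code from this PR or from the Metasploit module): a Ruby helper that parses an ASA's SNMP sysDescr and checks it against the version list above, flagging the 8.3(2)/NPE ambiguity the footnotes mention. It assumes sysDescr reads like "Cisco Adaptive Security Appliance Version 9.2(4)"; the host names and strings in the sample inventory are constructed.

```ruby
# Added example, not from this PR or Metasploit: triage ASA SNMP sysDescr strings
# against the version list in the PR description.
# Assumption: sysDescr reads "Cisco Adaptive Security Appliance Version X.Y(Z)[N]".

# Versions the PR says it has offsets for (leaked ones plus the newly added ones).
AFFECTED_VERSIONS = %w[
  8.0(2) 8.0(3) 8.0(3)6 8.0(4) 8.0(4)32 8.0(5)
  8.2(1) 8.2(2) 8.2(3) 8.2(4) 8.2(5) 8.2(5)33 8.2(5)41
  8.3(1) 8.3(2) 8.3(2)39 8.3(2)40
  8.4(1) 8.4(2) 8.4(3) 8.4(4) 8.4(4)1 8.4(4)3 8.4(4)5 8.4(4)9 8.4(6)5 8.4(7)
  9.0(1) 9.1(1)4 9.2(1) 9.2(2)8 9.2(3) 9.2(4) 9.2(4)13
].freeze
# Per the PR, the NPE build of 8.3(2) returns the same SNMP string as the normal build.
NPE_AMBIGUOUS = %w[8.3(2)].freeze
# major.minor(maintenance) with an optional interim build number, e.g. 8.2(5)33.
VERSION_RE = /Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)/

# Returns the version fields plus the canonical "8.2(5)33" form, or nil if unparseable.
def parse_asa_version(sysdescr)
  m = VERSION_RE.match(sysdescr.to_s)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i, maint: m[3].to_i,
    interim: m[4].empty? ? nil : m[4].to_i,
    text: "#{m[1]}.#{m[2]}(#{m[3]})#{m[4]}" }
end

# :affected      -> version is in the PR's offset list
# :npe_ambiguous -> in the list, but normal vs NPE build cannot be told apart over SNMP
# :not_listed    -> parsed as an ASA but outside this PR's list (check the vendor
#                   advisory; the list only covers builds the module has offsets for)
# :unknown       -> not an ASA sysDescr at all
def extrabacon_exposure(sysdescr)
  v = parse_asa_version(sysdescr)
  return :unknown unless v
  return :not_listed unless AFFECTED_VERSIONS.include?(v[:text])
  NPE_AMBIGUOUS.include?(v[:text]) ? :npe_ambiguous : :affected
end

# Constructed sample inventory (host name => sysDescr); not real devices.
SAMPLE_INVENTORY = {
  'fw-edge-1' => 'Cisco Adaptive Security Appliance Version 8.2(5)33',
  'fw-edge-2' => 'Cisco Adaptive Security Appliance Version 8.3(2)',
  'fw-lab'    => 'Cisco Adaptive Security Appliance Version 9.4(1)',
  'sw-core'   => 'Cisco IOS Software, C3750 Software'
}.freeze

# Map every host in the inventory to its exposure status.
def triage(inventory = SAMPLE_INVENTORY)
  inventory.transform_values { |descr| extrabacon_exposure(descr) }
end
```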

This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.


end

def setup
Member

do these need to exist?

Author

Removed these

return Exploit::CheckCode::Detected
end

def build_offsets(vers_string, mode)
Member

looks like you're switching between 2 and 4 character indents through the module

Author

Fixed this up

def run()

begin
mode = datastore['MODE']
Member

this is a bit more readable if it's collapsed more IMO

Author

Fixed

end

rescue ::Rex::ConnectionError, ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion
print_error("SNMP Error, Cisco ASA may have crashed :/")
Member

I'm not sure if UnsupportedVersion would really indicate a crash on the ASA

Author

Made the exception handling better


bcook-r7 commented Sep 23, 2016

Awesome work simplifying the shell code and improving reliability. Did you happen to see the exploit module in the queue from a couple of weeks ago as well? I'd like to see how we can merge these a bit so they share where they can and we end up with the best attributes of both.


ghost commented Sep 23, 2016

@bcook-r7: @jlee-r7 told us to get in contact with @wwebb-r7, I tried contacting him on Twitter about a week ago to collaborate but he hasn't been active there. I honestly didn't even see his pull request until after we submitted this one. It seems his version is a straightforward port of the original code from Python to Ruby.

I've crashed 8.2(3) in the lab running the original leaked shellcode when it failed to properly find the third stage. This new shellcode does everything in the second stage. The first -> second stage is always the same code. In the original exploit, second -> third stage required them to craft two packets and re-calculate. I have a blog post detailing why the original shellcode was so large/verbose, and easy to reduce in size: http://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html

Going from the second to the third stage to support 9.x versions also requires fiddling with a stack offset to a pointer that I'm still unsure how to calculate (for the lina.elf auto-offset finder script). I stopped trying to figure it out because it was unnecessary.

We owe William credit, without his blog post on debugging ASAs ours would still be collecting dust. I am open to any way you see fit to merge the two. I hope William will help us test new versions using the offset finder script as well.

TheNaterz added 13 commits September 23, 2016 13:15
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
@bcook-r7

Thanks @zerosum0x0. Yeah, it's a bummer to have competing modules, but I see what you mean on reliability after doing some comparison testing as well.


bcook-r7 commented Sep 24, 2016

I don't have any more complaints here, this looks good. I'm going to give @wwebb-r7 some credit here though.

@bcook-r7

A couple of nits before we continue. First, I'm sending you a PR with some docs. Second, can I request that you move all of this to a feature branch, and re-PR from there? When you send a PR from your local master branch, and then you later update your master branch, it breaks all of the history in this PR in github.


ghost commented Sep 24, 2016

Created #7359, which merges @bcook-r7's pull request and, as requested, is in a feature branch.

@ghost ghost closed this Sep 24, 2016