This is the public repository for improvements to the EXTRABACON v2 exploit, a remote code execution exploit for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
This repository will be adding patches for most versions of 8.x and 9.x in the near future, after we test all versions on real hardware. It contains improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0. The improved shellcode has fewer stages than the Equation Group version, which makes it more reliable and makes the SNMP payload packet about 150 bytes smaller. Also, the leaked version only supports 8.x; we have this version working on 9.x as well.
* LINA offset finder
- python2 ./lina-offsets.py asa_lina_XXX.elf
This will automatically generate the offsets necessary to port the exploit to other versions of ASA.
Right now it takes us longer to load a version of the ASA firmware and test it than it does to generate the offsets for that version.
The only value the script doesn't calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems that 8.4(1) and later use 0x48.
Requirements:
+ Metasploit Framework
+ Python 2.7.x
+ Python Scapy modules
Use and Download:
sudo apt-get install nasm
(make sure you have Metasploit Framework installed on your system)
git clone https://github.com/RiskSense-Ops/CVE-2016-6366 && cd CVE-2016-6366
nasm shellcode.nasm (assembles the shellcode)
Then you can run the offset finder against your LINA binary:
python2 lina-offsets.py Your_asa_lina_XXX.elf