extrabacon v2

Cisco ASA SNMP Remote Code Execution Vulnerability (CVE-2016-6366).

This is a public repository for improvements to the EXTRABACON v2 exploit, a remote code execution exploit for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
Patches for most versions of 8.x and 9.x will be added to this repository in the near future, after we test all versions on real hardware. There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0. It uses the improved shellcode and has fewer stages than the Equation Group version, making it more reliable. This makes the SNMP payload packet ~150 bytes smaller. Also, the leaked version only supports 8.x; we have it working on 9.x versions.

* LINA offset finder
– python2 ./lina-offsets.py asa_lina_XXX.elf

The script automatically generates the offsets needed to port the exploit to other versions of ASA.
Right now, it takes us longer to load a version of ASA firmware and test it than it does to generate offsets for a specific version.

The only thing the script doesn’t calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems like 8.4(1) and greater use 0x48.

Requirements:

+ Metasploit Framework
+ Python 2.7.x
+ Python Scapy Modules

Use and Download:

Source: https://github.com/RiskSense-Ops