Cisco ASA Software and ASDM Security Research

Cisco ASA Research

This repository contains slides and code presented at Black Hat USA 2022 and DEF CON 30. The following can be found:

  • Slides
    • DEF CON 30 and Black Hat slide decks. The DEF CON deck is slightly longer due to a longer time slot.
  • theway - a tool for creating malicious/distributable ASDM packages for the Cisco ASA (CVE-2022-20829).
  • whatsup - a tool for creating malicious/distributable Cisco FirePOWER module installation packages (No CVE).
  • pinchme - a tool for creating malicious/distributable Cisco FirePOWER boot images (No CVE).
  • slowcheetah - a tool for uploading FirePOWER module boot images to Cisco ASA-X and catching reverse shells.
  • staystaystay - an exploit for CVE-2021-1585, an unauthenticated RCE vulnerability affecting Cisco ASDM.
  • asdm_version_scanner - a tool for scanning ASA ASDM web interfaces and collecting versions. The repository contains results from an internet scan conducted on June 17, 2022.
  • getchoo - a tool for extracting the contents of an ASDM sgz file.
  • modules/ (Metasploit):
    • An RCE module for CVE-2022-20828: Remote ASDM -> FirePOWER root.
    • An RCE module for CVE-2021-1585: Unauthenticated RCE affecting ASDM client.
    • An RCE module that installs a Cisco FirePOWER boot image, roots it, and grabs a meterpreter root shell (No CVE).
    • A PackRat post-exploitation module to extract credentials from ASDM client log files (CVE-2022-20651).
    • An ASDM (HTTP) brute-force authentication module.
    • A module for dumping the ASA running-config over ASDM (HTTP).
  • yara/ contains YARA rules to help identify malicious files or exploitation.
  • slides/ contains the slide decks presented at BH USA 2022 and DEF CON 30.