How can I exploit the Cisco ASA / IOS IKE Fragmentation Vulnerability? (CVE-2016-1287)

Question

Found a Cisco ASA which is vulnerable to unauthenticated remote code execution, A remote attacker can exploit this issue, via specially crafted UDP packets, to cause a buffer overflow condition, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-1287).

How can I exploit this vulnerability?

Answer 1

You can use this script https://github.com/NetSPI/asa_tools to verify the presence of Cisco ASA RCE (CVE-2016-1287).

it requires python3 and the python hexdump module to be installed

sudo pip3 install hexdump

Download the script and run script.

python3 cisco_asa.py vulnerable-server:500

You will get a result like this and see the Notification data is missing and ASA is vulnerable.

This tool is used to verify the presence of CVE-2016-1287, an unauthenticated remote code execution vulnerability affecting Cisco's ASA products.
No attempt will be made to execute code, this simply observes behavior of affected versions when malformed fragments are sent to the ASA.
Continue? [y/N] 
y
[*] Sending Initiator Request
[*] Received Response
[+] Valid SA found. Moving on
[*] Sending first fragment
[*] Sending second fragment
[*] Notify Payload found. Printing Notify payload data.
    Next payload: NONE
    Critical bit Not Critical
    Payload length: 8
    Protocol ID: IKE
    SPI Size: 0
    Notify Message Type: Invalid Syntax
    Notification DATA: missing
[+] Notification data is missing.  ASA is vulnerable.
00000000: 66 53 54 71 45 49 58 64  D1 44 DA 79 2B 39 57 8E  fSTqEIXd.D.y+9W.
00000010: 29 20 22 20 00 00 00 00  00 00 00 24 00 00 00 08  ) " .......$....
00000020: 01 00 00 07