2014-04-14 23:11:17 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'F5 Bigip Backend IP/PORT Cookie Disclosure.',
|
|
|
|
|
'Description' => %q{
|
2014-04-28 09:32:46 +00:00
|
|
|
This module identify F5 BigIP SLB and decode sticky cookies which leak
|
2014-04-14 23:11:17 +00:00
|
|
|
backend IP and port.
|
|
|
|
|
},
|
2014-04-28 09:32:46 +00:00
|
|
|
'Author' => [ 'Thanat0s <thanspam[at]trollprod.org>' ],
|
2014-04-15 00:48:55 +00:00
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['URL', 'http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html'],
|
|
|
|
|
['URL', 'http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html?sr=14607726']
|
|
|
|
|
],
|
2014-04-14 23:11:17 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('TARGETURI', [true, 'The URI path to test', '/']),
|
2014-04-15 00:48:55 +00:00
|
|
|
OptInt.new('RETRY', [true, 'Number of requests to try to find backends', 10])
|
2014-04-14 23:11:17 +00:00
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def cookie_decode(cookie_value)
|
|
|
|
|
m = cookie_value.match(/(\d+)\.(\d+)\./)
|
|
|
|
|
host = (m.nil?) ? nil : m[1]
|
|
|
|
|
port = (m.nil?) ? nil : m[2]
|
|
|
|
|
port = (("%04X" % port).slice(2,4) << ("%04X" % port).slice(0,2)).hex.to_s
|
|
|
|
|
byte1 = ("%08X" % host).slice(6..7).hex.to_s
|
|
|
|
|
byte2 = ("%08X" % host).slice(4..5).hex.to_s
|
|
|
|
|
byte3 = ("%08X" % host).slice(2..3).hex.to_s
|
|
|
|
|
byte4 = ("%08X" % host).slice(0..1).hex.to_s
|
|
|
|
|
host = byte1 << "." << byte2 << "." << byte3 << "." << byte4
|
|
|
|
|
return host,port
|
|
|
|
|
end
|
|
|
|
|
|
2014-04-28 09:32:46 +00:00
|
|
|
def get_cookie # request a page and extract a F5 looking cookie.
|
2014-04-14 23:11:17 +00:00
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => @uri
|
|
|
|
|
})
|
2014-04-28 10:39:32 +00:00
|
|
|
id,value = nil
|
2014-04-28 21:26:29 +00:00
|
|
|
# Get the SLB session ID, like "TestCookie=2263487148.3013.0000"
|
|
|
|
|
m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/)
|
|
|
|
|
unless m.nil?
|
2014-04-14 23:11:17 +00:00
|
|
|
id = (m.nil?) ? nil : m[1]
|
|
|
|
|
value = (m.nil?) ? nil : m[2]
|
2014-04-28 10:39:32 +00:00
|
|
|
return id, value
|
2014-04-14 23:11:17 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
2014-04-28 21:26:29 +00:00
|
|
|
host_port = []
|
2014-04-14 23:11:17 +00:00
|
|
|
@uri = normalize_uri(target_uri.path)
|
|
|
|
|
print_status("Starting request #{@uri}")
|
2014-04-28 21:26:29 +00:00
|
|
|
for i in 0...datastore['RETRY']
|
|
|
|
|
id, value = get_cookie() # Get the cookie
|
|
|
|
|
# If the cookie is not found, stop process
|
|
|
|
|
unless id
|
|
|
|
|
print_error("F5 SLB cookie not found")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
# Print the cookie name on the first request
|
|
|
|
|
if i == 0
|
|
|
|
|
print_status("F5 cookie \"#{id}\" found")
|
|
|
|
|
end
|
2014-04-14 23:11:17 +00:00
|
|
|
host, port = cookie_decode(value)
|
2014-04-28 10:52:46 +00:00
|
|
|
unless host_port.include? (host+":"+port)
|
|
|
|
|
host_port.push(host+":"+port)
|
2014-04-28 21:26:29 +00:00
|
|
|
print_status("Backend #{host}:#{port}")
|
2014-04-14 23:11:17 +00:00
|
|
|
end
|
|
|
|
|
end
|
2014-04-28 21:26:29 +00:00
|
|
|
# Reporting found backends in database
|
2014-04-28 10:16:49 +00:00
|
|
|
report_note(
|
2014-04-28 21:26:29 +00:00
|
|
|
:host => rhost,
|
2014-04-28 10:16:49 +00:00
|
|
|
:type => "F5_Cookie_Backends",
|
2014-04-28 21:26:29 +00:00
|
|
|
:data => host_port
|
2014-04-28 10:16:49 +00:00
|
|
|
)
|
2014-04-14 23:11:17 +00:00
|
|
|
end
|
|
|
|
|
end
|
