
This is a proof of concept for CVE-2022-41622, which is a CSRF in F5 Big-IP that leads to remote code execution. Using this is a bit finicky, but I'll walk you through my favourite use cases.

The vulnerability

The core vulnerability is a cross-site request forgery in F5 Big-IP's SOAP interface, which is accessed via /iControl/iControlPortal.cgi and runs as root. Despite running as root, we're restricted by an SELinux policy, which makes this difficult to exploit. We'll show some bypasses below, though.

The SOAP interface has no CSRF protection, which means an attacker can leverage an authenticated user's session to perform any SOAP request the interface supports. The full list of WSDL files is included, and we've created payloads for some of the important ones.

Basic usage

The basic usage is:

    ruby f5-soap-exploit.rb [username:password]

The username:password is purely for testing – it takes a valid admin account and sends the SOAP request directly to the server. This isn't an exploit or PoC at all; it's simply using the endpoint as intended.

If you don't provide a username:password, it will print a CSRF payload. To exploit the bug, an authenticated admin will have to visit a site containing that payload. Their browser will be redirected and the action will happen in the background. Note that the actual payloads aren't pretty or hidden in any way – to exploit this for real, you'll probably have to put some effort in.

Scenarios

We'll demonstrate these using an actual account, but…
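Added example (not part of this PoC or of F5's tooling) showing what a defender can look for: requests to /iControl/iControlPortal.cgi whose Origin or Referer header names a host other than the device itself, which is the shape a forged cross-site request takes. The access-log layout (combined format with the Origin header appended), the hostnames and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

ICONTROL_PATH = "/iControl/iControlPortal.cgi"

# Log layout assumed for this example: combined log format with the Origin request
# header appended as a final quoted field (a constructed layout, not BIG-IP's own).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample lines: a direct API call, a request from the device's own
# management UI, a POST whose Origin is a third-party page, and an unrelated GET.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Nov/2022:10:01:02 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 512 "-" "curl/7.85.0" "-"
10.0.0.7 - admin [21/Nov/2022:10:02:15 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 640 "https://bigip.internal.example/tmui/" "Mozilla/5.0" "https://bigip.internal.example"
10.0.0.7 - admin [21/Nov/2022:10:03:40 +0000] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 640 "https://lure.example/page.html" "Mozilla/5.0" "https://lure.example"
10.0.0.7 - - [21/Nov/2022:10:04:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

def _host(value):
    """Host part of a URL-valued header, or None when the header was absent ('-')."""
    if not value or value == "-":
        return None
    return (urlsplit(value).hostname or "").lower() or None

def classify(line, trusted_hosts):
    """Classify one log line. None for requests not aimed at the iControl SOAP
    endpoint; otherwise a dict whose 'verdict' is 'cross-origin' (Origin/Referer
    host is not one of the device's own names: the CSRF shape), 'same-origin',
    or 'unattributed' (neither header sent, which is typical of API clients)."""
    m = LOG_RE.match(line)
    if not m or m.group("path").split("?", 1)[0] != ICONTROL_PATH:
        return None
    src = _host(m.group("origin")) or _host(m.group("referer"))
    if src is None:
        verdict = "unattributed"
    elif src in {h.lower() for h in trusted_hosts}:
        verdict = "same-origin"
    else:
        verdict = "cross-origin"
    return {"client": m.group("client"), "user": m.group("user"),
            "ts": m.group("ts"), "source_host": src, "verdict": verdict}

def find_cross_origin(log_text, trusted_hosts):
    """Return every iControl request whose Origin/Referer points off-device."""
    rows = (classify(ln, trusted_hosts) for ln in log_text.splitlines() if ln.strip())
    return [r for r in rows if r and r["verdict"] == "cross-origin"]
```

Requests with neither header ("unattributed") are what a direct API client such as the username:password mode above produces, so they are reported separately rather than treated as forgeries.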