Critical · CISA KEV · Exploited in the wild · Public exploit

Authentication Bypass and RCE in F5 BIG-IP TMUI

Identifiers: CVE-2023-46747 · CWE-288 (Authentication Bypass Using an…)

CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also referred to as the Configuration utility. The issue allows undisclosed requests to bypass TMUI authentication due to improper handling of requests in the TMUI Apache JServ Protocol (AJP) connector. The provided content states attackers can craft malicious AJP requests that manipulate authentication-related fields such as remote_user and REMOTEROLE, causing TMUI to treat the request as authenticated and grant administrative access. Once authentication is bypassed, the attacker can use TMUI functionality, including command execution paths such as tmsh, to execute arbitrary system commands on the underlying BIG-IP system. The vendor description specifies that exploitation is possible from the management port and/or self IP addresses.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation permits unauthenticated administrative access to the BIG-IP Configuration utility and can lead to arbitrary system command execution on the device. The supporting content indicates this can result in root-level compromise, deployment of web shells or malware, creation of hidden administrative accounts for persistence, data theft, service disruption, and follow-on lateral movement or access brokering. Exploitation has been observed in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to TMUI and the BIG-IP management plane to trusted administrative networks only, and prevent exposure via management port and self IP addresses to untrusted networks. The content also states F5 provided a mitigation script for BIG-IP versions 14.1.0 and later, but it should not be used on versions earlier than 14.1.0 because it may prevent the Configuration utility from starting. The content further states customers using a FIPS 140-2 Compliant Mode license should not use that mitigation because it can cause FIPS integrity checks to fail.

Remediation

Patch, then assume compromise.

Apply the vendor-provided hotfixes or upgrade to fixed BIG-IP releases. The provided content identifies fixed targets as BIG-IP 17.1.0.3 with Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3, 16.1.4.1 with Hotfix-BIGIP-16.1.4.1.0.50.5-ENG, 15.1.10.2 with Hotfix-BIGIP-15.1.10.2.0.44.2-ENG, 14.1.5.6 with Hotfix-BIGIP-14.1.5.6.0.10.6-ENG, and 13.1.5.1 with Hotfix-BIGIP-13.1.5.1.0.20.2-ENG. Organizations should prioritize patching because public proof-of-concept material exists and exploitation in the wild has been reported.
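For the assume-compromise step, one concrete thing to check is the Configuration utility's HTTP access log for the request sequence the public PoCs listed further down this page all share: an unauthenticated POST to /tmui/login.jsp that creates a user, an optional password change under /mgmt/tm/auth/user/, a token request to /mgmt/shared/authn/login, and command execution through /mgmt/tm/util/bash. The script below is an added example written for this page; it is not Mallory's or F5's code. It assumes an Apache combined-style log line (BIG-IP's own httpd log layout may differ), a five-minute window for the whole chain, and the sample log lines are constructed. A single POST to /tmui/login.jsp is just a normal login, so only the ordered sequence from one source is rated high.

```python
"""Triage BIG-IP Configuration utility access logs for the CVE-2023-46747 chain.

Added example, not Mallory's or F5's code. Assumptions: Apache "combined"-style
log lines (BIG-IP's own httpd log layout may differ) and constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stages of the chain the public PoCs walk, in order. Paths come from the exploit
# write-ups on this page; a lone POST /tmui/login.jsp is an ordinary login.
STAGES = [
    ("create_user",    {"POST"},         "/tmui/login.jsp"),
    ("reset_password", {"PATCH", "PUT"}, "/mgmt/tm/auth/user/"),   # optional stage
    ("get_token",      {"POST"},         "/mgmt/shared/authn/login"),
    ("run_command",    {"POST"},         "/mgmt/tm/util/bash"),
]
REQUIRED = ["create_user", "get_token", "run_command"]
WINDOW = timedelta(minutes=5)   # assumed: a scripted chain completes quickly


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def stage_of(event):
    """Map a parsed request to a chain stage name, or None if unrelated."""
    for name, methods, prefix in STAGES:
        if event["method"] in methods and event["path"].startswith(prefix):
            return name
    return None


def find_chains(lines, window=WINDOW):
    """Group stage hits by source IP and report ordered chains.

    'high'  : create_user -> get_token -> run_command in order within `window`
              (reset_password is recorded when seen but not required).
    'medium': /mgmt/tm/util/bash was called without a full chain; legitimate
              automation does this too, so it is flagged for review only.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        stage = stage_of(ev)
        if stage:
            by_ip[ev["ip"]].append((ev["ts"], stage))

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        seen, ptr, start, full = [], 0, None, False
        for ts, stage in events:
            if ptr < len(REQUIRED) and stage == REQUIRED[ptr]:
                if start is None:
                    start = ts
                seen.append(stage)
                ptr += 1
            elif stage == "reset_password" and start is not None:
                seen.append(stage)
            if ptr == len(REQUIRED):
                if ts - start <= window:
                    full = True
                    findings.append({"ip": ip, "severity": "high",
                                     "stages": seen, "start": start, "end": ts})
                break
        if not full and any(s == "run_command" for _, s in events):
            findings.append({"ip": ip, "severity": "medium",
                             "stages": ["run_command"], "start": None, "end": None})
    return findings


# Constructed sample log (not real traffic): one full chain, one ordinary
# admin login, and one bare REST bash call from a third address.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Oct/2023:14:02:11 +0000] "POST /tmui/login.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Oct/2023:14:02:13 +0000] "PATCH /mgmt/tm/auth/user/user1 HTTP/1.1" 200 210',
    '203.0.113.7 - - [31/Oct/2023:14:02:14 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 200 1402',
    '203.0.113.7 - - [31/Oct/2023:14:02:16 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 330',
    '198.51.100.4 - - [31/Oct/2023:14:05:01 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0',
    '198.51.100.4 - - [31/Oct/2023:14:05:03 +0000] "GET /tmui/ HTTP/1.1" 200 8810',
    '192.0.2.9 - - [31/Oct/2023:15:10:40 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']}: {' -> '.join(f['stages'])}")
```

Run it against the exported httpd access log for the period since the device was exposed; a high finding means the account named in the /mgmt/tm/auth/user/ request and any user created in that window should be treated as attacker-controlled and the host as compromised, which is the point at which the rest of the assume-compromise checklist applies. Because the smuggled AJP fields never appear in an access log, this heuristic keys on the sequence of REST calls rather than on the request body itself.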
PUBLIC EXPLOITS

Exploits

9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid 9 / 9 total
abyss-c2 · Maturity: PoC · Verified exploit

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

flags-alt · Disclosed May 20, 2026 · python, html · network, web, local
F5-BIG-IP-SmuggleShell-CVE-2023-46747-Exploit · Maturity: PoC · Verified exploit

This repository provides a fully automated exploit for CVE-2023-46747, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP (versions 13.x through 17.x). The exploit is available in two forms: a standalone Python script ('f5-bigip-cve-2023-46747-revshell.py') and a Nuclei YAML template ('CVE-2023-46747-revshell.yaml'). Both versions exploit an AJP + HTTP request smuggling flaw to create a hidden admin user on the target device, change its password, authenticate, and then execute a reverse shell payload that connects back to the attacker's specified host and port. The Python script is the recommended method, providing clean output with credentials and token information. The exploit requires the attacker to specify the target URL, their own host (LHOST), and port (LPORT) for the reverse shell. The README provides clear usage instructions and legal warnings. The main endpoints targeted are the F5 management API paths used to create users, authenticate, and execute commands. The exploit is operational and provides root shell access if successful.

Razzlemouse · Disclosed Dec 3, 2025 · python, yaml · network
F5-BIG-IP-CVE-2023-46747---Unauthenticated-RCE-Reverse-Shell- · Maturity: Operational · Verified exploit

This repository provides a fully automated exploit for CVE-2023-46747, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP (versions 13.x through 17.x). The exploit is available in two forms: a standalone Python script ('f5-bigip-cve-2023-46747-revshell.py') and a Nuclei YAML template ('CVE-2023-46747-revshell.yaml'). Both versions exploit an AJP + HTTP request smuggling flaw to create a hidden admin user on the target device, change its password, authenticate, and then execute a reverse shell payload that connects back to the attacker's specified host and port. The Python script is the recommended method, providing clean output with credentials and token information. The exploit requires the attacker to specify the target URL, their own host (LHOST), and port (LPORT) for the reverse shell. The README provides clear usage instructions and legal warnings. The main endpoints targeted are the F5 management API paths used to create users, authenticate, and execute commands. The exploit is operational and provides root shell access if successful.

Razzlemouse · Disclosed Dec 9, 2025 · python, yaml · network
F5-BIG-IP-CVE-2023-46747---Unauthenticated-RCE-Reverse-Shell-Nuclei-Template-Modified- · Maturity: PoC · Verified exploit

This repository provides a working exploit for CVE-2023-46747, a critical unauthenticated remote code execution (RCE) vulnerability in F5 BIG-IP devices (versions 13.x through 17.x). The exploit is available in two forms: a standalone Python script ('f5-bigip-cve-2023-46747-revshell.py') and a Nuclei YAML template ('CVE-2023-46747-revshell.yaml'). Both versions automate the exploitation process, which involves: 1. Sending a crafted AJP/HTTP request smuggling payload to create a hidden admin user on the target device. 2. Changing the password for the new admin user. 3. Logging in as the new admin to obtain an authentication token. 4. Using the token to execute a bash reverse shell command, connecting back to the attacker's specified host and port. The Python script is the recommended method, supporting both IP and domain targets, and provides clear output including credentials and tokens. The Nuclei template offers an alternative for automated scanning. The exploit requires the attacker to set up a listener (e.g., netcat) to receive the reverse shell. The README provides detailed usage instructions and legal warnings. No fake or detection-only scripts are present; both code files are functional exploits.

Razzlemouse · Disclosed Dec 3, 2025 · python, yaml · network
BigFinger · Maturity: PoC · Verified exploit

This repository provides a Python3 exploit script (bigrce.py) targeting the unauthenticated remote code execution vulnerability CVE-2023-46747 in F5 BIG-IP appliances (tested on v16.x.x). The exploit works by sending a specially crafted chunked HTTP request to the /tmui/login.jsp endpoint to create a new admin user, resetting its password, obtaining an authentication token via the management API, and then executing arbitrary bash commands or providing an interactive shell to the attacker. The script supports both single-target and bulk-target modes (via targets.txt), multithreading, proxy support, and can check for vulnerable targets or provide shell access. The included dork.txt provides a Shodan query for finding potential targets. The targets.txt file contains a list of example vulnerable endpoints. The exploit is operational, providing real RCE capabilities, and is intended for use by security professionals for testing and research purposes.

cediegreyhat · Disclosed Jul 4, 2025 · python · network
test_cve-2023-46747 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (test_cve-2023-46747.py) targeting F5 BIG-IP devices vulnerable to CVE-2023-46747. The script connects to a specified host over HTTPS (port 443), sends a specially crafted raw HTTP POST request to the /tmui/login.jsp endpoint, and attempts to create a new administrator account ('User1' with password '0penSesame!!'). After sending the exploit payload, the script verifies exploitation by attempting to authenticate to the /mgmt/tm/ltm endpoint using the new credentials. If successful, it confirms the target is vulnerable. The repository also includes a brief README and an MIT license. The exploit is operational, providing a working payload that results in privilege escalation on unpatched F5 BIG-IP systems.

nvansluis · Disclosed Nov 2, 2023 · python · network
cve-2023-46747 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (exploit.py) targeting the F5 BIG-IP TMUI remote code execution vulnerability (CVE-2023-46747). The exploit is fully operational and allows an unauthenticated attacker to create a new user on the target F5 BIG-IP system, obtain an authentication token, and execute arbitrary shell commands via the management REST API. The script is run from the command line, requiring the target URL and optionally a proxy. The main exploit steps are: (1) generate random credentials, (2) create a user via a crafted POST request to /tmui/login.jsp, (3) retrieve a session token from /mgmt/shared/authn/login, and (4) execute arbitrary commands through /mgmt/tm/util/bash. The repository consists of a detailed README.md and a single Python exploit file, with no extraneous files or framework dependencies. The exploit is intended for research and educational purposes only.

vidura2 · Disclosed Feb 11, 2024 · python · network
CVE-2023-46747 · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (exploit.py) targeting CVE-2023-46747, a pre-authentication remote code execution vulnerability in F5 BIG-IP products. The exploit works by sending a specially crafted HTTP POST request to the /tmui/login.jsp endpoint on the target device, leveraging chunked transfer encoding and a custom payload to achieve code execution. The script supports both single and multiple targets (via domain or file list), allows the attacker to specify arbitrary shell commands (defaulting to 'cat /etc/passwd'), and can route requests through a proxy for analysis or evasion. The repository includes a README with usage instructions, a requirements.txt for dependencies, and a standard MIT license. The exploit is operational, providing real RCE capabilities, and is not part of a larger framework. No hardcoded IPs or domains are present; the user supplies targets at runtime. The main fingerprintable endpoint is the /tmui/login.jsp path on F5 BIG-IP devices.

RevoltSecurities · Disclosed Nov 3, 2023 · python · network
CVE-2023-46747-RCE · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (CVE-2023-46747-RCE.py) targeting the F5 BIG-IP TMUI remote code execution vulnerability (CVE-2023-46747). The exploit works by sending a specially crafted HTTP request to create a new administrative user without authentication, resetting the password, obtaining an authentication token, and then using the management API to execute arbitrary bash commands on the target system. The script provides an interactive shell for the attacker to run commands. The README.md provides usage instructions, affected versions, and references. The requirements.txt lists the Python dependencies (urllib3, requests). The exploit is operational and provides full RCE if the target is vulnerable. Several fingerprintable endpoints are used, including /tmui/login.jsp, /mgmt/tm/auth/user/{user}, /mgmt/shared/authn/login, and /mgmt/tm/util/bash. The attack vector is network-based, requiring access to the management interface of the target F5 BIG-IP device.

W01fh4cker · Disclosed Nov 1, 2023 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
F5 | Big-Ip Access Policy Manager | application
F5 | Big-Ip Advanced Firewall Manager | application
F5 | Big-Ip Advanced Web Application Firewall | application
F5 | Big-Ip Analytics | application
F5 | Big-Ip Application Acceleration Manager | application
F5 | Big-Ip Application Security Manager | application
F5 | Big-Ip Application Visibility And Reporting | application
F5 | Big-Ip Automation Toolchain | application
F5 | Big-Ip Carrier-Grade Nat | application
F5 | Big-Ip Container Ingress Services | application
F5 | Big-Ip Ddos Hybrid Defender | application
F5 | Big-Ip Domain Name System | application
F5 | Big-Ip Fraud Protection Services | application
F5 | Big-Ip Global Traffic Manager | application
F5 | Big-Ip Link Controller | application
F5 | Big-Ip Local Traffic Manager | application
F5 | Big-Ip Policy Enforcement Manager | application
F5 | Big-Ip Ssl Orchestrator | application
F5 | Big-Ip Webaccelerator | application
F5 | Big-Ip Websafe | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (2)

Every observed campaign linking this CVE to a named adversary.

Associated malware (1)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (5)

Community discussion across Reddit, Mastodon, and other social sources.