Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

F5 BIG-IP iControl REST Authentication Bypass and RCE

Identifiers: CVE-2022-1388, CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

CVE-2022-1388 is a critical (CVSS v3.1 9.8) authentication bypass in the F5 BIG-IP management plane, specifically the iControl REST API. It affects BIG-IP 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, 14.1.x prior to 14.1.4.6, 13.1.x prior to 13.1.5, and all 12.1.x and 11.6.x versions. Specially crafted HTTP requests bypass iControl REST authentication: the public exploits send an X-F5-Auth-Token header together with a Connection header that names it, so the httpd front end strips the token as a hop-by-hop header before proxying to the REST back end, which then accepts a Basic Authorization header carrying the admin username without the password being verified. Once past authentication, the attacker can call management endpoints such as /mgmt/tm/util/bash to run arbitrary system commands. The issue is therefore an authentication bypass (CWE-288) that yields unauthenticated remote code execution on the BIG-IP control plane.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets an unauthenticated attacker with network access to the affected management interface execute arbitrary system commands on the BIG-IP system; the public PoCs listed on this page report that the commands run as root. Reported consequences include full compromise of the device control plane, creation or deletion of files, disabled services, deployment of web shells, cryptominers or ransomware-enabling tooling, theft of sensitive data, and use of the appliance as a pivot point to bridge segmented networks. Available reporting states this is a control-plane issue and does not directly expose the data plane, although an attacker with root on the control plane can reconfigure it.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, apply the vendor's temporary workarounds: block iControl REST access through the self IP addresses (port lockdown) and through the management interface so that only trusted administrative hosts can reach it, and apply the documented BIG-IP httpd configuration change that normalises the Connection header so hop-by-hop stripping cannot remove X-F5-Auth-Token before the request reaches the REST back end. More broadly, keep the management plane off the internet, limit access to trusted administrative networks, and monitor for POST requests to endpoints such as /mgmt/tm/util/bash and related iControl REST activity, especially requests whose Connection header names X-F5-Auth-Token or whose Host header is 127.0.0.1 or localhost.
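The Python below is an added example, not code from this page or from any of the repositories listed further down. It models, in deliberately simplified form, the mechanism behind the bypass described above (a front-end proxy that strips every header the client names in Connection, and a back end that trusts Basic auth on a local-looking request that carries no session token), shows the effect of the httpd workaround (normalising Connection to keep-alive or close before stripping), and provides a detection function for the request shape the public PoCs use. The front-end and back-end functions are a teaching model and an assumption about behaviour, not F5's code; the header names, endpoint and JSON body shape are those reported on this page; the credentials and token values in the sample requests are placeholders.

```python
import base64
from typing import Dict, Optional, Set, Tuple

BASH_ENDPOINT = "/mgmt/tm/util/bash"

# Headers a proxy drops regardless of what the client lists in Connection.
ALWAYS_HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
                     "proxy-authorization", "te", "trailer",
                     "transfer-encoding", "upgrade"}

# Session tokens the back end would accept. Empty in this model, so any
# X-F5-Auth-Token that reaches the back end is rejected as invalid.
VALID_SESSION_TOKENS: Set[str] = set()


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased; a repeated name keeps the last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def connection_tokens(headers: Dict[str, str]) -> Set[str]:
    """Comma-separated names in the Connection header, lower-cased."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",")
            if t.strip()}


def front_end_forward(headers: Dict[str, str], normalise: bool) -> Dict[str, str]:
    """Model of the httpd front end (assumption, not F5 code). Per hop-by-hop
    semantics it removes every header the client names in Connection before
    proxying. With normalise=True the Connection value is first rewritten to
    plain 'keep-alive' or 'close', which is the effect of the vendor's httpd
    workaround: attacker-chosen names are never honoured, so X-F5-Auth-Token
    survives to the back end and is validated there."""
    fwd = dict(headers)
    if normalise:
        conn = fwd.get("connection", "")
        fwd["connection"] = "keep-alive" if "keep-alive" in conn.lower() else "close"
    for name in connection_tokens(fwd) | ALWAYS_HOP_BY_HOP:
        fwd.pop(name, None)
    return fwd


def back_end_authorise(headers: Dict[str, str]) -> Optional[str]:
    """Simplified model of the back end's trust decision (assumption, not
    F5 code): a present token is validated; absent a token, a request that
    looks local and carries Basic auth is trusted by username alone, with
    no password check. Returns the username it would act as, or None."""
    token = headers.get("x-f5-auth-token")
    if token is not None:
        return "session-user" if token in VALID_SESSION_TOKENS else None
    host = headers.get("host", "").split(":")[0].lower()
    auth = headers.get("authorization", "")
    if host in ("127.0.0.1", "localhost") and auth.lower().startswith("basic "):
        creds = base64.b64decode(auth.split(" ", 1)[1]).decode("utf-8", "replace")
        user, _, _password = creds.partition(":")  # password is never checked
        return user or None
    return None


def simulate(raw: str, mitigated: bool) -> Optional[str]:
    """Run one raw request through front end and back end; return the
    username the back end would execute the command as, or None."""
    _method, _path, headers, _body = parse_request(raw)
    return back_end_authorise(front_end_forward(headers, mitigated))


def is_exploit_attempt(raw: str) -> bool:
    """Detection rule: a POST to the bash utility endpoint whose Connection
    header names X-F5-Auth-Token. Logging the Connection header at the edge
    is what makes this observable; a Connection value naming a non-standard
    header is the tell."""
    method, path, headers, _ = parse_request(raw)
    return (method == "POST" and path.split("?")[0] == BASH_ENDPOINT
            and "x-f5-auth-token" in connection_tokens(headers))


# Constructed sample request in the shape the public PoCs use.
CONSTRUCTED_PROBE = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:anything").decode() + "\r\n"
    "X-F5-Auth-Token: placeholder\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c id"}'
)

# Constructed benign call for comparison: token present, Connection untouched.
CONSTRUCTED_BENIGN = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "X-F5-Auth-Token: placeholder\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("unmitigated acts as:", simulate(CONSTRUCTED_PROBE, mitigated=False))
    print("mitigated acts as:", simulate(CONSTRUCTED_PROBE, mitigated=True))
    print("probe flagged:", is_exploit_attempt(CONSTRUCTED_PROBE))
    print("benign flagged:", is_exploit_attempt(CONSTRUCTED_BENIGN))
```

The point the model makes is that the same request is rejected once the front end stops honouring the client-supplied Connection value: the token reaches the back end and fails validation. The detector keys on the Connection header rather than on the endpoint alone, because legitimate automation also POSTs to /mgmt/tm/util/bash with a valid token.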

Remediation

Patch, then assume compromise.

Upgrade to a fixed BIG-IP release: 16.1.2.2, 15.1.5.1, 14.1.4.6 or 13.1.5, or 17.0.0 and later. For 11.x and 12.x F5 provides no security update for this issue, so affected organizations must upgrade to a supported branch. Apply the vendor advisory guidance for all exposed BIG-IP management interfaces and confirm after patching that iControl REST is no longer reachable from untrusted networks. Because exploitation gives root on the control plane, treat any device whose management interface was reachable while unpatched as potentially compromised: review httpd and iControl REST logs for POST requests to /mgmt/tm/util/bash and related endpoints, look for unexpected files, users, cron jobs or configuration changes, rotate credentials and keys stored on the device, and rebuild from a known-good image if tampering is found.
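An added example, not part of this page and not F5 tooling, that turns the version list above into a classifier you can run over an asset inventory export. The fixed versions and the unfixed 11.6.x and 12.1.x branches are the ones this page gives; treating every release from 17.0.0 upward as fixed, and branches the page does not list (such as 16.0.x) as unknown rather than safe, are assumptions; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# First fixed version per branch, as listed on this page.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}
# Branches the page says received no fix: every version is affected.
NO_FIX_BRANCHES = {(12, 1), (11, 6)}
# The page lists 17.0.0 as fixed. Assumption: every later release is too.
FIRST_FIXED_17 = (17, 0, 0)

_LEADING_VERSION = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Leading dotted numeric part of a version string.
    '16.1.2.2 Build 0.0.4' -> (16, 1, 2, 2); None if there is none."""
    m = _LEADING_VERSION.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def status(text: str) -> str:
    """Classify one version: 'fixed', 'affected', 'affected-no-fix',
    'unknown-branch' (a branch this page does not list) or 'unparseable'.
    Tuple comparison handles prefixes correctly: (16, 1, 2) sorts below
    (16, 1, 2, 2), so a short version string is treated as older."""
    v = parse_version(text)
    if v is None or len(v) < 2:
        return "unparseable"
    if v >= FIRST_FIXED_17:
        return "fixed"
    branch = v[:2]
    if branch in NO_FIX_BRANCHES:
        return "affected-no-fix"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "affected"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by status; 'affected' and
    'affected-no-fix' together are the patch list, 'unknown-branch' needs
    a manual check against the vendor advisory."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory:
        groups.setdefault(status(version), []).append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("lb-edge-01", "16.1.2.1"),
    ("lb-edge-02", "16.1.2.2 Build 0.0.4"),
    ("lb-core-01", "15.1.5.1"),
    ("lb-core-02", "14.1.4.5"),
    ("lb-legacy-01", "12.1.6"),
    ("lb-lab-01", "17.1.0"),
    ("lb-lab-02", "16.0.1"),
]

if __name__ == "__main__":
    for bucket, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:16} {', '.join(hosts)}")
```

Feed it the output of `tmsh show sys version` or whatever your inventory exports; the regex keeps only the leading dotted number, so build suffixes do not break the comparison.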
PUBLIC EXPLOITS

Exploits

21 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden). Valid: 21 of 28 total.
abyss-c2 (PoC, verified exploit)

This repository's summary mentions neither CVE-2022-1388 nor F5 BIG-IP. It is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db.

Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts.

Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

By flags-alt. Disclosed May 20, 2026. Languages: python, html. Vectors: network, web, local.

CVE-2022-1388 (PoC, verified exploit)

This repository contains a Python exploit script (cve_2022_1388_exploit.py) targeting CVE-2022-1388, a critical authentication bypass and remote command execution vulnerability in F5 BIG-IP iControl REST. The exploit works by sending a specially crafted POST request to the /mgmt/tm/util/bash endpoint on the target device, using forged HTTP headers (X-F5-Auth-Token and Authorization) to bypass authentication. The script allows the attacker to execute arbitrary shell commands remotely, either as a one-off command or through an interactive shell session. The README.md provides detailed usage instructions, examples, and background on the vulnerability. The exploit is operational and can be used against any accessible, unpatched F5 BIG-IP instance with the vulnerable iControl REST interface. No detection or fake code is present; the script is a functional exploit. The only code file is the Python script, which is the main entry point and contains all exploit logic.

By r0otk3r. Disclosed Jul 12, 2025. Language: python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository contains a Python proof-of-concept exploit for CVE-2022-1388, a critical authentication bypass vulnerability in F5 BIG-IP's iControl REST API. The exploit script (CVE-2022-1388.py) allows an attacker to execute arbitrary shell commands on a vulnerable F5 device by sending a specially crafted HTTPS POST request to the /mgmt/tm/util/bash endpoint. The exploit sets specific HTTP headers (Host: 127.0.0.1, Authorization, X-F5-Auth-Token, Connection) to bypass authentication and gain root command execution. The README.md provides background, usage instructions, and mitigation advice. The repository is structured simply, with one exploit script and a detailed README. The main attack vector is network-based, targeting the management interface of F5 BIG-IP devices. The exploit is operational, requiring the attacker to specify the target IP and command to execute.

By horizon3ai. Disclosed May 9, 2022. Language: python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository provides an operational exploit for CVE-2022-1388, a critical unauthenticated remote code execution vulnerability in F5 BIG-IP management interfaces. The main exploit script, 'cve.py', is written in Python and allows both single-target and mass exploitation modes. It sends crafted HTTP POST requests to the management API endpoints (notably '/mgmt/tm/util/bash') with malicious JSON payloads that execute arbitrary shell commands on the target device. The exploit uses hardcoded headers to bypass authentication and demonstrates command execution by running commands such as 'id' and 'cat /etc/passwd'. The repository includes a list of possible API endpoints ('endpoint.txt') and example payloads ('api_command.txt'), as well as a requirements file for dependencies. The exploit is operational and can be used to gain remote shell access or execute arbitrary commands on vulnerable F5 BIG-IP devices.

By justakazh. Disclosed May 13, 2022. Language: python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository provides a Python exploit script (CVE_2022_1388.py) targeting F5 BIG-IP and BIG-IQ products that its README lists as vulnerable to CVE-2022-1388, a critical unauthenticated remote code execution flaw (F5's advisory covers BIG-IP only and lists BIG-IQ Centralized Management as not vulnerable). The script allows for multiple modes: vulnerability verification, arbitrary command execution, reverse shell, and batch scanning of multiple targets. It works by sending specially crafted POST requests to the /mgmt/tm/util/bash endpoint on the target device, using specific headers to bypass authentication. The README.md details affected product versions, usage instructions, and references. The check.txt file is used for batch scanning and contains example target URLs. The exploit is operational, providing real command execution and reverse shell capabilities, and is suitable for both single and multiple target assessments.

By Al1ex. Disclosed May 9, 2022. Language: python. Vector: network.

CVE-2022-1388 (PoC, nuclei framework, verified exploit)

This repository provides proof-of-concept (POC) exploit templates for CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP iControl REST API. The repository contains two Nuclei YAML templates: one for exploiting the RCE (bigip-icontrol-rest-rce.yaml) and another for detecting authentication bypass (f5-icontrol-rest-api-auth-bypass.yaml). The main exploit template sends a crafted POST request to the '/mgmt/tm/util/bash' endpoint with specific headers and a JSON payload to execute arbitrary shell commands on the target device. The detection template checks for authentication bypass by probing the '/mgmt/shared/authn/login' endpoint. The README provides usage instructions and references. The repository is structured for use with the Nuclei scanning framework and is intended for security testing and vulnerability verification on F5 BIG-IP devices.

By numanturle. Disclosed May 5, 2022. Language: yaml. Vector: network.

Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter (PoC, nuclei framework, verified exploit)

This repository contains a Nuclei template (exploit-CVE-2022-1388.yaml) for exploiting CVE-2022-1388, a critical authentication bypass and remote code execution vulnerability in F5 BIG-IP's iControl REST API. The exploit leverages a crafted HTTP POST request to the /mgmt/tm/util/bash endpoint, using a manipulated 'Connection' header and a static or user-supplied authentication token to bypass authentication. The template allows dynamic command injection via Nuclei's variable system, enabling the execution of arbitrary system commands on the target device. The README provides usage instructions, including both Nuclei and manual curl-based exploitation, and references to further technical details and related exploits. The main fingerprintable endpoint is the /mgmt/tm/util/bash API path, and the template is designed for use with the Nuclei vulnerability scanning framework. The exploit is operational, providing real command execution on vulnerable targets, and is not merely a detection script.

By MrCl0wnLab. Disclosed May 10, 2022. Language: yaml. Vector: network.

F5-BIG-IP-POC (PoC, verified exploit)

This repository is a collection of Proof-of-Concept (POC) exploits for three critical vulnerabilities affecting F5 BIG-IP devices: CVE-2020-5902, CVE-2021-22986, and CVE-2022-1388. The code is written in Go and consists of four main files: one for each CVE and a main orchestrator (F5.go). The main entry point (F5.go) parses command-line arguments for the target URL and command to execute, then sequentially tests each vulnerability.
- The CVE-2020-5902 exploit attempts to read the /etc/passwd file via a crafted HTTP GET request, indicating a successful exploit if the file is retrieved.
- The CVE-2021-22986 and CVE-2022-1388 exploits send crafted HTTP POST requests to the /mgmt/tm/util/bash endpoint, attempting to execute arbitrary shell commands (default is 'id', but customizable via the -c flag).
The repository is intended for authorized security research and includes a README with usage instructions and vulnerability descriptions. No hardcoded IPs or domains are present; the user must supply the target URL. The attack vector is network-based, targeting exposed F5 BIG-IP management interfaces over HTTPS.

By west9b. Disclosed May 28, 2022. Language: go. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository contains a single Python script (CVE-2022-1388.py) that exploits CVE-2022-1388, a critical vulnerability in F5 BIG-IP devices. The script allows an attacker to execute arbitrary shell commands on a vulnerable BIG-IP system by sending a crafted POST request to the management API endpoint '/mgmt/tm/util/bash' over HTTPS. It uses specific headers, including a hardcoded Host header ('127.0.0.1') and an Authorization header, to bypass authentication. The script takes the target IP address and the command to execute as arguments, prints the output of the command if successful, and notifies the user if the target does not appear vulnerable. The exploit is operational and demonstrates remote code execution via a network attack vector. The only fingerprintable endpoint is the management API URL on the target device.

By pauloink. Disclosed May 11, 2022. Language: python. Vector: network.

CVE-2022-1388-rs (PoC, verified exploit)

This repository provides a proof-of-concept (PoC) exploit for CVE-2022-1388, a critical authentication bypass and remote code execution vulnerability in F5 BIG-IP's iControl REST API. The main exploit is implemented in Rust (src/main.rs) and acts as both a scanner and an interactive shell for exploiting vulnerable F5 BIG-IP devices. It sends crafted HTTP POST requests to the /mgmt/tm/util/bash endpoint with specific headers to bypass authentication and execute arbitrary shell commands on the target. The exploit supports both single-command execution and an interactive shell mode. The repository also includes a LAB-PoC directory containing a Python FastAPI application (main.py) that emulates the vulnerable endpoint for testing purposes. This lab environment can be run locally or via Docker, allowing safe testing of the exploit without targeting real devices.
Key files:
- src/main.rs: main Rust exploit code, providing scanning and interactive shell capabilities.
- LAB-PoC/main.py: Python FastAPI app simulating the vulnerable endpoint for local testing.
- README.md: detailed usage instructions, PoC request format, and mitigation advice.
The exploit targets F5 BIG-IP devices vulnerable to CVE-2022-1388 and requires network access to the iControl REST API. The payload is a crafted HTTP request that results in remote command execution if the target is vulnerable.

By aancw. Disclosed May 17, 2022. Languages: rust, python. Vector: network.

F5-CVE-2022-1388-Exploit (PoC, verified exploit)

This repository provides an exploit and detection toolkit for CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP devices. The main exploit script, CVE_2022_1388.py, allows an attacker to check if a target is vulnerable, execute arbitrary shell commands on a vulnerable device, or scan a list of targets in batch mode. The exploit works by sending specially crafted HTTP POST requests to the /mgmt/tm/util/bash endpoint of the iControl REST API, using specific headers to bypass authentication and authorization. The payload is customizable, allowing the attacker to execute any shell command, and the script suggests a reverse shell command for post-exploitation. The masscheck.py script is a detection tool that checks if the iControl REST API is exposed on a list of targets by probing the /mgmt/shared/authn/login endpoint. The README provides usage instructions, affected product versions, and detection advice. The repository is structured with two main Python scripts (exploit and mass checker), a README, and CODEOWNERS files. The exploit is operational and can be used for both vulnerability verification and exploitation.

By ZephrFish. Disclosed May 9, 2022. Language: python. Vector: network.

CVE-2022-1388-Exploit-POC (PoC, verified exploit)

This repository is a proof-of-concept (POC) exploit for CVE-2022-1388, a critical vulnerability in F5 BIG-IP devices. The repository contains two files: a README.md with a description and example HTTP request, and poc.txt containing a raw HTTP POST request. The exploit demonstrates how to send a specially crafted POST request to the /mgmt/tm/util/bash endpoint on a vulnerable F5 BIG-IP device, using a specific set of headers and a JSON body to execute arbitrary commands (in this case, 'id'). The README also provides a Shodan query to help identify potential targets. No executable code is present; the exploit is a manual POC showing the required HTTP request structure. The main capability is remote command execution via the management interface of F5 BIG-IP devices.

By sherlocksecurity. Disclosed May 9, 2022. Language: http. Vector: network.

CVE-2022-1388-PocExp (PoC, verified exploit)

This repository contains a Python exploit script (CVE-2022-1388.py) targeting the F5 BIG-IP iControl REST API vulnerability (CVE-2022-1388). The exploit allows an attacker to check if a target is vulnerable and, if so, execute arbitrary system commands on the device. The script supports both single and multiple target modes, as well as custom command execution. It uses crafted HTTP headers to bypass authentication and sends POST requests to the '/mgmt/tm/util/bash' endpoint to run commands. The exploit is operational and can be used to gain remote code execution, including spawning a reverse shell. The repository also includes a README.md with usage instructions. No hardcoded external endpoints are present, but the script references local proxy settings and the relevant F5 management API endpoints.

By 0x7eTeam. Disclosed May 10, 2022. Language: python. Vector: network.

CVE-2022-1388-POC (PoC, verified exploit)

This repository provides a Python proof-of-concept exploit for CVE-2022-1388, a critical authentication bypass vulnerability in F5 BIG-IP products. The main file, CVE-2022-1388.py, allows an attacker to test if a target is vulnerable and, if so, to execute arbitrary system commands as root via the F5 iControl REST API. The exploit works by sending specially crafted POST requests to the /mgmt/tm/util/bash endpoint with specific headers that bypass authentication. The script supports both single-command execution (for testing) and an interactive shell mode, enabling ongoing command execution on the compromised device. The README.md provides detailed usage instructions, technical background, and mitigation advice. The requirements.txt lists the necessary Python dependencies (requests and urllib3). No hardcoded IPs or domains are present; the target is specified by the user at runtime. The exploit is operational, providing real command execution capabilities, but is not part of a larger exploitation framework.

By PsychoSec2. Disclosed May 15, 2022. Language: python. Vector: network.

Exploit-F5-CVE-2022-1388 (PoC, verified exploit)

This repository provides proof-of-concept (PoC) bash scripts to exploit CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP devices. The repository contains two main scripts: one for targeting a single IP address (CVE-2022-1388-single-ip.sh) and another for targeting multiple IPs listed in a file (CVE-2022-1388-multi-ips.sh). Both scripts use curl to send a specially crafted HTTP POST request to the '/mgmt/tm/util/bash' endpoint on the target device, leveraging improper authentication handling to execute arbitrary commands (in this case, 'id') as the root user. The README.md provides version information for affected BIG-IP products. The exploit demonstrates remote code execution but does not provide a weaponized or fully automated attack chain. No hardcoded IPs or credentials are present; the attacker must supply target IPs.

By Stonzyy. Disclosed May 10, 2022. Language: bash. Vector: network.

F5-BigIP-CVE-2022-1388 (PoC, verified exploit)

This repository contains a Python exploit script (Exploit-F5-BigIP-CVE-2022-1388.py) targeting the unauthenticated remote code execution vulnerability in F5 BIG-IP devices (CVE-2022-1388). The exploit abuses the management API endpoint '/mgmt/tm/util/bash' over HTTPS, sending specially crafted headers to bypass authentication and execute arbitrary shell commands on the target device. The script takes the target IP address and a shell command as arguments, then prints the command output. The README provides usage instructions and an example command. The exploit is operational and can be used to gain root-level command execution on vulnerable F5 BIG-IP systems (versions 11-16) with exposed management interfaces.

By qusaialhaddad. Disclosed May 10, 2022. Language: python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository provides a full exploit for CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP iControl REST. The main exploit is implemented in Java (src/ directory), with a supporting Python-based lab (CVE2022-1388_LAB/) for local testing. The Java code allows scanning single or multiple targets for vulnerability, and if vulnerable, provides an interactive shell to execute arbitrary commands on the target device via the /mgmt/tm/util/bash endpoint. The exploit works by sending crafted POST requests with specific headers and JSON payloads to the iControl REST API, bypassing authentication. The Python lab simulates the vulnerable endpoint for testing purposes. The repository is well-structured, with clear separation between the exploit code and the test lab, and includes documentation for setup and usage. No hardcoded IPs or domains are present; the target is user-supplied. The exploit is operational, providing real command execution capabilities against vulnerable F5 BIG-IP devices.

By Zeyad-Azima. Disclosed May 12, 2022. Languages: java, python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository provides a working exploit for CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP devices. The main exploit script, CVE_2022_1388.py, is a Python tool that allows an attacker to execute arbitrary shell commands on a vulnerable BIG-IP device by sending a specially crafted POST request to the /mgmt/tm/util/bash endpoint. The script supports both single-target and mass exploitation modes, accepting either a single URL or a file containing a list of targets. The exploit works by bypassing authentication using specific HTTP headers and sending a command to be executed on the target system. The README.md provides usage instructions, detection tips, and lists the affected BIG-IP versions. The parser_zoomeye.py script is a utility for parsing Zoomeye search results, aiding in the identification of potential targets. Overall, the repository is operational and provides a practical tool for exploiting vulnerable F5 BIG-IP devices over the network.

By Chocapikk. Disclosed Jun 20, 2022. Languages: python, markdown. Vector: network.

CVE-2022-1388-exploit (PoC, verified exploit)

This repository contains a proof-of-concept exploit for CVE-2022-1388, targeting F5 BIG-IP devices. The main file, 'exploit.py', is a Python script that sends a crafted HTTPS POST request to the '/mgmt/tm/util/bash' management endpoint of a target F5 BIG-IP device. The exploit leverages a vulnerability that allows unauthenticated remote command execution by abusing specific HTTP headers and a hardcoded Authorization value. The script takes a target IP and a shell command as arguments, executes the command on the target device, and prints the output. The repository is minimal, with only a README and the exploit script, and is focused solely on demonstrating the vulnerability and providing a working exploit.

By nvk0x. Disclosed Jan 3, 2024. Language: python. Vector: network.

CVE-2022-1388 (PoC, verified exploit)

This repository contains a Python exploit script (CVE-2022-1388.py) and a README for CVE-2022-1388, a critical authentication bypass and remote code execution vulnerability in F5 BIG-IP iControl REST. The exploit targets the /mgmt/tm/util/bash endpoint on the management interface of vulnerable F5 BIG-IP devices. It works by sending specially crafted HTTP POST requests with specific headers (including 'X-F5-Auth-Token' and 'Authorization') to bypass authentication and execute arbitrary shell commands as root. The script supports both single-target and batch scanning modes, allowing users to check if a device is vulnerable and, if so, execute arbitrary commands. Results of successful exploitation are printed to the console, and vulnerable URLs can be saved to a file. The exploit is operational, providing real command execution on the target. No hardcoded payloads are present; the user can specify any command to execute. The repository is well-structured, with clear usage instructions and examples in the README.

By 0xf4n9x. Disclosed May 9, 2022. Language: python. Vector: network.

CVE-2022-1388-EXP (PoC, verified exploit)

This repository provides both a detection script (check.py) and a full exploit (exp.py) for CVE-2022-1388, a critical remote code execution vulnerability in F5 BIG-IP's iControl REST API. The check.py script allows users to verify if a target is exposing the vulnerable API endpoint, either individually or in bulk. The exp.py script is a more advanced exploit tool that supports multiple modes: verification, arbitrary command execution, reverse shell, and bulk scanning. The exploit works by sending specially crafted HTTP POST requests to the /mgmt/tm/util/bash endpoint with specific headers (including X-F5-Auth-Token and Authorization) and a JSON payload that instructs the system to execute arbitrary shell commands. The repository is structured with clear separation between detection and exploitation, and is written in Python. No hardcoded IPs or domains are present; the user supplies target URLs. The exploit is operational and can be used to gain remote code execution on vulnerable F5 BIG-IP devices.

By doocop. Disclosed May 7, 2022. Language: python. Vector: network.
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product                                  | Type
F5     | BIG-IP Access Policy Manager             | application
F5     | BIG-IP Advanced Firewall Manager         | application
F5     | BIG-IP Analytics                         | application
F5     | BIG-IP Application Acceleration Manager  | application
F5     | BIG-IP Application Security Manager      | application
F5     | BIG-IP Domain Name System                | application
F5     | BIG-IP Fraud Protection Service          | application
F5     | BIG-IP Global Traffic Manager            | application
F5     | BIG-IP Link Controller                   | application
F5     | BIG-IP Local Traffic Manager             | application
F5     | BIG-IP Policy Enforcement Manager        | application

Vendor-confirmed product mapping: every BIG-IP module listed runs on the same affected BIG-IP releases, so module choice does not change exposure.

What this page doesn't show

Additional data Mallory holds for this CVE beyond the public information above:
- Exposure mapping: query your assets running an affected version and investigate the blast radius.
- Threat actor evidence (2): observed campaigns linking this CVE to a named adversary.
- Associated malware: malware families riding this exploit, with evidence and IOCs.
- Detection signatures (2): YARA, Sigma, Snort, and vendor rules.
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
- Social activity (13): community discussion across Reddit, Mastodon, and other social sources.