
CVE-2016-9244 PoC — Information disclosure vulnerability in the virtual server of multiple F5 BIG-IP products

Source
Associated Vulnerability
Title: Information disclosure vulnerability in the virtual server of multiple F5 BIG-IP products (CVE-2016-9244)
Description: A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.
Description
This tool exploits the Ticketbleed (CVE-2016-9244) vulnerability.
Readme
# Ticketbleed [![License](https://img.shields.io/github/license/mashape/apistatus.svg?maxAge=2592000)](https://raw.githubusercontent.com/EgeBalci/Ticketbleed/master/LICENSE) [![CVE](https://img.shields.io/badge/CVE-2016--9244-red.svg)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9244)

![](http://i.imgur.com/B9XEkvA.png)

This tool exploits the Ticketbleed (CVE-2016-9244) vulnerability. The Ticketbleed library inside the src folder is a modified version of Go's crypto/tls; it has a few changes in the `handshake_client.go`, `tls.go` and `common.go` files but is otherwise almost identical.

# BUILD

    cd Ticketbleed
    mv Ticketbleed.go.tmp Ticketbleed.go
    go get github.com/EgeBalci/Ticketbleed
    go build Ticketbleed.go


# USAGE

    ./Ticketbleed <ip:port> <options>
    OPTIONS:
        -o, --out   Output filename for raw memory
        -s, --size  Size in bytes to read (Output value may vary)
        -h, --help  Print this message



# About CVE-2016-9244

Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. That memory may contain arbitrary sensitive data, as with Heartbleed.

Discovered by: Filippo Valsorda

Finding Ticketbleed: https://blog.filippo.io/finding-ticketbleed/


VULNERABLE VERSIONS:

<table>
    <tr>
        <th>Product</th>
        <th>Version</th>
    </tr>
    <tr>
        <td>BIG-IP LTM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP AAM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP AFM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP Analytics</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP APM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP ASM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP GTM</td>
        <td>11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP Link Controller</td>
        <td>12.0.0 - 12.1.2</td>
    </tr>
    <tr>
        <td>BIG-IP PEM</td>
        <td>12.0.0 - 12.1.2 & 11.4.0 - 11.6.1</td>
    </tr>
    <tr>
        <td>BIG-IP PSM</td>
        <td>11.4.0 - 11.4.1</td>
    </tr>
</table>
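An added inventory check, not part of the Ticketbleed tool or of F5's own code: it parses the inclusive version ranges written in the table above and applies the advisory's two conditions, an affected version plus the non-default session-ticket option on the Client SSL profile. The cell strings and version numbers it is fed are constructed from the table, and it assumes plain x.y.z version numbers.

```go
package main

import "strconv"
import "strings"

// key encodes a three-part version such as "12.1.2" as 12001002 so versions
// compare numerically; malformed input (hotfix suffix, component >= 1000) gives -1.
func key(s string) int {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) != 3 {
		return -1
	}
	k := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return -1
		}
		k = k*1000 + n
	}
	return k
}

// InRange reports whether version lies inside any inclusive range of a table
// cell like "12.0.0 - 12.1.2 & 11.4.0 - 11.6.1" ("&" separates ranges).
func InRange(cell, version string) bool {
	v := key(version)
	if v < 0 {
		return false
	}
	for _, r := range strings.Split(cell, "&") {
		bounds := strings.SplitN(r, "-", 2)
		if len(bounds) != 2 {
			continue
		}
		lo, hi := key(bounds[0]), key(bounds[1])
		if lo >= 0 && hi >= 0 && lo <= v && v <= hi {
			return true
		}
	}
	return false
}

// Exposed applies both advisory conditions: an affected version and the
// non-default session-ticket option enabled on the Client SSL profile.
func Exposed(cell, version string, sessionTicketEnabled bool) bool {
	return sessionTicketEnabled && InRange(cell, version)
}
```

A version with a hotfix suffix or fewer than three components is reported as not matching rather than guessed at, so such hosts should be reviewed by hand.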
File Snapshot

    [4.0K] /data/pocs/64bb117243e471f6983495b65324847030af408f
    ├── [2.6K] alert.go
    ├── [ 10K] cipher_suites.go
    ├── [ 22K] common.go
    ├── [ 30K] conn.go
    ├── [5.5K] conn_test.go
    ├── [2.2K] example_test.go
    ├── [4.3K] generate_cert.go
    ├── [ 19K] handshake_client.go
    ├── [ 18K] handshake_client_test.go
    ├── [ 31K] handshake_messages.go
    ├── [6.5K] handshake_messages_test.go
    ├── [ 21K] handshake_server.go
    ├── [ 38K] handshake_server_test.go
    ├── [4.2K] handshake_test.go
    ├── [ 12K] key_agreement.go
    ├── [1.0K] LICENSE
    ├── [ 11K] prf.go
    ├── [5.3K] prf_test.go
    ├── [2.3K] README.md
    ├── [4.0K] testdata
    │   ├── [9.8K] Client-TLSv10-ClientCert-ECDSA-ECDSA
    │   ├── [9.1K] Client-TLSv10-ClientCert-ECDSA-RSA
    │   ├── [9.7K] Client-TLSv10-ClientCert-RSA-ECDSA
    │   ├── [9.0K] Client-TLSv10-ClientCert-RSA-RSA
    │   ├── [6.5K] Client-TLSv10-ECDHE-ECDSA-AES
    │   ├── [6.9K] Client-TLSv10-ECDHE-RSA-AES
    │   ├── [5.8K] Client-TLSv10-RSA-RC4
    │   ├── [6.7K] Client-TLSv11-ECDHE-ECDSA-AES
    │   ├── [7.1K] Client-TLSv11-ECDHE-RSA-AES
    │   ├── [5.8K] Client-TLSv11-RSA-RC4
    │   ├── [6.0K] Client-TLSv12-AES128-GCM-SHA256
    │   ├── [6.0K] Client-TLSv12-AES256-GCM-SHA384
    │   ├── [6.9K] Client-TLSv12-ALPN
    │   ├── [6.7K] Client-TLSv12-ALPN-NoMatch
    │   ├── [ 10K] Client-TLSv12-ClientCert-ECDSA-ECDSA
    │   ├── [9.2K] Client-TLSv12-ClientCert-ECDSA-RSA
    │   ├── [ 10K] Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384
    │   ├── [ 10K] Client-TLSv12-ClientCert-RSA-ECDSA
    │   ├── [9.2K] Client-TLSv12-ClientCert-RSA-RSA
    │   ├── [6.7K] Client-TLSv12-ECDHE-ECDSA-AES
    │   ├── [6.3K] Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384
    │   ├── [6.3K] Client-TLSv12-ECDHE-ECDSA-AES-GCM
    │   ├── [7.1K] Client-TLSv12-ECDHE-RSA-AES
    │   ├── [5.8K] Client-TLSv12-RSA-RC4
    │   ├── [8.4K] Client-TLSv12-SCT
    │   ├── [5.8K] Server-SSLv3-RSA-3DES
    │   ├── [5.9K] Server-SSLv3-RSA-AES
    │   ├── [5.5K] Server-SSLv3-RSA-RC4
    │   ├── [6.2K] Server-TLSv10-ECDHE-ECDSA-AES
    │   ├── [5.5K] Server-TLSv10-RSA-3DES
    │   ├── [5.7K] Server-TLSv10-RSA-AES
    │   ├── [5.3K] Server-TLSv10-RSA-RC4
    │   ├── [1.2K] Server-TLSv11-FallbackSCSV
    │   ├── [5.3K] Server-TLSv11-RSA-RC4
    │   ├── [8.2K] Server-TLSv12-ALPN
    │   ├── [8.1K] Server-TLSv12-ALPN-NoMatch
    │   ├── [7.3K] Server-TLSv12-CipherSuiteCertPreferenceECDSA
    │   ├── [7.8K] Server-TLSv12-CipherSuiteCertPreferenceRSA
    │   ├── [8.8K] Server-TLSv12-ClientAuthRequestedAndECDSAGiven
    │   ├── [8.7K] Server-TLSv12-ClientAuthRequestedAndGiven
    │   ├── [5.6K] Server-TLSv12-ClientAuthRequestedNotGiven
    │   ├── [6.5K] Server-TLSv12-ECDHE-ECDSA-AES
    │   ├── [6.2K] Server-TLSv12-IssueTicket
    │   ├── [6.2K] Server-TLSv12-IssueTicketPreDisable
    │   ├── [2.6K] Server-TLSv12-Resume
    │   ├── [6.2K] Server-TLSv12-ResumeDisabled
    │   ├── [5.7K] Server-TLSv12-RSA-3DES
    │   ├── [6.0K] Server-TLSv12-RSA-AES
    │   ├── [6.4K] Server-TLSv12-RSA-AES256-GCM-SHA384
    │   ├── [6.4K] Server-TLSv12-RSA-AES-GCM
    │   ├── [5.4K] Server-TLSv12-RSA-RC4
    │   ├── [4.7K] Server-TLSv12-SNI
    │   ├── [4.7K] Server-TLSv12-SNI-GetCertificate
    │   └── [4.7K] Server-TLSv12-SNI-GetCertificateNotFound
    ├── [2.8M] Ticketbleed
    ├── [4.5K] Ticketbleed.go.tmp
    ├── [4.7K] ticket.go
    ├── [ 11K] tls.go
    └── [ 13K] tls_test.go

    1 directory, 78 files