## Vulnerable Application

This vulnerability affects all pfSense versions prior to 2.4.2-RELEASE.

## Vulnerable Setup

The victim must be able to access the WebGUI and must be logged in as admin for this exploit to work. The WebGUI's TLS certificate may also need to be trusted in the victim's browser.

## Verification Steps

1. `use exploit/unix/http/pfsense_clickjacking`
2. `set TARGETURI https://`
3. `exploit`
4. Browse to the URL returned by MSF
5. Click anywhere on the returned page
6. Note that a new Meterpreter session was started.

## Options

**TARGETURI**

The base path of the WebGUI. The default base path is https://192.168.1.1/