- pfSense Diag Routes Web Shell Upload
  Disclosure Date: 2022-02-23
  First seen: 2022-12-23
  exploit/unix/http/pfsense_diag_routes_webshell
  This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions <= 2.5.2 and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Routing tables" privilege. This module uses the vulnerability to create a web shell and execute payloads with root privileges.
  Authors:
  - Abdel Adim "smaury" Oisfi of Shielder
  - jbaines-r7

- pfSense authenticated graph status RCE
  Disclosure Date: 2016-04-18
  First seen: 2020-04-26
  exploit/unix/http/pfsense_graph_injection_exec
  pfSense, a free BSD based open source firewall distribution, version <= 2.2.6 contains a remote command execution vulnerability post authentication in the _rrd_graph_img.php page. The vulnerability occurs via the graph GET parameter. A non-administrative authenticated attacker can inject arbitrary operating system commands and execute them as the root user. Verified against 2.2.6, 2.2.5, and 2.1.3.
  Authors:
  - Security-Assessment.com
  - Milton Valencia
  - Jared Stephens

2 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.