pfsense_xmlrpc_backdoor - a PHP backdoor on a pfSense firewall over xmlrpc.php.

pfsense_xmlrpc_backdoor – a PHP backdoor on a pfSense firewall over xmlrpc.php.

pfsense_xmlrpc_backdoor is a sample payload and example use of abusing pfSense’s xmlrpc.php functions to establish a backdoor and get root level access to pfSense firewalls.

The backdoor in use at SECCDC

The backdoor in use at SECCDC

This exploit is post-auth (for the admin account) and as it stands is considered a non-issue according to the pfSense security team, since this password is shared for both the web and ssh services (ssh wasn’t WAN accessible when this was used). This authentication method bypasses security rules that apply to auth attempts against the web and is treated as a local_backed authentication attempt. Any PHP shells that are dropped to web root will run with full root perms. It is also worth noting the web server appears to be single threaded so spinning up a long running exec (such as a loop or ping without count) will effectively DoS the web server and stop web based authentication and administration.

The XML PHP backdoor payload :
This payload can be sent to the pfSense box, it will utilize the pfsense.exec_php method to write a very simple php backdoor named ignore.php to the webroot on the firewall.

The XML DoS :
This payload can be sent to the pfSense box, it will lock up the web server so web based authentication and administration will not function.

Usage :

Download : Master.zip  | Clone Url
Source : https://github.com/chadillac