![]() ![]() This feature allows you to set a script to be executed, which is quite appealing for red teamers or malicious actors. Pulse secure connect contains the functionality to allow an administrator to setup user clients to automatically execute locally hosted files upon the user logging in or out of their VPN instance. Abusing the log-on script feature to pop shells In later blog post I’ll be discussing how Mimir, and I were able to create a proof of concept for CVE-2019–11510 that was later used to tbuild to an exploit module created by Justin Wagner. We’ll be focusing on two topics, primarily expanding capabilities of the initial proof of concept that Orange Tsai demonstrated on file execution upon client log-in and demonstrating how we can use CVE-2019–11539 to gain an SSH shell with root privileges. We additionally got help from Rich Warren ( buffaloverflow) for the automation of the exploit. The research was conducted primarily by Alyssa Herrera ( Alyssa_Herrera_), Justin Wagner ( 0xDezzy), and Mimir ( XMPPwocky). This write-up is the collective efforts of collaborating with various hackers on exploring and furthering research that was presented by Orange Tsai ( orange_8361) and Meh Chang ( mehqq_) on attacking Pulse Secure SSL VPN. Red Teamer’s Guide to Pulse Secure SSL VPN Introduction ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |