This Metasploit module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the "Automatic" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the "DSIG" browser cookie to a valid session ID. For the "Manual" action, please specify a file to dump via the "FILE" option. /etc/passwd will be dumped by default. If the "PRINT" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.
9434228fa1dc2af2393abd6886ea6161415b95086765f63406754e8064f448e0
Pulse Secure versions 8.1R15.1, 8.2, 8.3, and 9.0 SSL VPN remote code execution exploit.
428ddb0b67961d1a87be1c6c6acc41e678e23d1cbb23562598e8a6d6caf8b149
This Metasploit module exploits Pulse Secure SSL VPN versions 8.1R15.1, 8.2, 8.3, and 9.0 which suffer from an arbitrary file disclosure vulnerability.
c4c06bbd40df833eb2f186640de391e2da4dc98aaffb460369cdb39d17627ab0