OS: Linux IP: 10.10.10.7
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)25/tcp open smtp Postfix smtpd80/tcp open http Apache httpd 2.2.3110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4111/tcp open rpcbind 2 (RPC #100000)143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))993/tcp open ssl/imap Cyrus imapd995/tcp open pop3 Cyrus pop3d3306/tcp open mysql MySQL (unauthorized)4445/tcp open upnotifyp?10000/tcp open http MiniServ 1.570 (Webmin httpd)
This attack exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code to the '$channel' variable in function callme_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200.
Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs.
User is allowed to run an old version of nmap --interactive using sudo which can then drop the low privileged user into a root shell.
Port 443 is running elastix which has a common vulnerability.
Set up unix/http/freepbx_callmenum with the following options in metasploit.
Execute the exploit and wait a while as it runs. After a while you will get a shell.
Interact with the session and start enumerating the machine.
Unusual entry in sudo -l
Use sudo nmap --interactive to get root.