# Issabel PBX 4.0.0 Remote Code Execution (Authenticated) - CVE-2024-0986

## Description/Summary

Issabel PBX 4.0.0 allows a logged in user to use `asterisk_cli` console to create files with `xmldoc` and `dump` commands. 
This allows to execute remote commands based on the name of the uploaded files abusing `restore.php` file.

This PoC script is based on [this PoC Video](

## Usage

$ python3 -u <user> -p <password> -t <ip-address> -c <UNIX command>

For example:
$ python3 -u 'johncena' -p 'ucantseem3' -t '' -c 'id'

![PoC image](images/PoC.png)

## Notes

- This will create a file located at `/var/www/backup` called `x|<command>`. It is suggested to remove all those files after testing.
- Commands that are too long might not be executed.

## More info
This script was tested on `Issabel PBX 4.0.0`.

More CVE-2024-0986 info:
- [](
- [](
- [](

## Disclaimer
The owner of this repository is not responsible for the usage of this software. It was made for educational purposes only.

## Licence