Cisco_7940G_7960G_remote_exploits

Proof of concept attacks for my zero days in Cisco VoIP phones, and other shenanigans.

The future home of a lot of POCs. The POCs are done, I'm just writing things up and requesting CVEs.

Already posted:

SIP OPTIONS packet overflow

Sipp POC of my zero day.
Affected SIP FW versions: 8.6 (and older, presumably).
Confirmed vulnerable versions: 8.6
Confirmed not vulnerable: 8.7, 8.8, 8.9.
Untested: 8.5-, 8.10, 8.11, 8.12

Coming Soon:

CallerID Name of Death -- Remote crash via malformed CallerID Name

POC of my zero day.
Affected SIP FW versions: 8.6 (and older, presumably).
Confirmed vulnerable versions: 8.6
Confirmed not vulnerable: 8.7, 8.8, 8.9.
Untested: 8.5-, 8.10, 8.11, 8.12

Invite of Death -- Remote crash via malformed INVITE address

POC of my zero day.
Vulnerable SIP FW versions: 8.6, 8.7, 8.8, 8.9.
Confirmed not vulnerable: None
Untested: 8.5-, 8.10, 8.11, 8.12

MIME boundary remote code remote execution fun

POC of a bug that already has a CVE, but no known POCs:
https://nvd.nist.gov/vuln/detail/CVE-2008-0528
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080213-phone
Vulnerable SIP FW versions: 8.7-
Confirmed vulnerable versions: 8.6
Fixed in 8.8

My POCs include:

Dump arbitrary DWORDs to the Telnet debug terminal, script to to this on a range and scrape the results
- This is how I obtained an unencrypted copy of the firmware, one DWORD at a time.
"Hello World" printed to screen
Change the outgoing CallerID name to a payload that crashes any 7940/7960 you call with this phone >:)
- Hack the TFTP server of phone config and have the rebooting phones grab that same CallerID-of-Death and spread the fun!
Change arbitrary memory and settings, e.g. set the ringer to silent, set phone to auto answer with the room mic on -- basically turn the phone into a bug in their office.
- I can probably remotely write the change to flash, too, but I've already bricked enough of these phones already, down to 2...
Set the LEDs on or off
- Turn off the activity LED when using the phone as an office bug
- Make a row of phones LED's blink like a Cylon or KITT.
Enable the Telnet debug server on phone and start it without rebooting the phone -- something Cisco CallManager/Unified Communications Manager is incapable of doing!!!
- Change the Telnet debug password to something you know, of course.
Change the background image of the phone to any image hosted online
Write arbitrary pixels to the screen. This is super slow and clunky and randomly gets erased, but I managed to display a cat with Nicholas Cage's face so well worth the effort.

skintigh / cisco_7940g_7960g_remote_exploits Goto Github PK