Subscribe via feed.

Grandstream GXV31XX settimezone Unauthenticated Command Execution

Posted by deepcore on February 10, 2022 – 2:41 pm

This Metasploit module exploits a command injection vulnerability in Grandstream GXV31XX IP multimedia phones. The settimezone action does not validate input in the timezone parameter allowing injection of arbitrary commands. A buffer overflow in the phonecookie cookie parsing allows authentication to be bypassed by providing an alphanumeric cookie 93 characters in length. This module was tested successfully on Grandstream models: GXV3175v2 hardware revision V2.6A with firmware version 1.0.1.19; and GXV3140 hardware revision V0.4B with firmware version 1.0.1.27.


This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.