Viproy 2.7.0

fozavci · Feb 20, 2015 · d6dc019 · d6dc019
1 parent d1bbc4c
commit d6dc019
Show file tree

Hide file tree

Showing 14 changed files with 201 additions and 123 deletions.
diff --git a/external/voss-xmlservice.rb b/external/voss-xmlservice.rb
@@ -3,7 +3,7 @@
 
 require 'socket'
 server = TCPServer.new(8080)
-@serverip = "192.168.0.1"
+@serverip = "10.2.0.7"
 
 @cf_devices={"SEP001795A603C1" => {"91102" => "11010001410391102","91103" => "11010001410391103"},
              "SEP001795A603C2" => {"91104" => "11010001410391104"},
@@ -252,4 +252,4 @@ def prepheaders(data,t="xml")
   end
 
   client.close
-}
+}
diff --git a/lib/msf/core/auxiliary/sip.rb b/lib/msf/core/auxiliary/sip.rb
@@ -48,7 +48,7 @@ def sipsocket_start(sockinfo)
   def sipsocket_connect
     case self.proto
       when 'udp'
-        listen_port = self.listen_port
+        listen_port = datastore["CPORT"].to_i || 5060
         while listen_port
           begin
             self.sock = Rex::Socket::Udp.create(
@@ -128,7 +128,12 @@ def printresults(results,context={})
     report << "\tServer \t\t: #{rdata['server']}\n" if rdata['server']
     report << "\tWarning \t: #{rdata['warning']}\n" if rdata['warning']
     report << "\tUser-Agent \t: #{rdata['agent']}\n"	if rdata['agent']
-    report << "\tRealm \t\t: #{rdata['digest']['realm']}\n" if rdata['digest']
+    if rdata['digest']
+      report << "\tRealm \t\t: #{rdata['digest']['realm']}\n"
+      realm = rdata['digest']['realm']
+    else
+      realm = nil
+    end
     report << "\tContact\t\t: #{rdata['contact']}\n" if rdata['resp_msg'].split(" ")[1] == "301"
 
     printdebug(results) if datastore["DEBUG"] == true
@@ -153,12 +158,12 @@ def printresults(results,context={})
       )
 
       # reporting the validated credentials
-      res = report_creds(user,password,status) if user != nil
+      res = report_creds(user,password,realm,status) if user != nil
       report << res if ! res.nil?
       print_good(report)
     else
       report << "\tCredentials\t: User => #{user} Password => #{password}\n" if user != nil and datastore['LOGIN']
-      if method == 'register'
+      if method == 'REGISTER'
         print_status(report)
       else
         vprint_status(report)
@@ -167,7 +172,7 @@ def printresults(results,context={})
   end
 
   # reporting the validated credentials
-  def report_creds(user,password,status)
+  def report_creds(user,password,realm,status)
     if status =~ /without/
       user="User=NULL,FROM=#{datastore["FROM"]},TO=#{datastore["TO"]}"
       password=nil
@@ -200,7 +205,9 @@ def printdebug(results)
 
     if self.customheaders and self.customheaders != ""
       print_debug("Custom Headers:")
-      print_debug("\t#{self.customheaders.gsub("\r\n","")}")
+      self.customheaders.split("\r\n").each {|ch|
+        print_debug("\t#{ch}")
+      }
     end
   end
 
@@ -223,10 +230,14 @@ def convert_error(err)
         return "Moved Permanently"
       when :not_found
         return "Not Found"
+      when :unsupported
+        return "Unsupported Media Type"
       when :failed
         return "Authentication Failed"
       when :send_error
         return "Request Sending is Failed"
+      when :server_unavailable
+        return "Service Available"
       when :server_error
         return "Internal Server Error"
       when :nodigest
@@ -333,26 +344,20 @@ def send_invite(req_options={})
   # Send generic request with authentication
   #
   def generic_request_withauth(method,req_options={})
+    from=req_options["from"]
+    fromname=req_options["fromname"]
+    to=req_options["to"]
+
     login = req_options["login"] || false
     loginmethod = req_options["loginmethod"] || method
 
     if login and loginmethod == "REGISTER"
-      regopts=req_options.clone
 
-      #Cisco generic Register methods requests same FROM and TO fields
-      if self.vendor == "ciscogeneric"
-        regopts['to']=regopts['from']
-      else
-        #From and TO fields should be Username for REGISTER
-        if datastore['USEREQFROM'] == true
-          regopts['from']=regopts['user']
-          regopts['to']=regopts['user']
-        end
-      end
-
-      results = send_register(regopts)
+      results = send_register(req_options)
       reg_status = results["status"]
 
+      callopts = results["callopts"]
+
       printdebug(results) if datastore["DEBUG"] == true
 
       req_options['callopts']=callopts if callopts != nil
@@ -366,6 +371,10 @@ def generic_request_withauth(method,req_options={})
       end
     end
 
+    req_options["from"]=from
+    req_options["fromname"]=fromname
+    req_options["to"]=to
+
     print_debug("No authentication performed.") if datastore['DEBUG']
 
     if method == "MESSAGE" and datastore["DOS_COUNT"]
@@ -379,7 +388,7 @@ def generic_request_withauth(method,req_options={})
     end
 
     if results["rawdata"].nil?
-      print_error("No response recieved!")
+      print_error("No response received!")
       return
     else
       printdebug(results) if datastore["DEBUG"] == true
@@ -458,8 +467,12 @@ def parse_rescode(rdata)
         result=:cred_required
       when "486"
         result=:user_busy
+      when "415"
+        result=:unsupported
       when /^60/
         result=:decline_error
+      when /503/
+        result=:service_unavailable
       when /^50/
         result=:server_error
       else
@@ -496,6 +509,20 @@ def generic_request(method,req_options={},no_response=false)
   # Authentication
   #
   def auth(method,req_options,results)
+
+
+    #Cisco generic Register methods requests same FROM and TO fields
+    if self.vendor == "ciscogeneric" and method == 'REGISTER'
+      req_options['to'] = req_options['from']
+    else
+      #From and TO fields should be Username for REGISTER
+      if datastore['USEREQFROM'] == true and method == 'REGISTER'
+        req_options['from'] = req_options['user']
+        req_options['fromname'] = nil
+        req_options['to'] = req_options['user']
+      end
+    end
+
     initmslync = results["initmslync"] || false
 
     case
@@ -512,9 +539,6 @@ def auth(method,req_options,results)
 
     req_options['callopts'] = results["callopts"] if results["callopts"] != nil
 
-    #Cisco generic Register methods requests same FROM and TO fields
-    req_options['to'] = req_options['from'] if self.vendor == "ciscogeneric"
-
     #Sending Request with Nonce or NTLM request
     results["callopts"],send_state=send_data(method,req_options)
     if send_state == :error
@@ -540,11 +564,14 @@ def auth(method,req_options,results)
         results["status"] = :succeed
       when /^40/
         results["status"] = :failed
+      when "415"
+        results["status"] = :unsupported
       when /^301/
         results["status"] = :failed
       else
         results["status"] = :authorization_error
     end
+
     return results
   end
 
@@ -577,12 +604,13 @@ def recv_data
   # Response Check
   #
   def resp_get(method,rdebug=[])
-    possible= /^18|^20|^30|^40|^48|^60|^50/
+    possible= /^18|^20|^30|^40|415|503|^48|^60|^50/
     rdata,rawdata=recv_data
     rdebug << rdata
 
     while (rdata != nil and !(rdata['resp'] =~ possible))
       rdata,rawdata=recv_data
+      vprint_status("Nonce: #{rdata["digest"]["nonce"]}") if datastore["DELAY"] != "0" and rdata != nil and rdata["digest"] != nil
       break if rdebug.length > 9
     end
 
@@ -602,31 +630,46 @@ def auth_calc(digestopts)
     cnonce=Rex::Text.rand_text_alphanumeric(10)
     nc="00000001"
 
-    if digestopts['algorithm'] == 'MD5-sess'
-      h1 = Digest::MD5.hexdigest("#{digestopts['username']}:#{digestopts['realm']}:#{digestopts['password']}")
-      hash1 = Digest::MD5.hexdigest("#{h1}:#{digestopts['nonce']}:#{cnonce}")
+    case digestopts['algorithm']
+      when 'MD5-sess'
+        h1 = Digest::MD5.hexdigest("#{digestopts['username']}:#{digestopts['realm']}:#{digestopts['password']}")
+        hash1 = Digest::MD5.hexdigest("#{h1}:#{digestopts['nonce']}:#{cnonce}")
+      when 'MD5'
+        hash1 = Digest::MD5.hexdigest("#{digestopts['username']}:#{digestopts['realm']}:#{digestopts['password']}")
     else
-      hash1 = Digest::MD5.hexdigest("#{digestopts['username']}:#{digestopts['realm']}:#{digestopts['password']}")
+      print_error("ERROR 1: UNKNOWN ALGORITHM REQUESTED IN THE AUTHENTICATION")
+      return
     end
 
-    hash2 = Digest::MD5.hexdigest("#{digestopts['req_type']}:#{digestopts['uri']}")
 
-    if digestopts['qop'] =~ /auth/
-      response=Digest::MD5.hexdigest("#{hash1}:#{digestopts['nonce']}:#{nc}:#{cnonce}:#{digestopts['qop']}:#{hash2}")
-    else
-      response=Digest::MD5.hexdigest("#{hash1}:#{digestopts['nonce']}:#{hash2}")
+    case digestopts['qop']
+      when "auth"
+        hash2 = Digest::MD5.hexdigest("#{digestopts['req_type']}:#{digestopts['uri']}")
+        response=Digest::MD5.hexdigest("#{hash1}:#{digestopts['nonce']}:#{nc}:#{cnonce}:#{digestopts['qop']}:#{hash2}")
+      when "auth-in"
+        # HA2=MD5(method:digestURI:MD5(entityBody))
+        print_error("ERROR 2: ONLY AUTH-INT REQUESTED IN THE AUTHENTICATION")
+        return
+      else
+        hash2 = Digest::MD5.hexdigest("#{digestopts['req_type']}:#{digestopts['uri']}")
+        response=Digest::MD5.hexdigest("#{hash1}:#{digestopts['nonce']}:#{hash2}")
     end
 
+
     authdata = "username=\"#{digestopts['username']}\", realm=\"#{digestopts['realm']}\", nonce=\"#{digestopts['nonce']}\", uri=\"#{digestopts['uri']}\", response=\"#{response}\""
     if digestopts['algorithm']
       authdata << ", algorithm=#{digestopts['algorithm']}"
     else
       authdata << ", algorithm=MD5"
     end
-    authdata << ", cnonce=\"#{cnonce}\"" if digestopts['algorithm'] == "MD5-sess" or digestopts['qop'] =~ /auth/
-    authdata << ", qop=#{digestopts['qop']}, nc=#{nc}" if digestopts['qop'] =~ /auth/
+
+
+    #There could be a bug here. This will be tested for the multiple QOP options.
+    #authdata << ", qop=#{digestopts['qop']}, nc=#{nc}" if digestopts['qop'] =~ /auth/
+    authdata << ", cnonce=\"#{cnonce}\", qop=\"auth\", nc=\"#{nc}\"" if digestopts['algorithm'] == "MD5-sess" or digestopts['qop'] == "auth"
 
     return authdata
+
   end
 
 
@@ -921,7 +964,7 @@ def getcustomheaders
 
       pid = pid+"@"+self.dest_addr if ! (pid =~ /@/)
 
-      customheader << "P-Asserted-Identity: <sip:#{pid}>;party=called;screen=no;privacy=off\r\n"
+      customheader << "P-Asserted-Identity: <sip:#{pid}>;party=called;screen=yes;privacy=off\r\n"
     end
 
     if datastore['Remote-Party-ID'] != nil
@@ -936,7 +979,7 @@ def getcustomheaders
 
       pid = pid+"@"+self.dest_addr if ! (pid =~ /@/)
 
-      customheader << "Remote-Party-ID: <sip:#{pid}>;party=called;screen=no;privacy=off\r\n"
+      customheader << "Remote-Party-ID: <sip:#{pid}>;party=called;screen=yes;privacy=off\r\n"
     end
 
 
@@ -947,33 +990,30 @@ def getcustomheaders
     return customheader
   end
 
-
+  #There is a Bug in this function for WWW-Authentication !!!!!
   # Parse the authentication
   def parse_auth(data)
     result={}
-    str=""
+    str = ""
     var = nil
     quote = 0
     data.each_char { |c|
       quote += 1 if c == '"'
       if c == "="
-        var = str
+        var = str.gsub(" ","")
         val = nil
         str = ""
       else
-        case quote
-          when 0
-            if c != ","
+        if quote % 2 == 0
+            if c != "," and c != '"'
               str << c
             else
               result[var]=str
               var = nil
               str = ""
             end
-          when 1
-            str << c if c != '"'
-          when 2
-            quote = 0
+        else
+            str << c if c != '"' and c != '"'
         end
       end
     }

diff --git a/modules/auxiliary/voip/viproy_sip_bruteforce.rb b/modules/auxiliary/voip/viproy_sip_bruteforce.rb
@@ -42,10 +42,11 @@ def initialize
     [
       Opt::CHOST,
       Opt::CPORT(5065),
+      OptString.new('DELAY',   [true, 'Delay in seconds',"0"]),
       OptString.new('USERAGENT',   [ false, "SIP user agent" ]),
       OptBool.new('USER_AS_FROM_and_TO', [true, 'Try the username as the from/to for all users', true]),
       OptBool.new('DEREGISTER', [true, 'De-Register After Successful Login', false]),
-      OptString.new('REALM',   [ true, "The login realm to probe", "realm.com.tr"]),
+      OptString.new('REALM',   [ false, "The login realm to probe at each host", nil]),
       OptString.new('TO',   [ false, "The destination username to probe", "1000"]),
       OptString.new('FROM',   [ false, "The source username to probe", "1000"]),
       OptString.new('MACADDRESS',   [ false, "MAC Address for Vendor", "000000000000"]),
@@ -65,7 +66,7 @@ def run
     # Socket parameters
     sockinfo["listen_addr"] = datastore['CHOST']
     sockinfo["listen_port"] = datastore['CPORT']
-    sockinfo["dest_addr"] =datastore['RHOST']
+    sockinfo["dest_addr"] = dest_addr = datastore['RHOST']
     sockinfo["dest_port"] = datastore['RPORT']
 
     method = datastore['METHOD']
@@ -106,6 +107,7 @@ def run
   def do_login(user,password,from,to,dest_addr,method)
 
     realm = datastore['REALM']
+    Rex.sleep(datastore['DELAY'].to_i)
 
     results = send_register(
       'login'  	  => true,
@@ -128,8 +130,9 @@ def do_login(user,password,from,to,dest_addr,method)
 
       if datastore['DEBUG'] != true
         # reporting the validated credentials
-        res=report_creds(user,password,results["status"])
-        print_good(res.gsub("\tC","C"))
+        res=report_creds(user,password,realm,results["status"])
+        #print_good(res.gsub("\tC","C"))
+        print_good("IP:Realm: #{dest_addr}:#{realm}\t User: #{user} \tPassword: #{password} \tResult: #{convert_error(results["status"])}")
       end
 
       # Sending de-register
@@ -147,7 +150,7 @@ def do_login(user,password,from,to,dest_addr,method)
       end
     else
       if results["rdata"] !=nil
-        vprint_status("User: #{user} \tPassword: #{password} \tResult: #{convert_error(results["status"])}")
+        print_status("IP:Realm: #{dest_addr}:#{realm}\t User: #{user} \tPassword: #{password} \tResult: #{convert_error(results["status"])}")
       else
         vprint_status("No response received from #{dest_addr}")
       end