A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

> Related blog:

## Usage
The help statement of the tool is as below:
$ ./pewswitch --help

     ___    .        ____       _ __      __
    / _ \___|\    __/ __/|   __(_) /_____/ /
   / ___/ -_) |/|/ /\ \| |/|/ / / __/ __/ _ \
  /_/   \__/|__,__/___/|__,__/_/\__/\__/_//_/  v0.1

       "where we pew pew pew freeswitch"

Usage of ./pewswitch:
  -cve string
        Specify a specific CVE to scan. Both vulns are tested by default.
  -delay int
        Delay in seconds between subsequent requests. (default 0)
  -events string
        Comma-separated list of events to be subscribed to. All events are monitored by default.
  -expires int
        Maximum value of the 'Expires' header for SUBSCRIBE requests. (default 60)
  -ext-file string
        Specify a file containing extensions instead of '-exts'.
  -exts string
        Comma separated list of extensions to scan.
  -msg-file string
        Specify a CSV file containing messages to be sent (if found vulnerable to CVE-2021-37624).
  -out-dir string
        Output directory to write the results to. (default "./pewswitch-results/")
  -out-format string
        Output format type of the results. Can be either 'json' or 'csv'. (default "json")
  -threads int
        Number of threads to use while scanning. (default 2)
  -user-agent string
        Custom user-agent string to use. (default "pewswitch/0.1")

### Scanning for a specific vulnerability
By default the tool scans for both vulnerabilites. If you want to test for a specific vulnerability, you can use the `-cve` flag to test for a specific vulnerability.

./pewswitch -cve 'cve-2021-37624' -exts 1000

### Specifying extensions
To specify extensions, you can choose either of the methods:
- Specify a comma separated list of extensions via the `-exts` argument.

    ./pewswitch -exts 1000,1001
    This will make the tool to test for combinations of pairs for each extension with every host. So the end targets that will be tested in the above command are: ``, ``, `` and ``.

- Specify a file containing extensions. Note that when using a file, you need to specify both user and host. This is especially useful when you have to test specific extensions on specific servers. An example of such a file (e.g. [`extensions-sample.txt`](extensions-sample.txt)) could look like this:

    ./pewswitch -ext-file extensions-sample.txt

Note that if any port is not specified with the host, port 5060 will be used by default as the destination port.

### Output
The tool can output in 2 different formats, namely JSON and CSV. The default output format is JSON. Output format can be changed using the `-out-format` switch.

./pewswitch -exts 1000 -out-format csv 

You can find samples of reports in [`json`](pewswitch-results/sample-report.json) as well as [`csv`](pewswitch-results/sample-report.csv) format in the `./pewswitch-results/` directory.

The destination output directory can be changed using the `-out-dir` argument. By default the output directory is `./pewswitch-results/` which is created in the current working directory while running the tool.

./pewswitch -ext-file extensions-sample.txt -out-dir /tmp

### Request Specific Settings
There are some additional packet specific settings in the tool that allows customization of requests during vulnerability validation/exploitation.

#### MESSAGE packets
If a server is found _vulnerable_ to CVE-2021-37624, by default a sample message from name `FBI` and number `022-324-3000` is sent to the target extension. The contents of the message looks like this: `FBI here. Open your door!`

This behaviour can be changed by making use of the `-msg-file` argument. This accepts a CSV file containing the name of the sender, the phone number and lastly the message contents to be sent. An example of such a file is [`messages-sample.csv`](messages-sample.csv).
FBI,022-324-3000,FBI here. Open your door!
0xInfection,000-000-0000,Hi. Just confirming the vulnerability.
./pewswitch -cve 'cve-2021-27624' -msg-file messages-sample.csv -exts 1000 

#### SUBSCRIBE requests
By default, the tool sends SUBSCRIBE requests with a `Expires` header set at 60 seconds. It is for the same time-frame the tool will continue to listen for NOTIFY messages from the server. The value can be changed by making use of the `-expires` flag. 

./pewswitch -expires 600 -ext-file extensions-sample.txt

The tool also monitors for NOTIFY messages by subscribing to *__all__* events. A list of all events is below:
- `talk`
- `hold`
- `conference`
- `as-feature-event`
- `dialog`
- `line-seize`
- `call-info`
- `sla`
- `include-session-description`
- `presence`
- `presence.winfo`
- `message-summary`
- `refer`

This behaviour can be changed by the `-events` flag which takes a comma separated list of events to monitor. Example:
./pewswitch -cve 'cve-2021-41157' -events message-summary,presence -exts 1000,1002

### Setup
You can make use of the pre-built binaries from the [Releases]( section. Or, if you prefer to compile the code yourself, you'll need Go > 1.13. To build the tool, you can run `go build` which will give you a binary to run.

### Version and License
The tool is available under MIT License. Feel free to do whatever you want to do with it. :)

Currently, PewSWITCH is at v0.1.

### Bugs and features requests
New requests and features? Feel free to create an [issue]( or a [pull request](

If you have anything to discuss you can reach out to me via twitter/email on my profile.

> Created with โ™ก by [Pinaki](