{"id":13842076,"url":"https://github.com/0xInfection/PewSWITCH","last_synced_at":"2025-07-11T13:33:50.313Z","repository":{"id":38345098,"uuid":"432716321","full_name":"0xInfection/PewSWITCH","owner":"0xInfection","description":"A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.","archived":false,"fork":false,"pushed_at":"2021-12-05T16:54:16.000Z","size":3501,"stargazers_count":29,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-07T18:53:11.927Z","etag":null,"topics":["exploitation-framework","freeswitch","security","sip-security","unauthenticated-requests","voip-telephony-providers"],"latest_commit_sha":null,"homepage":"https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xInfection.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-28T13:12:38.000Z","updated_at":"2024-10-03T05:15:56.000Z","dependencies_parsed_at":"2022-09-05T08:00:20.917Z","dependency_job_id":null,"html_url":"https://github.com/0xInfection/PewSWITCH","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xInfection%2FPewSWITCH","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xInfection%2FPewSWITCH/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xInfection%2FPewSWITCH/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xInfection%2FPewSWITCH/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xInfection","download_url":"https://codeload.github.com/0xInfection/PewSWITCH/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729835,"owners_count":17515175,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploitation-framework","freeswitch","security","sip-security","unauthenticated-requests","voip-telephony-providers"],"created_at":"2024-08-04T17:01:26.953Z","updated_at":"2024-11-21T12:30:50.880Z","avatar_url":"https://github.com/0xInfection.png","language":"Go","readme":"# PewSWITCH\nA FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.\n\n\u003e Related blog: https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/\n\n## Usage\nThe help statement of the tool is as below:\n```groovy\n$ ./pewswitch --help\n\n     ___    .        ____       _ __      __\n    / _ \\___|\\    __/ __/|   __(_) /_____/ /\n   / ___/ -_) |/|/ /\\ \\| |/|/ / / __/ __/ _ \\\n  /_/   \\__/|__,__/___/|__,__/_/\\__/\\__/_//_/  v0.1\n\n       \"where we pew pew pew freeswitch\"\n\nUsage of ./pewswitch:\n  -cve string\n        Specify a specific CVE to scan. Both vulns are tested by default.\n  -delay int\n        Delay in seconds between subsequent requests. (default 0)\n  -events string\n        Comma-separated list of events to be subscribed to. All events are monitored by default.\n  -expires int\n        Maximum value of the 'Expires' header for SUBSCRIBE requests. 
(default 60)\n  -ext-file string\n        Specify a file containing extensions instead of '-exts'.\n  -exts string\n        Comma separated list of extensions to scan.\n  -msg-file string\n        Specify a CSV file containing messages to be sent (if found vulnerable to CVE-2021-37624).\n  -out-dir string\n        Output directory to write the results to. (default \"./pewswitch-results/\")\n  -out-format string\n        Output format type of the results. Can be either 'json' or 'csv'. (default \"json\")\n  -threads int\n        Number of threads to use while scanning. (default 2)\n  -user-agent string\n        Custom user-agent string to use. (default \"pewswitch/0.1\")\n```\n\n### Scanning for a specific vulnerability\nBy default the tool scans for both vulnerabilities. To test for only one of them, pass it with the `-cve` flag.\n\nExample:\n```groovy\n./pewswitch -cve 'cve-2021-37624' -exts 1000 freeserver.voip.com\n```\n\n### Specifying extensions\nTo specify extensions, you can choose either of these methods:\n- Specify a comma separated list of extensions via the `-exts` argument.\n\n    Example:\n    ```powershell\n    ./pewswitch -exts 1000,1001 freeserver.voip.com freeserver1.voip.com:5060\n    ```\n    This makes the tool test every extension against every host. So the end targets that will be tested in the above command are: `1000@freeserver.voip.com`, `1001@freeserver.voip.com`, `1000@freeserver1.voip.com:5060` and `1001@freeserver1.voip.com:5060`.\n\n- Specify a file containing extensions. Note that when using a file, you need to specify both user and host. This is especially useful when you have to test specific extensions on specific servers. An example of such a file (e.g. 
[`extensions-sample.txt`](extensions-sample.txt)) could look like this:\n    ```\n    1000@freeserver.voip.com\n    1001@freeserver1.voip.com:5060\n    1002@freeserver01.voip.com:5660\n    ...\n    ```\n\n    Example:\n    ```groovy\n    ./pewswitch -ext-file extensions-sample.txt\n    ```\n\nNote that if no port is specified with the host, port 5060 is used as the default destination port.\n\n### Output\nThe tool can output in 2 different formats, namely JSON and CSV. The default output format is JSON. The output format can be changed using the `-out-format` switch.\n\nExample:\n```groovy\n./pewswitch -exts 1000 -out-format csv freeserver.voip.com \n```\n\nYou can find samples of reports in [`json`](pewswitch-results/sample-report.json) as well as [`csv`](pewswitch-results/sample-report.csv) format in the `./pewswitch-results/` directory.\n\nThe destination output directory can be changed using the `-out-dir` argument. By default the output directory is `./pewswitch-results/`, which is created in the current working directory while running the tool.\n\nExample:\n```groovy\n./pewswitch -ext-file extensions-sample.txt -out-dir /tmp\n```\n\n### Request Specific Settings\nThere are some additional packet specific settings in the tool that allow customization of requests during vulnerability validation/exploitation.\n\n#### MESSAGE packets\nIf a server is found _vulnerable_ to CVE-2021-37624, by default a sample message from name `FBI` and number `022-324-3000` is sent to the target extension. The contents of the message look like this: `FBI here. Open your door!`\n\nThis behaviour can be changed by making use of the `-msg-file` argument. This accepts a CSV file containing the name of the sender, the phone number and lastly the message contents to be sent. An example of such a file is [`messages-sample.csv`](messages-sample.csv).\n```\nsender_name,sender_phone,message\nFBI,022-324-3000,FBI here. Open your door!\n0xInfection,000-000-0000,Hi. 
Just confirming the vulnerability.\nSPAMMY SALESMAN,BAD-GUY-9999,BUY MY STUFF!\n```\nExample:\n```groovy\n./pewswitch -cve 'cve-2021-37624' -msg-file messages-sample.csv -exts 1000 freeserver.voip.com \n```\n\n#### SUBSCRIBE requests\nBy default, the tool sends SUBSCRIBE requests with an `Expires` header set at 60 seconds. The tool continues to listen for NOTIFY messages from the server for the same time frame. The value can be changed by making use of the `-expires` flag. \n\nExample:\n```groovy\n./pewswitch -expires 600 -ext-file extensions-sample.txt\n```\n\nThe tool also monitors for NOTIFY messages by subscribing to *__all__* events. A list of all events is below:\n- `talk`\n- `hold`\n- `conference`\n- `as-feature-event`\n- `dialog`\n- `line-seize`\n- `call-info`\n- `sla`\n- `include-session-description`\n- `presence`\n- `presence.winfo`\n- `message-summary`\n- `refer`\n\nThis behaviour can be changed by the `-events` flag, which takes a comma separated list of events to monitor. Example:\n```groovy\n./pewswitch -cve 'cve-2021-41157' -events message-summary,presence -exts 1000,1002 freeserver.voip.com\n```\n\n### Setup\nYou can make use of the pre-built binaries from the [Releases](https://github.com/0xInfection/PewSWITCH/releases) section. Or, if you prefer to compile the code yourself, you'll need Go \u003e 1.13. To build the tool, you can run `go build` which will give you a binary to run.\n\n### Version and License\nThe tool is available under MIT License. Feel free to do whatever you want to do with it. :)\n\nCurrently, PewSWITCH is at v0.1.\n\n### Bugs and feature requests\nNew requests and features? 
Feel free to create an [issue](https://github.com/0xInfection/pewswitch/issues/new/) or a [pull request](https://github.com/0xInfection/pewswitch/pulls).\n\nIf you have anything to discuss you can reach out to me via twitter/email on my profile.\n\n\u003e Created with ♡ by [Pinaki](https://twitter.com/0xInfection).","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xInfection%2FPewSWITCH","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xInfection%2FPewSWITCH","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xInfection%2FPewSWITCH/lists"}