Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/0xInfection/PewSWITCH

A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.
https://github.com/0xInfection/PewSWITCH

exploitation-framework freeswitch security sip-security unauthenticated-requests voip-telephony-providers

Last synced: 3 months ago
JSON representation

A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

Host: GitHub
URL: https://github.com/0xInfection/PewSWITCH
Owner: 0xInfection
License: mit
Created: 2021-11-28T13:12:38.000Z (almost 3 years ago)
Default Branch: master
Last Pushed: 2021-12-05T16:54:16.000Z (almost 3 years ago)
Last Synced: 2024-05-13T16:33:55.800Z (6 months ago)
Topics: exploitation-framework, freeswitch, security, sip-security, unauthenticated-requests, voip-telephony-providers
Language: Go
Homepage: https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/
Size: 3.34 MB
Stars: 27
Watchers: 2
Forks: 10
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - 0xInfection/PewSWITCH - A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157. (Go)

README

# PewSWITCH
A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

> Related blog: https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/

## Usage
The help statement of the tool is as below:
```groovy
$ ./pewswitch --help

___ . ____ _ __ __
/ _ \___|\ __/ __/| __(_) /_____/ /
/ ___/ -_) |/|/ /\ \| |/|/ / / __/ __/ _ \
/_/ \__/|__,__/___/|__,__/_/\__/\__/_//_/ v0.1

"where we pew pew pew freeswitch"

Usage of ./pewswitch:
-cve string
Specify a specific CVE to scan. Both vulns are tested by default.
-delay int
Delay in seconds between subsequent requests. (default 0)
-events string
Comma-separated list of events to be subscribed to. All events are monitored by default.
-expires int
Maximum value of the 'Expires' header for SUBSCRIBE requests. (default 60)
-ext-file string
Specify a file containing extensions instead of '-exts'.
-exts string
Comma separated list of extensions to scan.
-msg-file string
Specify a CSV file containing messages to be sent (if found vulnerable to CVE-2021-37624).
-out-dir string
Output directory to write the results to. (default "./pewswitch-results/")
-out-format string
Output format type of the results. Can be either 'json' or 'csv'. (default "json")
-threads int
Number of threads to use while scanning. (default 2)
-user-agent string
Custom user-agent string to use. (default "pewswitch/0.1")
```

### Scanning for a specific vulnerability
By default the tool scans for both vulnerabilites. If you want to test for a specific vulnerability, you can use the `-cve` flag to test for a specific vulnerability.

Example:
```groovy
./pewswitch -cve 'cve-2021-37624' -exts 1000 freeserver.voip.com
```

### Specifying extensions
To specify extensions, you can choose either of the methods:
- Specify a comma separated list of extensions via the `-exts` argument.

Example:
```powershell
./pewswitch -exts 1000,1001 freeserver.voip.com freeserver1.voip.com:5060
```
This will make the tool to test for combinations of pairs for each extension with every host. So the end targets that will be tested in the above command are: `[email protected]`, `[email protected]`, `[email protected]:5060` and `[email protected]:5060`.

- Specify a file containing extensions. Note that when using a file, you need to specify both user and host. This is especially useful when you have to test specific extensions on specific servers. An example of such a file (e.g. [`extensions-sample.txt`](extensions-sample.txt)) could look like this:
```
[email protected]
[email protected]:5060
[email protected]:5660
...
```

Example:
```groovy
./pewswitch -ext-file extensions-sample.txt
```

Note that if any port is not specified with the host, port 5060 will be used by default as the destination port.

### Output
The tool can output in 2 different formats, namely JSON and CSV. The default output format is JSON. Output format can be changed using the `-out-format` switch.

Example:
```groovy
./pewswitch -exts 1000 -out-format csv freeserver.voip.com
```

You can find samples of reports in [`json`](pewswitch-results/sample-report.json) as well as [`csv`](pewswitch-results/sample-report.csv) format in the `./pewswitch-results/` directory.

The destination output directory can be changed using the `-out-dir` argument. By default the output directory is `./pewswitch-results/` which is created in the current working directory while running the tool.

Example:
```groovy
./pewswitch -ext-file extensions-sample.txt -out-dir /tmp
```

### Request Specific Settings
There are some additional packet specific settings in the tool that allows customization of requests during vulnerability validation/exploitation.

#### MESSAGE packets
If a server is found _vulnerable_ to CVE-2021-37624, by default a sample message from name `FBI` and number `022-324-3000` is sent to the target extension. The contents of the message looks like this: `FBI here. Open your door!`

This behaviour can be changed by making use of the `-msg-file` argument. This accepts a CSV file containing the name of the sender, the phone number and lastly the message contents to be sent. An example of such a file is [`messages-sample.csv`](messages-sample.csv).
```
sender_name,sender_phone,message
FBI,022-324-3000,FBI here. Open your door!
0xInfection,000-000-0000,Hi. Just confirming the vulnerability.
SPAMMY SALESMAN,BAD-GUY-9999,BUY MY STUFF!
```
Example:
```groovy
./pewswitch -cve 'cve-2021-27624' -msg-file messages-sample.csv -exts 1000 freeserver.voip.com
```

#### SUBSCRIBE requests
By default, the tool sends SUBSCRIBE requests with a `Expires` header set at 60 seconds. It is for the same time-frame the tool will continue to listen for NOTIFY messages from the server. The value can be changed by making use of the `-expires` flag.

Example:
```groovy
./pewswitch -expires 600 -ext-file extensions-sample.txt
```

The tool also monitors for NOTIFY messages by subscribing to *__all__* events. A list of all events is below:
- `talk`
- `hold`
- `conference`
- `as-feature-event`
- `dialog`
- `line-seize`
- `call-info`
- `sla`
- `include-session-description`
- `presence`
- `presence.winfo`
- `message-summary`
- `refer`

This behaviour can be changed by the `-events` flag which takes a comma separated list of events to monitor. Example:
```groovy
./pewswitch -cve 'cve-2021-41157' -events message-summary,presence -exts 1000,1002 freeserver.voip.com
```

### Setup
You can make use of the pre-built binaries from the [Releases](https://github.com/0xInfection/PewSWITCH/releases) section. Or, if you prefer to compile the code yourself, you'll need Go > 1.13. To build the tool, you can run `go build` which will give you a binary to run.

### Version and License
The tool is available under MIT License. Feel free to do whatever you want to do with it. :)

Currently, PewSWITCH is at v0.1.

### Bugs and features requests
New requests and features? Feel free to create an [issue](https://github.com/0xInfection/pewswitch/issues/new/) or a [pull request](https://github.com/0xInfection/pewswitch/pulls).

If you have anything to discuss you can reach out to me via twitter/email on my profile.

> Created with ♡ by [Pinaki](https://twitter.com/0xInfection).