Module: Msf::Exploit::Remote::Asterisk

Includes:
Auxiliary::Report, Tcp
Defined in:
lib/msf/core/exploit/remote/asterisk.rb

Instance Attribute Summary

Attributes included from Tcp

#sock

Instance Method Summary

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Method Details

#get_asterisk_version ⇒ Gem::Version

Attempt to get the asterisk version number

Returns:

  • (Gem::Version)

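    Version reported by the server, or false on error. Note that the listing below returns the matched version as a String (via Regexp.last_match), not as a Gem::Version object.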



# File 'lib/msf/core/exploit/remote/asterisk.rb', line 47

# Ask the AMI endpoint for its Asterisk version using `core show version`.
#
# Sends a `command` action through #send_command and extracts the version
# from the `Output: Asterisk <version> built ...` line of the reply.
#
# The returned text is whatever the remote server put between "Asterisk "
# and " built"; it is not validated here, so callers that need to compare
# versions should parse it themselves and handle malformed values.
#
# @return [String, false] the captured version text, or false when the reply
#   contains "Response: Error" or has no matching Output line
def get_asterisk_version
  vprint_status 'Checking Asterisk version'

  # Header lines are CRLF-terminated and the frame ends with an empty line.
  request = ['action: command', 'command: core show version', '', ''].join("\r\n")
  reply = send_command request

  return false if reply =~ /Response: Error/

  # Expected reply shape:
  #   Response: Success
  #   Message: Command output follows
  #   Output: Asterisk 19.8.0 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2023-01-16 07:07:49 UTC
  #
  # https://rubular.com/r/e2LvocVBeKaiVo
  return false unless reply =~ /^Output: Asterisk (.*?) built/

  ::Regexp.last_match(1)
end

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/asterisk.rb', line 8

# Set up the mixin and register the datastore options it relies on.
#
# Registers RPORT with a default of 5038 plus the USERNAME and PASSWORD
# string options; both credentials are marked required and default to an
# empty string.
#
# @param info [Hash] module information, passed through to super unchanged
def initialize(info = {})
  super

  ami_options = [
    Opt::RPORT(5038),
    OptString.new('USERNAME', [true, 'The username for Asterisk Access', '']),
    OptString.new('PASSWORD', [true, 'The password for the specified username', ''])
  ]

  register_options(ami_options, self.class)
end

#login(username, password) ⇒ Boolean

Handler for logging in to AMI

Parameters:

  • username (String)

    username of the user

  • password (String)

    password of the user

Returns:

  • (Boolean)

    true on success, false on failure



# File 'lib/msf/core/exploit/remote/asterisk.rb', line 77

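# Handler for logging in to AMI.
#
# Builds a `login` action frame, sends it with #send_command and treats a
# reply containing "Response: Success" as a successful authentication. On
# success the credential and the service are recorded through #report_cred
# and #report_service. Only the username is printed; the password is not.
#
# NOTE(review): username and password are interpolated into the frame
# verbatim. A value containing CR or LF would add extra header lines to the
# request, so callers should pass single-line values.
#
# @param username [String] username of the user
# @param password [String] password of the user
# @return [Boolean] true on success, false on failure
def login(username, password)
  vprint_status "Authenticating as '#{username}'"

  req = "action: login\r\n"
  req << "username: #{username}\r\n"
  req << "secret: #{password}\r\n"
  req << "events: off\r\n"
  req << "\r\n"
  res = send_command req

  return false unless res =~ /Response: Success/

  # report_cred reads opts[:username]; passing the name under :user left the
  # stored credential without a username.
  report_cred username: username,
              password: password,
              proof: 'Response: Success'

  report_service host: rhost,
                 port: rport,
                 proto: 'tcp',
                 name: 'asterisk'
  true
end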

#report_cred(opts) ⇒ Object



# File 'lib/msf/core/exploit/remote/asterisk.rb', line 100

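# Record a credential and an associated login entry for the service at
# rhost:rport in the current workspace.
#
# The credential core is created with #create_credential and then attached
# to a login record with #create_credential_login. The listing on this page
# had lost the name of the login hash and the final call; both are restored
# here.
#
# NOTE(review): the login is stored with status UNTRIED even though the only
# caller shown on this page reports it after a "Response: Success" reply.
# Confirm whether a successful status is intended. Also note that the service
# name here is 'asterisk_manager' while #login reports the service as
# 'asterisk'.
#
# @param opts [Hash] credential details
# @option opts [String] :username account name (:user is accepted as a
#   fallback for callers that pass that key instead)
# @option opts [String] :password password stored as the private data
# @option opts [String] :proof evidence string stored on the login record
# @return [Object] whatever #create_credential_login returns
def report_cred(opts)
  service_data = {
    address: rhost,
    port: rport,
    service_name: 'asterisk_manager',
    protocol: 'tcp',
    workspace_id: myworkspace_id
  }

  credential_data = {
    origin_type: :service,
    module_fullname: fullname,
    # Fall back to :user so the credential is not stored without a username.
    username: opts[:username] || opts[:user],
    private_data: opts[:password],
    private_type: :password
  }.merge service_data

  login_data = {
    core: create_credential(credential_data),
    status: Metasploit::Model::Login::Status::UNTRIED,
    proof: opts[:proof]
  }.merge service_data

  create_credential_login login_data
end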

#send_command(cmd = '') ⇒ String

Handler for sending AMI commands

Parameters:

  • cmd (String) (defaults to: '')

    command to send

Returns:

  • (String)

    response from the server



# File 'lib/msf/core/exploit/remote/asterisk.rb', line 26

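# Handler for sending AMI commands.
#
# Writes the frame to the socket, then reads until the reply contains an
# empty line (the end of an AMI response) or the overall time limit expires.
#
# Reading stops early when the socket yields nil, and whatever was received
# so far is returned. Previously a nil chunk was appended to the buffer,
# which raised a TypeError, discarded the partial reply and printed a
# misleading conversion error.
#
# @param cmd [String] command to send
# @return [String, nil] response from the server; nil after a timeout or any
#   other error, both of which are reported with print_error
def send_command(cmd = '')
  # Assigned before any I/O so the rescue message always has a value.
  timeout = 15
  sock.put cmd

  res = ''
  Timeout.timeout(timeout) do
    until res =~ /\r?\n\r?\n/
      chunk = sock.get_once
      # No more data to read: return the partial reply instead of failing.
      break if chunk.nil?

      res << chunk
    end
  end

  res
rescue Timeout::Error
  print_error "Timeout (#{timeout} seconds)"
  nil
rescue StandardError => e
  print_error e.message
  nil
end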