path: root/nselib/iax2.lua
blob: cb6a9ad833a6ccad21416c2a7581d61e06cff588 (plain)
---
-- A minimalistic Asterisk IAX2 (Inter-Asterisk eXchange v2) VoIP protocol implementation.
-- The library implements the minimum needed to perform brute force password guessing.
--
-- @author Patrik Karlsson <patrik@cqure.net>
--

local math = require "math"
local nmap = require "nmap"
local os = require "os"
local stdnse = require "stdnse"
local string = require "string"
local openssl = stdnse.silent_require "openssl"
local table = require "table"
_ENV = stdnse.module("iax2", stdnse.seeall)


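-- IAX2 protocol constants together with the Header, Request and Response
-- frame classes. Only "full" frames (first bit of the frame set) are handled.
IAX2 = {

  FrameType = {
    IAX = 6,
  },

  SubClass = {
    ACK = 0x04,
    REGACK = 0x0f,
    REGREJ = 0x10,
    REGREL = 0x11,
    CALLTOKEN = 0x28,
  },

  InfoElement = {
    USERNAME = 0x06,
    CHALLENGE = 0x0f,
    MD5_RESULT = 0x10,
    CALLTOKEN = 0x36,
  },

  PacketType = {
    FULL = 1,
  },

  -- The IAX2 Header
  --
  -- On the wire a full-frame header is 12 bytes, big endian:
  --   2 bytes  full-frame bit (0x8000) + 15-bit source call number
  --   2 bytes  retransmission bit (0x8000) + 15-bit destination call number
  --   4 bytes  timestamp
  --   1 byte each: oseqno, iseqno, frametype, subclass
  Header = {

    -- Creates a new Header instance
    -- @param src_call number containing the source call
    -- @param dst_call number containing the dest call
    -- @param timestamp number containing a timestamp
    -- @param oseqno number containing the seqno of outgoing packets
    -- @param iseqno number containing the seqno of incoming packets
    -- @param frametype number containing the frame type
    -- @param subclass number containing the subclass type
    -- @return o instance of Header
    new = function(self, src_call, dst_call, timestamp, oseqno, iseqno, frametype, subclass)
      local o = {
        type = IAX2.PacketType.FULL,
        retrans = false,
        src_call = src_call,
        dst_call = dst_call,
        timestamp = timestamp,
        oseqno = oseqno,
        iseqno = iseqno,
        frametype = frametype,
        subclass = subclass,
      }
      setmetatable(o, self)
      self.__index = self
      return o
    end,

    -- Parses data, a byte string, and creates a new Header instance
    -- @param data string containing the raw datagram received from the peer
    -- @return header instance of Header, or nil if data is not a string,
    --         is shorter than a full-frame header, or is not a full frame
    parse = function(data)
      -- The datagram comes straight off the network: make sure all 12
      -- header bytes are present so string.unpack cannot raise on it.
      if ( type(data) ~= "string" or #data < 12 ) then
        stdnse.debug2("IAX2 frame too short to contain a full header")
        return
      end

      local frame_type = string.unpack("B", data)
      if ( (frame_type & 0x80) == 0 ) then
        stdnse.debug2("Frametype %x not supported", frame_type)
        return
      end

      local src_raw, dst_raw, timestamp, oseqno, iseqno, frametype, subclass =
        string.unpack(">I2I2I4BBBB", data)

      local header = IAX2.Header:new(src_raw & 0x7FFF, dst_raw & 0x7FFF,
        timestamp, oseqno, iseqno, frametype, subclass)
      header.type = IAX2.PacketType.FULL

      -- The top bit of the destination call word is the retransmission
      -- flag. Masking with 0x8000 yields either 0 or 0x8000, so test for
      -- non-zero (comparing the masked value against 8 can never match).
      if ( (dst_raw & 0x8000) ~= 0 ) then
        header.retrans = true
      end

      return header
    end,

    -- Converts the instance to a string
    -- @return str containing the instance
    __tostring = function(self)
      -- Call numbers occupy 15 bits, so 32767 itself is still valid.
      assert(self.src_call <= 32767, "Source call exceeds 32767")
      assert(self.dst_call <= 32767, "Dest call exceeds 32767")
      local src_call = self.src_call
      local dst_call = self.dst_call
      if ( self.type == IAX2.PacketType.FULL ) then
        -- set the full-frame bit
        src_call = src_call + 32768
      end
      if ( self.retrans ) then
        -- set the retransmission bit
        dst_call = dst_call + 32768
      end
      return string.pack(">I2I2 I4BBBB", src_call, dst_call, self.timestamp,
        self.oseqno, self.iseqno, self.frametype, self.subclass)
    end,
  },

  -- The IAX2 Request class
  Request = {

    -- Creates a new instance
    -- @param header instance of Header
    -- @return o instance of Request
    new = function(self, header)
      local o = {
        header = header,
        ies = {}
      }
      setmetatable(o, self)
      self.__index = self
      return o
    end,

    -- Sets an Info Element or adds one, in case it's missing
    -- @param key the key value of the IE to add
    -- @param value string containing the value to set or add
    setIE = function(self, key, value)
      local found = false
      for _, ie in ipairs(self.ies or {}) do
        if ( key == ie.type ) then
          ie.value = value
          found = true
        end
      end
      -- Only append when no element of this type exists yet; appending
      -- unconditionally would emit the same IE twice on the wire.
      if ( not(found) ) then
        table.insert(self.ies, { type = key, value = value } )
      end
    end,

    -- Gets an information element
    -- @param key number containing the element number to retrieve
    -- @return ie table containing the info element if it exists
    getIE = function(self, key)
      for _, ie in ipairs(self.ies or {}) do
        if ( key == ie.type ) then
          return ie
        end
      end
    end,

    -- Converts the instance to a string
    -- @return str containing the serialized header followed by each IE
    --         encoded as a type byte, a length byte and the value
    __tostring = function(self)
      local data = {}
      for _, ie in ipairs(self.ies) do
        data[#data+1] = string.pack("Bs1", ie.type, ie.value )
      end

      return tostring(self.header) .. table.concat(data)
    end,

  },


  -- The IAX2 Response
  Response = {

    -- Creates a new instance
    -- @return o instance of Response
    new = function(self)
      local o = { ies = {} }
      setmetatable(o, self)
      self.__index = self
      return o
    end,

    -- Sets an Info Element or adds one, in case it's missing
    -- @param key the key value of the IE to add
    -- @param value string containing the value to set or add
    setIE = function(self, key, value)
      local found = false
      for _, ie in ipairs(self.ies or {}) do
        if ( key == ie.type ) then
          ie.value = value
          found = true
        end
      end
      -- Only append when no element of this type exists yet.
      if ( not(found) ) then
        table.insert(self.ies, { type = key, value = value } )
      end
    end,

    -- Gets an information element
    -- @param key number containing the element number to retrieve
    -- @return ie table containing the info element if it exists
    getIE = function(self, key)
      for _, ie in ipairs(self.ies or {}) do
        if ( key == ie.type ) then
          return ie
        end
      end
    end,

    -- Parses data, a byte string, and creates a response
    -- @param data string containing the raw datagram received from the peer
    -- @return resp instance of response, or nil if the header could not be
    --         parsed or an information element runs past the end of data
    parse = function(data)
      local header = IAX2.Header.parse(data)
      if ( not(header) ) then return end

      local resp = IAX2.Response:new()
      resp.header = header

      -- Information elements start right after the 12-byte header. A frame
      -- may legitimately carry none, so test the bound before reading.
      local pos = 13
      local len = #data
      while ( pos <= len ) do
        -- each IE needs at least a type byte and a length byte
        if ( pos + 1 > len ) then
          stdnse.debug2("Truncated information element at offset %d", pos)
          return
        end
        local ie_type, ie_len = string.unpack("BB", data, pos)
        -- the peer-supplied length must fit inside the datagram
        if ( pos + 1 + ie_len > len ) then
          stdnse.debug2("Information element at offset %d exceeds frame length", pos)
          return
        end
        resp.ies[#resp.ies + 1] = {
          type = ie_type,
          value = string.sub(data, pos + 2, pos + 1 + ie_len),
        }
        pos = pos + 2 + ie_len
      end
      return resp
    end,

  }

}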


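-- Parses a received datagram without letting a malformed one raise.
-- @param data string containing the raw datagram
-- @return resp instance of IAX2.Response, or nil if parsing failed
local function parse_response(data)
  local ok, resp = pcall(IAX2.Response.parse, data)
  if ( not(ok) ) then
    stdnse.debug2("Failed to parse IAX2 response: %s", tostring(resp))
    return nil
  end
  return resp
end

-- Helper wraps a UDP socket and drives the IAX2 exchanges needed by scripts.
Helper = {

  -- Creates a new Helper instance
  -- @param host table as received by the action method
  -- @param port table as received by the action method
  -- @param options table containing helper options, currently
  --        <code>timeout</code> socket timeout in ms
  -- @return o instance of Helper
  new = function(self, host, port, options)
    local o = { host = host, port = port, options = options or {} }
    setmetatable(o, self)
    self.__index = self
    return o
  end,

  -- Connects the UDP socket to the server
  -- The socket timeout defaults to 5000 ms when options.timeout is unset.
  -- @return status true on success, false on failure
  -- @return err message containing error if status is false
  connect = function(self)
    self.socket = nmap.new_socket()
    self.socket:set_timeout(self.options.timeout or 5000)
    return self.socket:connect(self.host, self.port)
  end,

  -- Sends a request to the server and receives the response
  -- @param req instance containing the request to send to the server
  -- @return status true on success, false on failure
  -- @return resp instance of response on success,
  --         err containing the error message on failure
  exch = function(self, req)
    local sent = self.socket:send(tostring(req))
    if ( not(sent) ) then
      return false, "Failed to send request to server"
    end
    local received, data = self.socket:receive()
    if ( not(received) ) then
      return false, "Failed to receive response from server"
    end

    -- The reply is untrusted network data: report an unparseable frame as
    -- a failure instead of returning true with a nil response.
    local resp = parse_response(data)
    if ( not(resp) ) then
      return false, "Failed to parse response from server"
    end
    return true, resp
  end,

  -- Request a session release
  --
  -- Sends REGREL with an empty CALLTOKEN, repeats it with the token the
  -- server returned, then answers the server's challenge with the hex
  -- encoded MD5 of the challenge concatenated with the password. The
  -- password itself is never placed in a frame.
  -- @param username string containing the extension (username)
  -- @param password string containing the password
  -- @return status true if the server answered with REGACK, false otherwise
  -- @return err string containing the error message if status is false
  regRelease = function(self, username, password)

    -- Stay strictly below 32767 so the 15-bit call number can never trip
    -- the range assertion made when the header is serialized.
    local src_call = math.random(32766)
    local header = IAX2.Header:new(src_call, 0, os.time(), 0, 0, IAX2.FrameType.IAX, IAX2.SubClass.REGREL)
    local regrel = IAX2.Request:new(header)

    regrel:setIE(IAX2.InfoElement.USERNAME, username)
    regrel:setIE(IAX2.InfoElement.CALLTOKEN, "")

    local status, resp = self:exch(regrel)
    if ( not(status) ) then
      return false, resp
    end

    if ( not(resp) or IAX2.SubClass.CALLTOKEN ~= resp.header.subclass ) then
      return false, "Unexpected response"
    end

    local token = resp:getIE(IAX2.InfoElement.CALLTOKEN)
    if ( not(token) ) then
      return false, "Failed to get token"
    end

    regrel:setIE(IAX2.InfoElement.CALLTOKEN, token.value)
    status, resp = self:exch(regrel)
    if ( not(status) ) then
      return false, resp
    end

    local challenge = resp:getIE(IAX2.InfoElement.CHALLENGE)
    if ( not(challenge) ) then
      return false, "Failed to retrieve challenge from server"
    end

    -- Continue the dialogue the server opened: adopt its call number and
    -- rebuild the IE list for the authenticated REGREL.
    regrel.header.iseqno = 1
    regrel.header.oseqno = 1
    regrel.header.dst_call = resp.header.src_call
    regrel.ies = {}

    local hash = stdnse.tohex(openssl.md5(challenge.value .. password))
    regrel:setIE(IAX2.InfoElement.USERNAME, username)
    regrel:setIE(IAX2.InfoElement.MD5_RESULT, hash)

    status, resp = self:exch(regrel)
    if ( not(status) ) then
      return false, resp
    end

    -- The server may acknowledge first; the verdict is in the next frame.
    if ( IAX2.SubClass.ACK == resp.header.subclass ) then
      local data
      status, data = self.socket:receive()
      if ( not(status) ) then
        return false, "Release failed"
      end
      resp = parse_response(data)
      if ( not(resp) ) then
        return false, "Release failed"
      end
    end

    if ( IAX2.SubClass.REGACK == resp.header.subclass ) then
      return true
    end
    return false, "Release failed"
  end,

  -- Close the connection with the server
  -- @return true on success, false on failure
  close = function(self)
    return self.socket:close()
  end,


}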

-- Hand the module environment (holding IAX2 and Helper) back to require().
return _ENV