A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.
Related blog: https://0xinfection.github.io/posts/analyzing-freeswitch-vulns/
The help statement of the tool is as below:
$ ./pewswitch --help
___ . ____ _ __ __
/ _ \___|\ __/ __/| __(_) /_____/ /
/ ___/ -_) |/|/ /\ \| |/|/ / / __/ __/ _ \
/_/ \__/|__,__/___/|__,__/_/\__/\__/_//_/ v0.1
"where we pew pew pew freeswitch"
Usage of ./pewswitch:
-cve string
Specify a specific CVE to scan. Both vulns are tested by default.
-delay int
Delay in seconds between subsequent requests. (default 0)
-events string
Comma-separated list of events to be subscribed to. All events are monitored by default.
-expires int
Maximum value of the 'Expires' header for SUBSCRIBE requests. (default 60)
-ext-file string
Specify a file containing extensions instead of '-exts'.
-exts string
Comma separated list of extensions to scan.
-msg-file string
Specify a CSV file containing messages to be sent (if found vulnerable to CVE-2021-37624).
-out-dir string
Output directory to write the results to. (default "./pewswitch-results/")
-out-format string
Output format type of the results. Can be either 'json' or 'csv'. (default "json")
-threads int
Number of threads to use while scanning. (default 2)
-user-agent string
Custom user-agent string to use. (default "pewswitch/0.1")
By default the tool scans for both vulnerabilites. If you want to test for a specific vulnerability, you can use the -cve
flag to test for a specific vulnerability.
Example:
./pewswitch -cve 'cve-2021-37624' -exts 1000 freeserver.voip.com
To specify extensions, you can choose either of the methods:
-
Specify a comma separated list of extensions via the
-exts
argument.Example:
./pewswitch -exts 1000,1001 freeserver.voip.com freeserver1.voip.com:5060
This will make the tool to test for combinations of pairs for each extension with every host. So the end targets that will be tested in the above command are:
[email protected]
,[email protected]
,[email protected]:5060
and[email protected]:5060
. -
Specify a file containing extensions. Note that when using a file, you need to specify both user and host. This is especially useful when you have to test specific extensions on specific servers. An example of such a file (e.g.
extensions-sample.txt
) could look like this:[email protected] [email protected]:5060 [email protected]:5660 ...
Example:
./pewswitch -ext-file extensions-sample.txt
Note that if any port is not specified with the host, port 5060 will be used by default as the destination port.
The tool can output in 2 different formats, namely JSON and CSV. The default output format is JSON. Output format can be changed using the -out-format
switch.
Example:
./pewswitch -exts 1000 -out-format csv freeserver.voip.com
You can find samples of reports in json
as well as csv
format in the ./pewswitch-results/
directory.
The destination output directory can be changed using the -out-dir
argument. By default the output directory is ./pewswitch-results/
which is created in the current working directory while running the tool.
Example:
./pewswitch -ext-file extensions-sample.txt -out-dir /tmp
There are some additional packet specific settings in the tool that allows customization of requests during vulnerability validation/exploitation.
If a server is found vulnerable to CVE-2021-37624, by default a sample message from name FBI
and number 022-324-3000
is sent to the target extension. The contents of the message looks like this: FBI here. Open your door!
This behaviour can be changed by making use of the -msg-file
argument. This accepts a CSV file containing the name of the sender, the phone number and lastly the message contents to be sent. An example of such a file is messages-sample.csv
.
sender_name,sender_phone,message
FBI,022-324-3000,FBI here. Open your door!
0xInfection,000-000-0000,Hi. Just confirming the vulnerability.
SPAMMY SALESMAN,BAD-GUY-9999,BUY MY STUFF!
Example:
./pewswitch -cve 'cve-2021-27624' -msg-file messages-sample.csv -exts 1000 freeserver.voip.com
By default, the tool sends SUBSCRIBE requests with a Expires
header set at 60 seconds. It is for the same time-frame the tool will continue to listen for NOTIFY messages from the server. The value can be changed by making use of the -expires
flag.
Example:
./pewswitch -expires 600 -ext-file extensions-sample.txt
The tool also monitors for NOTIFY messages by subscribing to all events. A list of all events is below:
talk
hold
conference
as-feature-event
dialog
line-seize
call-info
sla
include-session-description
presence
presence.winfo
message-summary
refer
This behaviour can be changed by the -events
flag which takes a comma separated list of events to monitor. Example:
./pewswitch -cve 'cve-2021-41157' -events message-summary,presence -exts 1000,1002 freeserver.voip.com
You can make use of the pre-built binaries from the Releases section. Or, if you prefer to compile the code yourself, you'll need Go > 1.13. To build the tool, you can run go build
which will give you a binary to run.
The tool is available under MIT License. Feel free to do whatever you want to do with it. :)
Currently, PewSWITCH is at v0.1.
New requests and features? Feel free to create an issue or a pull request.
If you have anything to discuss you can reach out to me via twitter/email on my profile.
Created with ♡ by Pinaki.