## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize super( 'Name' => 'H.323 Version Scanner', 'Version' => '$Revision: 9804 $', 'Description' => 'Detect H.323 Version.', 'Author' => 'hdm', 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(1720), ], self.class) end def run_host(ip) remote_display = nil remote_product_id = nil remote_version_id = nil remote_vendor_id = nil remote_protocol = nil begin # Wrap this in a timeout to prevent dead services from # hanging this thread. Timeout.timeout( call_timeout) do connect caller_name = "SYSTEM\x00" h323_id = Rex::Text.rand_text_alpha(3) vendor_id = Rex::Text.rand_text_alpha(32) caller_host = Rex::Socket.source_address( ip ) caller_port = rand( 32768 ) + 30000 callee_host = rhost callee_port = rport conf_guid = Rex::Text.rand_text(16) call_guid = Rex::Text.rand_text(16) pkt_setup = h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) res = sock.put(pkt_setup) rescue nil if not res disconnect return end cnt = 0 while( true ) info = read_packet break if not info # The remote side of the call disconnected us break if info[:type] == @@H323_STATUS_RELEASE_COMPLETE remote_display = info[40].strip if info[40] remote_product_id = info[:product_id].strip if info[:product_id] remote_version_id = info[:version_id].strip if info[:version_id] remote_protocol = info[:protocol_version].strip if info[:protocol_version] if info[:vendor_id] and [nil, "Unknown"].include?( remote_vendor_id ) remote_vendor_id = info[:vendor_id].strip end # Diagnostics # print_status("Host: #{rhost}:#{rport} => #{info.inspect}") # The remote side of the call was connected (kill it) break if info[:type] == @@H323_STATUS_CONNECT # Exit if we already received 5 packets from the server break if (cnt +=1) > 5 end # Make sure the call was shut down cleanly pkt_release = h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) sock.put(pkt_release) rescue nil # End timeout block end rescue ::Timeout::Error rescue ::Interrupt raise $! rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT rescue ::Exception print_error("#{rhost}:#{rport} #{$!.class} #{$!} #{$!.backtrace}") ensure disconnect end if remote_vendor_id remote_product_id = remote_product_id.to_s.gsub(/[^\x20-\x7e]/, '') remote_version_id = remote_version_id.to_s.gsub(/[^\x20-\x7e]/, '') banner = "Protocol: #{ remote_protocol } VendorID: #{ remote_vendor_id } " if remote_version_id and remote_version_id.length > 0 banner << "VersionID: #{ remote_version_id } " end if remote_product_id and remote_product_id.length > 0 banner << "ProductID: #{ remote_product_id } " end if remote_display and remote_display.length > 0 remote_display = remote_display.to_s.gsub(/[^\x20-\x7e]/, '') banner << "DisplayName: #{ remote_display }" end print_status("#{rhost}:#{rport} #{banner}") report_service(:host => rhost, :port => rport, :name => "h323", :info => banner) end end def read_packet begin ::Timeout.timeout( read_timeout ) do ver = sock.read(2) return if not (ver and ver == "\x03\x00") bin = sock.read(2) return if not bin len = [ bin.unpack("n")[0] - 4, 0 ].max return if len == 0 bin = sock.read(len) return if not bin f_desc, cref_len = bin.unpack("CC") cref_val = bin[2, cref_len] f_type = bin[2 + cref_len, 1].unpack("C")[0] return { :type => f_type, :call_ref => cref_val }.merge( read_ies(f_type, bin[ 2 + cref_len + 1, bin.length] ) ) end rescue ::Timeout::Error end nil end def read_ies(mtype, data) r = { } i = 0 while( i < (data.length - 1) ) ie_type = data[i, 1].unpack("C")[0] break if not ie_type ie_len = 0 ie_data = "" case ie_type when @@H225_IE_USER_USER ie_len = data[i+1, 2].unpack("n")[0] break if not ie_len ie_data = data[i+3, ie_len] break if not ie_data i = i + 3 + ie_len else ie_len = data[i+1, 1].unpack("C")[0] break if not ie_len ie_data = data[i+2, ie_len] break if not ie_data i = i + 2 + ie_len end r[ ie_type ] = ie_data if ie_type == @@H225_IE_USER_USER r.merge!( ( read_user_user(mtype, ie_data) rescue {} ) ) end end r end # This provides a weak method of decoding USER-USER PDUs. These are # actually PER-encoded ASN.1, but we take a few shortcuts since PER # encoding is such a pain. def read_user_user(mtype, data) r = {} # Identify the embedded version (2/3/4/5/6 commonly found) i = data.index("\x00\x08\x91\x4a\x00") return r if not i # Store the protocol version pver = data[i + 5, 1].unpack("C")[0] r[:protocol_version] = pver.to_s # Bump the index over the version i+= 6 # print_line( Rex::Text.to_hex_dump( data[i, 32] ) ) # Set a placeholder VendorID so this system will be reported r[:vendor_id] = "Unknown" # We use the version offset to identify the destination block location # This changes slightly based on the type of packet we receive case mtype when @@H323_STATUS_ALERTING, @@H323_STATUS_PROCEEDING if pver == 2 and data[i, 2] == "\x20\x00" r[ :vendor_id ] = "0x%.8x" % ( data[i + 2, 4].unpack("N")[0] rescue 0 ) return r end # Find the offset to the VendorID if data[i + 1, 1] != "\xc0" i+= 7 end # Stop processing if we can't identify a VendorID return r if data[i + 1, 1] != "\xc0" # Otherwise just add 2 to the offset of the version i += 2 when @@H323_STATUS_CONNECT # Bail early in some corner cases return r if data[i, 1] == "\x00" # Find the offset to the VendorID if data[i + 1, 1] != "\xc0" i+= 7 end # Stop processing if we can't identify a VendorID return r if data[i + 1, 1] != "\xc0" i += 2 return r else return r end # Extract the manufacturer ID r[ :vendor_id ] = "0x%.8x" % ( data[i, 4].unpack("N")[0] rescue 0 ) i+= 4 # No Product ID / Version ID in versions less than 3 (unless special cased above) return r if pver < 3 # Get the product_id length (-1) product_id_length = data[i, 1].unpack("C")[0] + 1 i+= 1 # Extract the product ID r[ :product_id ] = data[i, product_id_length] i+= product_id_length # Get the version ID length (-1) version_id_length = data[i, 1].unpack("C")[0] + 1 i+= 1 # Extract the version ID r[ :version_id ] = data[i, version_id_length] # Thats it for now r end def read_timeout 10 end def call_timeout 30 end @@H225_IE_BEARER_CAP = 0x04 @@H225_IE_DISPLAY = 0x28 @@H225_IE_USER_USER = 0x7e # Yes, really User-user @@H323_STATUS_ALERTING = 0x01 @@H323_STATUS_PROCEEDING = 0x02 @@H323_STATUS_SETUP = 0x05 @@H323_STATUS_SETUP_ACK = 0x0D @@H323_STATUS_CONNECT = 0x07 @@H323_STATUS_RELEASE_COMPLETE = 0x5a @@H323_STATUS_FACILITY = 0x62 def encap_tpkt(ver,data) [ ver, 0, data.length + 4 ].pack("CCn") + data end def encap_q225(desc, cref_value, msg_type, data) [ desc, cref_value.length, cref_value, msg_type].pack("CCA*C") + data end def encap_q225_standard(msg_type, data) encap_q225(0x08, [0x733f].pack("n"), msg_type, data) end def encap_q225_setup(data) encap_q225_standard(0x05, data) end def encap_q225_release(data) encap_q225_standard(0x5a, data) end def create_ie_byte(ie_type, data) [ie_type, data.length].pack("CC") + data end def create_ie_short(ie_type, data) [ie_type, data.length].pack("Cn") + data end def create_ie_bearer_capability(cap = 0x00038893) create_ie_byte( @@H225_IE_BEARER_CAP, [cap].pack("N")[0,3] ) end def create_ie_display(name = "DEBUG\x00") create_ie_byte( @@H225_IE_DISPLAY, name ) end def create_ie_user_user(data) create_ie_short( @@H225_IE_USER_USER, data ) end # # This is ugly. Doing it properly requires a PER capable ASN.1 encoder, which is overkill for this task # def create_user_info(h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) buff = "\x05" # Protocol descriminator: X.208/X.209 coded user information buff << "\x20\xa8\x06\x00\x08\x91\x4a\x00\x06\x01\x40\x02" # H323-ID buff << h323_id.unpack("C*").pack("n*") buff << "\x22\xc0\x09\x00\x00\x3d\x02\x00\x00\x00\x21" # VENDOR: 32 + 2 null bytes buff << [vendor_id].pack("Z32") + "\x00\x00" buff << "\x00" # Remote IP + Remote Port buff << ( ::Rex::Socket.addr_aton( callee_host ) + [ callee_port.to_i ].pack("n") ) buff << "\x00" # Conference GUID buff << conf_guid buff << "\x00\xc5\x1d\x80\x04\x07\x00" # Local IP + Port buff << ( ::Rex::Socket.addr_aton( caller_host ) + [ caller_port.to_i ].pack("n") ) buff << "\x11\x00" # Call GUID buff << call_guid buff << "\x82\x49\x10\x47\x40\x00\x00\x06\x04\x01\x00\x4c\x10\xb5" + "\x00\x00\x26\x25\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31" + "\x36\x30\x30\x30\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62" + "\x72\x3d\x6f\x66\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80" + "\x12\x1c\x40\x01\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc6\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x90\x3c\x00\x00\x64\x0c\x10\xb5\x00\x00\x26\x25" + "\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31\x36\x30\x30\x30" + "\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62\x72\x3d\x6f\x66" + "\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80\x0b\x0d\x40\x01" + "\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x48\x31\x40\x00\x00\x06\x04\x01\x00\x4c\x10\x09" + "\x00\x00\x3d\x0f\x53\x70\x65\x65\x78\x20\x62\x73\x34\x20" + "\x57\x69\x64\x65\x36\x80\x12\x1c\x40\x01\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc6\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\xa0\x26\x00\x00\x65\x0c\x10\x09\x00\x00\x3d\x0f" + "\x53\x70\x65\x65\x78\x20\x62\x73\x34\x20\x57\x69\x64\x65" + "\x36\x80\x0b\x0d\x40\x01\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x50\x1d\x40\x00\x00\x06\x04\x01\x00\x4c\x60\x13" + "\x80\x11\x1c\x00\x01\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc6\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x13\x00\x00\x66\x0c\x60\x13\x80\x0b\x0d\x00\x01" + "\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x00\x1d\x40\x00\x00\x06\x04\x01\x00\x4c\x20\x13" + "\x80\x11\x1c\x00\x01\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc6\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x13\x00\x00\x67\x0c\x20\x13\x80\x0b\x0d\x00\x01" + "\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc7\x00\x23\x40\x00\x00\x06\x04\x01\x00\x48\x78\x00" + "\x4a\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc8\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x19\x00\x00\x68\x08\x78\x00\x4a\xff\x00\x80\x01" + "\x00\x80\x0b\x0d\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x00\x22\x40\x00\x00\x06\x04\x01\x00\x48\x68\x4a" + "\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc8\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x18\x00\x00\x69\x08\x68\x4a\xff\x00\x80\x01\x00" + "\x80\x0b\x0d\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x00\x22\x40\x00\x00\x06\x04\x01\x00\x48\x70\x4a" + "\xff\x00\x80\x01\x00\x80\x11\x1c\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc8\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x18\x00\x00\x6a\x08\x70\x4a\xff\x00\x80\x01\x00" + "\x80\x0b\x0d\x00\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x00\x2c\x40\x00\x00\x06\x04\x01\x00\x48\xee\x00" + "\x00\x20\x9f\xff\x20\x50\x40\x01\x00\x80\x17\x1c\x20\x02" + "\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc8\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x80\x04\x48\x08\x8d\x44\x22\x00\x00\x6b\x08\xee" + "\x00\x00\x20\x9f\xff\x20\x50\x40\x01\x00\x80\x11\x0d\x20" + "\x02\x00" + Rex::Socket.addr_aton( caller_host ) + "\x13\xc9\x40\x00\x04\x48\x08\x8d\x44\x01\x00\x01\x00\x01" + "\x00\x01\x00\x80\xfa\x02\x80\xef\x02\x70\x01\x06\x00\x08" + "\x81\x75\x00\x0d\x80\x1a\x80\x01\xf4\x00\x01\x00\x00\x01" + "\x00\x00\x01\x00\x04\x02\x05\x00\x48\x08\x8d\x44\x06\x60" + "\x01\x00\x01\x80\x0b\x80\x00\x00\x20\x20\xb5\x00\x00\x26" + "\x25\x73\x70\x65\x65\x78\x20\x73\x72\x3d\x31\x36\x30\x30" + "\x30\x3b\x6d\x6f\x64\x65\x3d\x36\x3b\x76\x62\x72\x3d\x6f" + "\x66\x66\x3b\x63\x6e\x67\x3d\x6f\x66\x66\x80\x00\x01\x20" + "\x20\x09\x00\x00\x3d\x0f\x53\x70\x65\x65\x78\x20\x62\x73" + "\x34\x20\x57\x69\x64\x65\x36\x80\x00\x02\x20\xc0\xef\x80" + "\x00\x03\x20\x40\xef\x80\x00\x04\x08\xf0\x00\x4a\xff\x00" + "\x80\x01\x00\x80\x00\x05\x08\xd0\x4a\xff\x00\x80\x01\x00" + "\x80\x00\x06\x08\xe0\x4a\xff\x00\x80\x01\x00\x80\x00\x07" + "\x09\xdc\x00\x00\x40\x9f\xff\x20\x50\x40\x01\x00\x80\x00" + "\x08\x83\x01\x50\x80\x00\x09\x83\x01\x10\x80\x00\x0a\x83" + "\x01\x40\x80\x00\x0b\x8a\x0c\x14\x0a\x30\x2d\x31\x36\x2c" + "\x33\x32\x2c\x33\x36\x00\x80\x01\x03\x03\x00\x00\x00\x01" + "\x00\x02\x00\x03\x03\x00\x04\x00\x05\x00\x06\x00\x07\x00" + "\x00\x08\x02\x00\x09\x00\x0a\x00\x0b\x07\x01\x00\x32\x80" + "\x96\x61\x41\x02\x80\x01\x80" buff end def create_user_release_info(call_guid) "\x05" + "\x25\x80\x06\x00\x08\x91\x4a\x00\x05\x01\x11\x00" + call_guid + "\x02\x80\x01\x00" end def h323_release_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) encap_tpkt(3, encap_q225_release( create_ie_display(caller_name) + create_ie_user_user( create_user_release_info(call_guid ) ) ) ) end def h323_setup_call(caller_name, h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid) encap_tpkt(3, encap_q225_setup( create_ie_bearer_capability() + create_ie_display(caller_name) + create_ie_user_user( create_user_info( h323_id, vendor_id, callee_host, callee_port, caller_host, caller_port, conf_guid, call_guid ) ) ) ) end end