/lib/rex/proto/iax2/client.rb
https://gitlab.com/alx741/metasploit-framework · Ruby · 219 lines · 170 code · 42 blank · 7 comment · 24 complexity · e323fa3681d0cd0984dbf3651c4ff2f1 MD5 · raw file
- # -*- coding: binary -*-
- require 'rex/proto/iax2/constants'
- require 'rex/proto/iax2/codecs'
- require 'rex/proto/iax2/call'
- require 'rex/socket'
- require 'thread'
- require 'digest/md5'
- require 'timeout'
- module Rex
- module Proto
- module IAX2
- class Client
- attr_accessor :caller_number, :caller_name, :server_host, :server_port
- attr_accessor :username, :password
- attr_accessor :sock, :monitor
- attr_accessor :src_call_idx
- attr_accessor :debugging
- attr_accessor :calls
- def initialize(uopts={})
- opts = {
- :caller_number => '15555555555',
- :caller_name => '',
- :server_port => IAX2_DEFAULT_PORT,
- :context => { }
- }.merge(uopts)
- self.caller_name = opts[:caller_name]
- self.caller_number = opts[:caller_number]
- self.server_host = opts[:server_host]
- self.server_port = opts[:server_port]
- self.username = opts[:username]
- self.password = opts[:password]
- self.debugging = opts[:debugging]
- self.sock = Rex::Socket::Udp.create(
- 'PeerHost' => self.server_host,
- 'PeerPort' => self.server_port,
- 'Context' => opts[:context]
- )
- self.monitor = ::Thread.new { monitor_socket }
- self.src_call_idx = 0
- self.calls = {}
- end
- def shutdown
- self.monitor.kill rescue nil
- end
- def create_call
- cid = allocate_call_id()
- self.calls[ cid ] = IAX2::Call.new(self, cid)
- end
- #
- # Transport
- #
- def monitor_socket
- while true
- begin
- pkt, src = self.sock.recvfrom(65535)
- next if not pkt
- # Find the matching call object
- mcall = matching_call(pkt)
- next if not mcall
- if (pkt[0,1].unpack("C")[0] & 0x80) != 0
- mcall.handle_control(pkt)
- else
- # Dispatch the buffer via the call handler
- mcall.handle_audio(pkt)
- end
- rescue ::Exception => e
- dprint("monitor_socket: #{e.class} #{e} #{e.backtrace}")
- break
- end
- end
- self.sock.close rescue nil
- end
- def matching_call(pkt)
- src_call = pkt[0,2].unpack('n')[0]
- dst_call = nil
- if (src_call & 0x8000 != 0)
- dst_call = pkt[2,2].unpack('n')[0]
- dst_call ^= 0x8000 if (dst_call & 0x8000 != 0)
- end
- src_call ^= 0x8000 if (src_call & 0x8000 != 0)
- # Find a matching call in our list
- mcall = self.calls.values.select {|x| x.dcall == src_call or (dst_call and x.scall == dst_call) }.first
- if not mcall
- dprint("Packet received for non-existent call #{[src_call, dst_call].inspect} vs #{self.calls.values.map{|x| [x.dcall, x.scall]}.inspect}")
- return
- end
- mcall
- end
- def allocate_call_id
- res = ( self.src_call_idx += 1 )
- if ( res > 0x8000 )
- self.src_call_idx = 1
- res = 1
- end
- res
- end
- def dprint(msg)
- return if not self.debugging
- $stderr.puts "[#{Time.now.to_s}] #{msg}"
- end
- def send_data(call, data, inc_seq = true )
- r = self.sock.sendto(data, self.server_host, self.server_port, 0)
- if inc_seq
- call.oseq = (call.oseq + 1) & 0xff
- end
- r
- end
- def send_ack(call)
- data = [ IAX_SUBTYPE_ACK ].pack('C')
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ), false )
- end
- def send_pong(call, stamp)
- data = [ IAX_SUBTYPE_PONG ].pack('C')
- send_data( call, create_pkt( call.scall, call.dcall, stamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_lagrp(call, stamp)
- data = [ IAX_SUBTYPE_LAGRP ].pack('C')
- send_data( call, create_pkt( call.scall, call.dcall, stamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_invalid(call)
- data = [ IAX_SUBTYPE_INVAL ].pack('C')
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_hangup(call)
- data = [ IAX_SUBTYPE_HANGUP ].pack('C')
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_new(call, number)
- data = [ IAX_SUBTYPE_NEW ].pack('C')
- cid = call.caller_number || self.caller_number
- cid = number if cid == 'SELF'
- data << create_ie(IAX_IE_CALLING_NUMBER, cid )
- data << create_ie(IAX_IE_CALLING_NAME, call.caller_name || self.caller_name)
- data << create_ie(IAX_IE_DESIRED_CODEC, [IAX_SUPPORTED_CODECS].pack("N") )
- data << create_ie(IAX_IE_ACTUAL_CODECS, [IAX_SUPPORTED_CODECS].pack("N") )
- data << create_ie(IAX_IE_USERNAME, self.username) if self.username
- data << create_ie(IAX_IE_CALLED_NUMBER, number)
- data << create_ie(IAX_IE_ORIGINAL_DID, number)
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_authrep_chall_response(call, chall)
- data =
- [ IAX_SUBTYPE_AUTHREP ].pack('C') +
- create_ie(IAX_IE_CHALLENGE_RESP, ::Digest::MD5.hexdigest( chall + self.password ))
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_regreq(call)
- data = [ IAX_SUBTYPE_REGREQ ].pack('C')
- data << create_ie(IAX_IE_USERNAME, self.username) if self.username
- data << create_ie(IAX_IE_REG_REFRESH, [IAX_DEFAULT_REG_REFRESH].pack('n'))
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def send_regreq_chall_response(call, chall)
- data =
- [ IAX_SUBTYPE_REGREQ ].pack('C') +
- create_ie(IAX_IE_USERNAME, self.username) +
- create_ie(IAX_IE_CHALLENGE_RESP, ::Digest::MD5.hexdigest( chall + self.password )) +
- create_ie(IAX_IE_REG_REFRESH, [IAX_DEFAULT_REG_REFRESH].pack('n'))
- send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
- end
- def create_ie(ie_type, ie_data)
- [ie_type, ie_data.length].pack('CC') + ie_data
- end
- def create_pkt(src_call, dst_call, tstamp, out_seq, inp_seq, itype, data)
- [
- src_call | 0x8000, # High bit indicates a full packet
- dst_call,
- tstamp,
- out_seq & 0xff, # Sequence numbers wrap at 8-bits
- inp_seq & 0xff, # Sequence numbers wrap at 8-bits
- itype
- ].pack('nnNCCC') + data
- end
- end
- end
- end
- end