CVE-2006-0189
Published 2006-01-13
Priority P3 (45) · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 15.51% (96.4th percentile)
Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| estara | softphone | — | — |
| estara | softphone | — | — |
Suricata
GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt (sid 2100223, rev 2, created 2010-09-23, CVE-2006-0189)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, cve CVE_2006_0189, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
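The description and the rule above together define what the detector is looking for: a SIP request on UDP/5060 whose SDP body carries an "a=" attribute line of 1000 or more non-newline bytes, provided the packet also contains ";branch=" (a Via branch parameter) and "a=". The following Python is an added example, not code from the page, from eStara, or from the rule's authors: it builds constructed SIP INVITE datagrams (addresses, tags and Call-ID are made up), re-implements the three match conditions of sid 2100223, and adds a plain length check that a SIP endpoint or proxy could apply before handing the body to an SDP parser. It does not reproduce the exploit payloads on this page.

```python
import re

# Threshold taken from the Suricata rule on this page (sid 2100223): the pcre
# /^a\x3D[^\n]{1000,}/smi fires on an SDP "a=" line with 1000+ non-newline bytes.
ATTR_THRESHOLD = 1000

# Same pattern and flags as the rule's pcre: s = DOTALL, m = MULTILINE, i = IGNORECASE.
_LONG_ATTR = re.compile(rb"^a=[^\n]{%d,}" % ATTR_THRESHOLD, re.S | re.M | re.I)


def build_invite(attr_value: bytes, src: bytes = b"172.16.3.6", dst: bytes = b"127.0.0.1") -> bytes:
    """Build a SIP INVITE whose SDP body ends with the attribute line 'a=' + attr_value.

    Addresses, tag and Call-ID are constructed for this example. The Via header
    carries a branch parameter because the rule's first content match needs ';branch='.
    """
    sdp = b"\r\n".join([
        b"v=0",
        b"o=- 0 0 IN IP4 " + src,
        b"s=-",
        b"c=IN IP4 " + src,
        b"t=0 0",
        b"m=audio 4000 RTP/AVP 0",
        b"a=rtpmap:0 PCMU/8000",
        b"a=" + attr_value,
        b"",
    ])
    headers = b"\r\n".join([
        b"INVITE sip:a@" + dst + b" SIP/2.0",
        b"Via: SIP/2.0/UDP " + src + b":3333;branch=z9hG4bK-example",
        b"From: <sip:x@" + src + b">;tag=1",
        b"To: <sip:a@" + dst + b">",
        b"Call-ID: example@" + src,
        b"CSeq: 1 INVITE",
        b"Content-Type: application/sdp",
        b"Content-Length: " + str(len(sdp)).encode(),
        b"",
        b"",
    ])
    return headers + sdp


def rule_matches(payload: bytes) -> bool:
    """Apply the match conditions of sid 2100223 to one UDP/5060 payload."""
    if b";branch=" not in payload or b"a=" not in payload:
        return False
    return _LONG_ATTR.search(payload) is not None


def longest_sdp_attribute(payload: bytes) -> int:
    """Length in bytes of the longest 'a=' attribute value in the SDP body (0 if none).

    A simpler pre-parse check than the regex: it ignores the CR terminator and
    the SIP headers, and counts only the attribute value itself.
    """
    _head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return 0
    longest = 0
    for line in body.split(b"\n"):
        line = line.rstrip(b"\r")
        if line[:2].lower() == b"a=":
            longest = max(longest, len(line) - 2)
    return longest


if __name__ == "__main__":
    benign = build_invite(b"rtpmap:8 PCMA/8000")
    hostile = build_invite(b"A" * 1200)  # oversized attribute, as in the CVE description
    print("benign :", rule_matches(benign), longest_sdp_attribute(benign))
    print("hostile:", rule_matches(hostile), longest_sdp_attribute(hostile))
```

Two details of the rule show up when you run this. First, `[^\n]` also counts the CR of a CRLF-terminated SDP line, so an attribute value of 999 bytes already satisfies the `{1000,}` quantifier; a length check done on the parsed value, as `longest_sdp_attribute` does, is the cleaner threshold to reason about. Second, the rule is gated on the literal `;branch=`, so a request whose Via lacks a branch parameter (non-RFC 3261 compliant, but some legacy SIP stacks accept it) carries the same oversized attribute without firing the signature, and the rule covers UDP only.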
Exploit-DB
eStara SoftPhone 3.0.1.46 - SIP Remote Buffer Overflow (2) (exploitdb, 2006-01-12, CVE-2006-0189)
---
#!/usr/bin/perl -s
# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
# Remote "estara softphone" exploit, executable version info = 3.0.1.2
# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
# Let's face it, most users won't know the difference between tcp and udp even
# if it bites them in the ass, so the port is chosen in the hope that nat'ed
# users forward both tcp and udp port 5060 to their machine to make sip stuff
# work without all that hard thinking taking place.
# this used to be 0day, but I saw someone release something called estara.c
# on packetstorm today. I don't know if it's even the same bug, but this
# exploit is better anyway, so there.
# win32_bin
Exploit-DB
eStara SoftPhone 3.0.1.46 - SIP Remote Buffer Overflow (1) (exploitdb, 2006-01-12, CVE-2006-0189)
---
/***************************************
eStara Softphone buffer overflow exploit
tested on :
eStara Softphone 3.0.1.14
||||||
eStara Softphone 3.0.1.46
Vendor website : http://www.estara.com/softphone/softph.exe
Run this application, then use nc to send the built packet :
nc -u 127.0.0.1 5060
***************************************/
#include
/* Raw SIP INVITE sent over UDP/5060. The bytes below decode to
   "INVITE sip:a@127.0.0.1 SIP/2.0\r\nVia: SIP/2.0/UDP 172.16.3.6:3333;br"
   and the array is truncated at that point in this listing. */
unsigned char invite[] = {
0x49, 0x4E, 0x56, 0x49, 0x54, 0x45, 0x20, 0x73, 0x69, 0x70, 0x3A, 0x61, 0x40, 0x31, 0x32, 0x37,
0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x0D, 0x0A,
0x56, 0x69, 0x61, 0x3A, 0x20, 0x53, 0x49, 0x50, 0x2F, 0x32, 0x2E, 0x30, 0x2F, 0x55, 0x44, 0x50,
0x20, 0x31, 0x37, 0x32, 0x2E, 0x31, 0x36, 0x2E, 0x33, 0x2E, 0x36, 0x3A, 0x33, 0x33, 0x33, 0x33,
0x3B, 0x62, 0x72, 0x
No writeups or analysis indexed.
References
http://secunia.com/advisories/18410
http://securitytracker.com/id?1015481
http://www.osvdb.org/22348
http://www.securityfocus.com/archive/1/421596/100/0/threaded
http://www.securityfocus.com/bid/16213
http://www.vupen.com/english/advisories/2006/0167
https://exchange.xforce.ibmcloud.com/vulnerabilities/24090