cbcvebase.
CVE-2006-3524
published 2006-07-12


Priority: P3 55 · high 7.5 (CVSS 2.0) · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT: public exploit available
EPSS: 66.99% (99.2th percentile)
Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message.

Detection & IOCs (extracted from sources)

Ports: 5060/udp, 5061/udp
Command: INVITE sip:<user>@127.0.0.1 SIP/2.0 with oversized CSeq header (260+ bytes, SEH overwrite at offset 252)
Command: INVITE sip:<user>@127.0.0.1 SIP/2.0 with oversized CSeq header (792+ bytes, SEH overwrite at offset 780)
  • Detect oversized SIP CSeq header values in INVITE messages over UDP: the PoC sends a CSeq field exceeding normal numeric bounds with embedded shellcode padding.
  • Alert on SIP INVITE packets arriving on UDP/5060 or UDP/5061 where the CSeq header value is abnormally long (hundreds of bytes rather than a short integer plus a method name).
  • The exploit payloads filter the bad characters \x00\x0a\x20\x09\x0d, so shellcode in the CSeq field will avoid these bytes; their absence from a long CSeq value is a heuristic for encoded shellcode in SIP headers.
  • Monitor for the specific CSeq byte pattern from the PoC exploit: the hex sequence 31 31 35 37 39 32 30 38 39 32 33 37 33 31 36 31 39 35 34 32 33 35 37 30 followed by a 4-byte EIP overwrite value.
  • Flag the presence of coolcore45.dll in the process memory of AIM Triton; the SEH overwrite targets a gadget at 0x4017b3d9 within this DLL.
  • SEH-based exploitation: look for structured exception handler overwrites at CSeq buffer offset 252 (sipXezPhone) or offset 780 (AIM Triton) within SIP INVITE traffic.
  • The sipXezPhone Metasploit module uses a single universal target with a hardcoded SEH gadget; no version-specific offsets are provided, so the same payload is attempted against all 0.35a installs.
  • The AIM Triton module uses EXITFUNC=seh (not process/thread), meaning the exploit relies on SEH chain walking; detection based purely on process termination may miss successful exploitation.
  • Payload space is constrained to 400 bytes for both the sipXezPhone and AIM Triton modules; staged payloads or large shellcode will not fit and require a stager.
  • The PoC exploit sends a single UDP datagram with no reliability mechanism; packet loss on the network may cause silent failure with no error indication to the attacker.
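As an added detection example (not from the CVE record or its sources), the long-CSeq check from the bullets above written as a small Python function run over constructed INVITE datagrams. The 64-byte length threshold, the `<number> <METHOD>` shape check, and the sample addresses (example.test, 192.0.2.10) are assumptions for the example, not values from the page.

```python
import re

# Constructed sample SIP INVITE datagrams (not real captures).
NORMAL_INVITE = (
    b"INVITE sip:alice@example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OVERSIZED_INVITE = (
    b"INVITE sip:alice@example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"CSeq: " + b"1" * 300 + b" INVITE\r\n"   # hundreds of bytes, as in the PoC
    b"Content-Length: 0\r\n\r\n"
)

# A legitimate CSeq is a sequence number followed by the request method.
CSEQ_RE = re.compile(rb"^\d{1,10} [A-Z]+$")
MAX_CSEQ_LEN = 64   # assumption: generous upper bound for legitimate values

def parse_headers(datagram):
    """Split a SIP datagram into its request line and a header dict (bytes)."""
    head, _, _ = datagram.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def check_invite(datagram, dst_port=5060):
    """Return a list of findings for a SIP INVITE on UDP/5060 or 5061,
    an empty list if the CSeq looks normal, or None if not applicable."""
    request_line, headers = parse_headers(datagram)
    if dst_port not in (5060, 5061) or not request_line.startswith(b"INVITE "):
        return None
    findings = []
    for value in headers.get(b"cseq", []):
        if len(value) > MAX_CSEQ_LEN:
            findings.append(f"CSeq length {len(value)} exceeds {MAX_CSEQ_LEN}")
        elif not CSEQ_RE.match(value):
            findings.append("CSeq value does not match '<number> <METHOD>'")
    return findings
```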