Another proof of concept exploiting the following vulnerability: Ethereal SIP Dissector Overflow. A bug in Ethereal's SIP dissector lets an attacker crash Ethereal by overflowing an internal buffer that Ethereal uses while handling SIP-related packets. The following exploit code can be used to test your system for the mentioned vulnerability.
Exploit:
/* ethereal_sip_dos.c - by Shaun Colley <shaun rsc cx>
*
* This code exploits the Ethereal <= 0.10.10 SIP dissector stack overflow vulnerability,
* reported by SecurityLab. See the advisory for more details (i.e. fix) -
* <http://www.securitylab.net/ethereal-0-10-10.txt>
*
* This buffer overflow bug is due to a blind copy of the "CSeq" field in a packet containing a SIP header.
* If a malformed SIP packet appears on the same interface as the vulnerable Ethereal,
* Ethereal will strcpy() the SIP header's CSeq field into a buffer without bounds checking.
* This code transmits a SIP header (in a UDP datagram) with an overly long CSeq field, which
* results in a stack overflow because of the strcpy(). It is probably
* possible to execute code, but since Ethereal first validates each byte with an 'isalpha' check,
* shellcode may have to be printable ASCII-only if the bug were to be exploited. I am not
* certain on how easy code execution would be. Important things get overwritten during the overflow,
* so the attacker would need to fill them back in themselves.
*
* Ethereal have released a patch. Ethereal 0.10.11 fixes this bug.
*
* syntax: ethereal_sip_dos <host> - where <host> is an address that makes the packet appear on
* the Ethereal host's interface, i.e. target's IP address.
*
* This code doesn't spoof the source address - if you care, capture the packet and retransmit
* it with a spoofed source IP address.
*/
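The defect described in the header comment is an unbounded strcpy() of the CSeq header value into a fixed-size buffer. The program below is an added example written for this page; it is neither Ethereal's dissector code nor part of Shaun Colley's PoC. It shows the shape of a bounded CSeq extraction: the parser walks the SIP header block line by line, never reads past the packet length it was given, and rejects (rather than truncates) a CSeq value that would not fit. The buffer size CSEQ_MAX, the function names and the sample messages are all choices made here for illustration and are not taken from Ethereal's source.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the destination buffer, chosen for this example only.
 * The point is that the copy is checked against it, not the exact value. */
#define CSEQ_MAX 64

enum cseq_status { CSEQ_OK = 0, CSEQ_MISSING = -1, CSEQ_TOO_LONG = -2 };

/* Case-insensitive prefix match (SIP header names are case-insensitive). */
static int hdr_match(const char *line, size_t linelen, const char *hdr, size_t hdrlen)
{
    size_t i;
    if (linelen < hdrlen) return 0;
    for (i = 0; i < hdrlen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)hdr[i])) return 0;
    return 1;
}

/* Copy the value of the "CSeq:" header from pkt[0..len) into out, NUL-terminated.
 * Returns CSEQ_OK, CSEQ_MISSING if the header block has no CSeq line, or
 * CSEQ_TOO_LONG if the value would not fit in outlen bytes. On CSEQ_TOO_LONG
 * nothing is written: the packet is rejected instead of silently truncated. */
enum cseq_status extract_cseq(const char *pkt, size_t len, char *out, size_t outlen)
{
    static const char hdr[] = "CSeq:";
    const size_t hdrlen = sizeof(hdr) - 1;
    const char *p = pkt, *end = pkt + len;

    while (p < end) {
        /* Find the end of this line without reading beyond 'end'. */
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *line_end = eol ? eol : end;
        size_t linelen = (size_t)(line_end - p);
        if (linelen > 0 && p[linelen - 1] == '\r') linelen--;

        if (linelen == 0) break;              /* blank line: end of headers */

        if (hdr_match(p, linelen, hdr, hdrlen)) {
            const char *v = p + hdrlen;
            size_t vlen = linelen - hdrlen;
            while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            if (vlen >= outlen) return CSEQ_TOO_LONG;   /* the missing bounds check */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return CSEQ_OK;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return CSEQ_MISSING;
}

/* Constructed sample messages (not captured traffic). */
const char SAMPLE_OK[] =
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "cseq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n";
const char SAMPLE_NOCSEQ[] =
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n\r\n"
    "CSeq: 1 INVITE\r\n";             /* in the body, so it must be ignored */

static char g_out[CSEQ_MAX];

/* Returns the extracted CSeq value for a NUL-terminated message, or NULL. */
const char *probe_value(const char *msg)
{
    return extract_cseq(msg, strlen(msg), g_out, sizeof g_out) == CSEQ_OK ? g_out : NULL;
}

/* Build a message whose CSeq value is n 'A's followed by " INVITE" and report
 * the parser's verdict; demonstrates that the bound holds for any n. */
enum cseq_status probe_oversized(size_t n)
{
    char msg[1024], out[CSEQ_MAX];
    size_t pos;
    if (n > 900) n = 900;
    pos = (size_t)snprintf(msg, sizeof msg, "INVITE sip:bob@example.org SIP/2.0\r\nCSeq: ");
    memset(msg + pos, 'A', n);
    pos += n;
    pos += (size_t)snprintf(msg + pos, sizeof msg - pos, " INVITE\r\n\r\n");
    return extract_cseq(msg, pos, out, sizeof out);
}

int main(void)
{
    const char *v = probe_value(SAMPLE_OK);
    printf("CSeq: %s\n", v ? v : "(missing)");
    printf("oversized verdict: %d\n", (int)probe_oversized(200));
    return 0;
}
```

The value of the CSeq line is everything after the colon, so with CSEQ_MAX of 64 the rejection threshold in probe_oversized is n + strlen(" INVITE") >= 64, i.e. n >= 57. A detection-side equivalent of the same check is a capture filter or IDS rule that flags SIP datagrams whose CSeq line exceeds a sane length, which is the traffic pattern this PoC produces.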