Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Abusing VoIPmonitor for Remote Code Execution - 423

Alfred Farrugia - Enable Security. Posted 5 years ago.
  • VoIPmonitor is an open source network packet sniffer with a commercial frontend for SIP and other protocols. The authors of the post found a vulnerability in this popular software.
  • The authors used their open source tool SIPVicious to fuzz VoIPmonitor's SIP protocol parsing. Initially they got no results. However, after turning on the live sniffer, they found a crash almost immediately.
  • The bug was a simple buffer overflow: data from a header was copied into a fixed-size array with no length check. The code handling SIP REGISTER requests had this vulnerability in it.
  • The project's makefile showed lots of binary protections. But the actual release build of the product had NONE of them turned on! So, pwning a simple buffer overflow was live :)
  • The exploit overwrites the saved return address on the stack to point to a ROP gadget. This gadget increases the value of RDI (the first-argument register on x86-64) so that it points into the overflowed packet data, which is attacker controlled. system() takes a single parameter, so once RDI is controlled we can pop a shell!
  • This is confusing because libc would be randomized with ASLR, but they use a ROP gadget later to increase the value of RDI to an attacker controlled location. Regardless, the author could have referenced the PLT entry for system instead, with ASLR on the system and not PIE.
  • Overall, I really liked this post and enjoy the content this company puts out. I love the logo of a man screaming into the phone; you know this is a group of hackers when you see that!
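The bug class in the notes above (a header value copied into a fixed-size stack buffer) is easy to reproduce and easy to fix, so here is an added example of my own, not code from the VoIPmonitor project or from the Enable Security post. It parses a constructed SIP REGISTER message, shows the unbounded-copy pattern for contrast (only ever called with a short value), and beside it the bounded version that rejects anything that does not fit. The message, the field size `FIELD_MAX`, and the function names are all my assumptions; the real VoIPmonitor buffer size and header are not stated on this page.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */
#include <stddef.h>

/* Constructed sample SIP REGISTER request (not from the original post). */
static const char sample_register[] =
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@example.invalid>;tag=a1\r\n"
    "To: <sip:alice@example.invalid>\r\n"
    "Call-ID: 1234@192.0.2.10\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

#define FIELD_MAX 64   /* assumed size of the fixed stack buffer */

/* Locate header `name` (case-insensitive, at line start) and return a
 * pointer to its value with the length in *len; NULL if absent. Stops at
 * the empty line that ends the header block. */
static const char *sip_header_value(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        if (eol == line) break;                 /* end of headers */
        if ((size_t)(eol - line) > nlen &&
            strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(eol - v);
            return v;
        }
        if (!*eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* VULNERABLE pattern, the kind of bug the post describes: the value is
 * copied into a fixed-size stack buffer with no bound on len. A value of
 * FIELD_MAX bytes or more runs past `field` into the saved return address,
 * which is exactly what a ROP chain needs. Kept only for contrast; the
 * demo below never feeds it more than the short sample value. */
static void vulnerable_copy(const char *value, size_t len)
{
    char field[FIELD_MAX];
    memcpy(field, value, len);
    field[len] = '\0';
    (void)field;
}

/* Hardened version: refuse anything that does not fit, including the NUL.
 * Returns 0 on success, -1 when the value is missing or too long. */
static int safe_copy(char *dst, size_t dst_sz, const char *value, size_t len)
{
    if (!value || len >= dst_sz) return -1;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

/* Extract header `name` from `msg` into a bounded caller buffer. */
static int extract_header(const char *msg, const char *name, char *out, size_t out_sz)
{
    size_t len = 0;
    const char *v = sip_header_value(msg, name, &len);
    return safe_copy(out, out_sz, v, len);
}

/* Does header `name` of `msg` equal `expected` after bounded extraction? */
static int header_equals(const char *msg, const char *name, const char *expected)
{
    char field[FIELD_MAX];
    if (extract_header(msg, name, field, sizeof field) != 0) return 0;
    return strcmp(field, expected) == 0;
}

/* Constructed attacker input: a REGISTER whose Via value is via_len 'A's,
 * the shape of message a fuzzer like SIPVicious would throw at the parser. */
static char big_msg[1024];
static int extract_via_from_long_message(size_t via_len)
{
    char via[513];
    char field[FIELD_MAX];
    if (via_len > 512) via_len = 512;
    memset(via, 'A', via_len);
    via[via_len] = '\0';
    snprintf(big_msg, sizeof big_msg,
             "REGISTER sip:example.invalid SIP/2.0\r\nVia: %s\r\nContent-Length: 0\r\n\r\n", via);
    return extract_header(big_msg, "Via", field, sizeof field);
}

int main(void)
{
    char field[FIELD_MAX];
    size_t len = 0;
    const char *v = sip_header_value(sample_register, "Via", &len);
    vulnerable_copy(v, len);   /* short value: fits, so no overflow here */
    if (extract_header(sample_register, "Via", field, sizeof field) == 0)
        printf("Via = %s\n", field);
    printf("200-byte Via rejected: %s\n",
           extract_via_from_long_message(200) == -1 ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is that the check lives where the length is known (the parser), not in the caller, and that rejection is explicit rather than silent truncation. Whatever the makefile says, verify the protections on the shipped binary itself before assuming an overflow like this is hard to exploit.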