Earlier in the chapter, we discussed an exploit with UPnP as a method of performing a denial-of-service attack. This service can also be used to gain remote access to a computer.
The UPnP service is vulnerable. One method of attack is to use the NOTIFY directive, which has the following format:
NOTIFY * HTTP/1.1 HOST: <TARGET IP>:1900 CACHE-CONTROL: max-age=10 LOCATION: http://IPADDRESS:PORT/.xml NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1 NTS: ssdp:alive SERVER: HACKER/2001 UPnP/1.0 product/1.1 USN: uuid:HACKER
If the Location field increases rapidly, the result is a server crash as the result of a server memory error. Technically, this is the result of a buffer overflow error that caused important information to be overwritten with random data. However, it has been discovered that overflowing the server with a series of As returns the problem address 0x41414141, which indicates that a controllable buffer overflow is possible. This is simple because the letter "A" is the same as the hex value "41". We know that the memory was overflowed with our series of As when we receive a response of 41414141 in the error.
There's a program that tests this problem. (It should be noted that this script may not work correctly due to the fact that every loaded service changes the starting point of the ssdpsrv.ede service.) The following is the most commonly quoted program with regard to performing a buffer overflow attack. If this program is successful, a remote shell is ...