dc414 and I are proud to introduce Upnp Exploiter! A Upnp scanner and exploit tool. This tool comes with two main scanning functions and exploit functions.
The first scanning functions is the target scan. Here you can pick a single IP or IP range to find anything that reports back to a UPNP multicast packet sent to the normal UPNP broadcast address “126.96.36.199 on port 1900” If target responds it takes a closer look and sees if it can get the targets UPNP profile letting us know what type of device it is, what UPNP functions it supports, its IP, and other information. When used remotely, this all takes advantage of the fact that the target device violates the UPNP specs and responds to UPNP requests outside of the deices local area network.
The second scanning function only works in a local area network and just sends out a UPNP broadcast. This function is just using the UPNP protocol as intended.
Once a list of UPNP supported devices are found the script mines some information from it like device type, UPNP functions, IP. If its a gateway device it prompts you and asks if you want to attempt to exploit it.
The first option is to forward ports. If doing this LAN side its best to do some network recon with NMAP or something, find some fun services running on a internal server and forward them to the web for later hacking. While gathering information on the device it gets a list of other ports forwarded via UPNP and the devices internal IP. This is supper helpful when doing things on the remote side. One of my personal favs is routing the modems internal port 80 to 81 on WAN. This should give you access to the routers internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of rfc’s, protocols, and other stuff lol.
The second exploit option tries to turn a gateway device into a proxy. Now this works using IP addresses and one host per port. So if you want to connect to Victim A on port 8 you use the script to forward all data coming in on any port you choose “for now we will say 88” to VA on port 80. So you connect to port 88 on the Victim B “the gateway device” and all the traffic is forwarded to VA on port 80. This also breaks UPNP rules, but who cares.
The last little thing this script does is parse the replies for the unique_service_name() vulnerability and reports to you if it finds anything with some helpful information to aid in exploiting it.
You can get the script from the git page HERE. If you like it please consider donating to dc414 or me (Anarchy Angel – email@example.com) for taking the time to make such an awesome script 🙂 If anyone would like to help with development please contact Anarchy Angel (me).
Many thanks to Ngharo for help with the regex and list stuff.
Sorry for the question, a COMPLETE newbie here….but how do you run the code? I see it on get hub, but no idea what to do next 🙁
Well before you start, know this script only works on linux. You can download a zip file from git that has everything you need for Upnp Exploiter – https://github.com/dc414/Upnp-Exploiter/archive/master.zip if you dont want to download git and clone the project.
I see, I don’t use linux 🙁
Any chance for a demo on the Upnp exploiter during next group meeting?
Sure ask me and I will be happy to show you how it works.
A curiosity, your tool Upnp exploiter is for that router model ? linksys, dlink. ? Is generic . no ?
Nice job your tool!
generic, should work on most if not all routers.
Python upnp.py target 192.168.0.*
AnarychyAngel, thanks for the code. I am working on software that needs to create a peer-to-peer network as part of it’s core functionary and one of the most problematic aspects of this is port forwarding. Resilient software at least needs to use UPnP to open up ports since its widely implemented on networked devices as a way of traversing NAT. There aren’t many Python libraries that work to solve this problem. Actually, to clarify this statement – there aren’t many purely Python libraries that work and are this simple.
What I like about your code is it’s only a few hundred lines of code that solves the problem and it doesn’t rely on non-standard dependencies. I can easily turn this into a simple, modular, class and use it in my software. So, thanks a lot. You’ve probably saved me hours of going over the UPnP spec, manually figuring out the format and how to craft the packets right and to be honest – I’m not even sure I’m capable of concentrating on something that boring (which is now fine since I only have to clean up your code a little and it will be perfect.)
Interesting PoC, too, btw. I was well aware that UPnP is a highly useful technology for bots, Trojans, RATs, etc, since it solves the NAT problem and could be used to punch a hole to use for direct connect but it’s interesting to know there are routers that respond to UPnP from external networks. The unique_service_name() vuln is pretty scary too.
Do I have your permission to release a modified version of your original code under the AGPL? Since you put the work in the public domain I thought I’d get permission about open source licensing.
Go for it! If it works out please submit it here as well if you are releasing it to the public. Thanks!
it works but after use for while time, i get this error, when i try open ports.
HTTP Error 500: Internal Server Error
Shit it didnt work y0 :/
i need help exploit it does work it fine, but i dont know why when i configure portforwarding on the remote router it show me was successfull configurated, but when i do scan to remote ip it does not show open.
I have a setup like this.
sh-4.1# ./upnp.py target 10.1.100.196
Sending UPNP packets to 10.1.100.196
Waiting for data
Press Ctrl+c at anytime to stop capture
** upnp script is started on centos
*** what kinds of application I can use to receive this packets on the client side ( windows)?
You could probably just use Wireshark.
chronos@localhost / $ wget https://raw.githubusercontent.com/dc414/Upnp-Exploiter/master/upnp.py
–2017-10-08 22:27:35– https://raw.githubusercontent.com/dc414/Upnp-Exploiter/master/upnp.py
Resolving raw.githubusercontent.com… 188.8.131.52
Connecting to raw.githubusercontent.com|184.108.40.206|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 10112 (9.9K) [text/plain]
upnp.py: Read-only file system
Cannot write to ‘upnp.py’ (Success).