_________ .__ .__ _________ __ \_ ___ \_____ | | | | / _____// |_____________ ____ ____ ___________ / \ \/\__ \ | | | | \_____ \ __\_ __ \__ \ / \ / ___\_/ __ \_ __ \ \ \____/ __ \| |_| |__/ \| | | | \// __ \| | \/ /_/ > ___/| | \/ \______ (____ /____/____/_______ /|__| |__| (____ /___| /\___ / \___ >__| \/ \/ \/ \/ \//_____/ \/ This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for: * Bypassing DLP for exfiltrating data * Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood * Scanning internal ports from Internet facing UPnP devices You can find detailed information on https://www.callstranger.com https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695 Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication Stranger Host: http://20.42.105.45 Stranger Port: 80 !Error in service definition http://192.168.86.30:49152 urn:schemas-microsoft-com:service:NULL:1 !Error: http://192.168.86.40:49153/description1.xml failed !Error in device description request http://192.168.86.40:49153/description1.xml !Error in ('192.168.86.40', 51876) !Error: http://192.168.86.40:49153/description0.xml failed !Error in device description request http://192.168.86.40:49153/description0.xml !Error in ('192.168.86.40', 53206) !Error: http://192.168.86.40:49153/description3.xml failed !Error in device description request http://192.168.86.40:49153/description3.xml !Error in ('192.168.86.40', 60720) 11 devices found: WDMyCloudMirror http://192.168.86.30:49152 ( http://192.168.86.30:49152/nasdevicedesc.xml ) 0 service(s) found for WDMyCloudMirror OnHub http://192.168.86.1:5000 ( http://192.168.86.1:5000/rootDesc.xml ) 4 service(s) found for OnHub urn:schemas-upnp-org:service:Layer3Forwarding:1 --> http://192.168.86.1:5000/evt/L3F urn:schemas-upnp-org:service:DeviceProtection:1 --> http://192.168.86.1:5000/evt/DP urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1 --> http://192.168.86.1:5000/evt/CmnIfCfg urn:schemas-upnp-org:service:WANIPConnection:2 --> http://192.168.86.1:5000/evt/IPConn None None ( http://192.168.86.40:49153/description1.xml ) 0 service(s) found for None None None ( http://192.168.86.40:49153/description0.xml ) 0 service(s) found for None Living Room TV http://192.168.86.24:8008 ( http://192.168.86.24:8008/ssdp/device-desc.xml ) 1 service(s) found for Living Room TV urn:dial-multiscreen-org:service:dial:1 --> http://192.168.86.24:8008/ssdp/notfound --skipping http://192.168.86.24:8008/ssdp/notfound because it contains dummy service keywords Kitchen display http://192.168.86.50:8008 ( http://192.168.86.50:8008/ssdp/device-desc.xml ) 1 service(s) found for Kitchen display urn:dial-multiscreen-org:service:dial:1 --> http://192.168.86.50:8008/ssdp/notfound --skipping http://192.168.86.50:8008/ssdp/notfound because it contains dummy service keywords None None ( http://192.168.86.40:49153/description3.xml ) 0 service(s) found for None WDMyCloudMirror http://192.168.86.30:9000 ( http://192.168.86.30:9000/TMSDeviceDescription.xml ) 3 service(s) found for WDMyCloudMirror urn:schemas-upnp-org:service:ConnectionManager:1 --> http://192.168.86.30:9000/TMSConnectionManager/Event urn:schemas-upnp-org:service:ContentDirectory:1 --> http://192.168.86.30:9000/TMSContentDirectory/Event urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1 --> http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event WDMyCloudMirror http://192.168.86.30:9000 ( http://192.168.86.30:9000/TMSDeviceDescription.xml ) 3 service(s) found for WDMyCloudMirror urn:schemas-upnp-org:service:ConnectionManager:1 --> http://192.168.86.30:9000/TMSConnectionManager/Event urn:schemas-upnp-org:service:ContentDirectory:1 --> http://192.168.86.30:9000/TMSContentDirectory/Event urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1 --> http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event WDMyCloudMirror http://192.168.86.30:9000 ( http://192.168.86.30:9000/TMSDeviceDescription.xml ) 3 service(s) found for WDMyCloudMirror urn:schemas-upnp-org:service:ConnectionManager:1 --> http://192.168.86.30:9000/TMSConnectionManager/Event urn:schemas-upnp-org:service:ContentDirectory:1 --> http://192.168.86.30:9000/TMSContentDirectory/Event urn:microsoft.com:service:X_MS_MediaReceiverRegistrar:1 --> http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event Sensia 200D Connect http://192.168.86.38:59823 ( http://192.168.86.38:59823/93b2abac-cb6a-4857-b891-0019f581ad33.xml ) 7 service(s) found for Sensia 200D Connect urn:schemas-upnp-org:service:ConnectionManager:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSinkConnectionManager urn:schemas-upnp-org:service:AVTransport:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelAVTransport urn:schemas-upnp-org:service:RenderingControl:3 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRenderingControl urn:schemas-pure-com:service:RTSPGateway:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRTSPGateway urn:schemas-pure-com:service:SpeakerManagement:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSpeakerManagement urn:schemas-pure-com:service:NetworkManagement:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelNetworkManagement urn:schemas-pure-com:service:SessionManagement:1 --> http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSessionManagement Total 20 service(s) found. do you want to continue to VERIFY if service(s) are vulnerable? Be careful: This operation needs Internet access and may transfer data about devices over network. Data encrypted on local and we can not see which services are vulnerable but ISPs and other elements may be able to inspect HTTP headers created by UPnP device. Because most of UPnPstack do not allow SSL connection we can not use it. Do you want to continue? y/N y Successfully get session:dh4m4vhcaagqn7ub1fbq8pgcqr Symmetric random key for encryption: b'wPVb8DgO0rptj7USaKnucw-lY4wuhxf1-5vvcHtfZsU=' We do not send this value to server so we can not see which services are vulnerable. All confirmation process is done on client side Calling stranger for http://192.168.86.1:5000/evt/L3F with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diVaRZCPus8M8km7krgF-QGe_zmCb5IB3cOGGcTduaV8ytbufuhOf4OidXJLDGys0LL7mJvOxqHyiK_8ZT83MK-sT_359Gtw5AsKOZLm_A9HSRxdTnEkZRrCDWrflpxIN29&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.1:5000/evt/L3F failed with status code:412 {'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9', 'Ext': ''} Calling stranger for http://192.168.86.1:5000/evt/DP with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diVAhMBKgihTzohD1ykZvq4T0W_fXfTN3lCwWWbm3ytdHSMUx_dQtfCSRDVfPsigOyP6405QVTmLFeEnGFwGnjoff0LXX8VYY30OpWTnE2fA9k=&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.1:5000/evt/DP failed with status code:412 {'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9', 'Ext': ''} Calling stranger for http://192.168.86.1:5000/evt/CmnIfCfg with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diVHBeJuJWR9lT2GqHvGMrzepjwH0GbkyBXrA7ZlYR4c7lZtEiBTQ9Hn6vQxcY9NzUAHtxH9mhJfvxjLSl2jtMRwdf0FwlzbXATXSbmL9_NotZRN2s3KvR-dOonC7Ld6XOg&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.1:5000/evt/CmnIfCfg failed with status code:412 {'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9', 'Ext': ''} Calling stranger for http://192.168.86.1:5000/evt/IPConn with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWmllTEGSYA8bnYXTe8N--L7Gw8IFyha77XfBGaVdcyjREqU0HRyNYUN95_Gwfs2GyCAaxn0-zUFTj7EYLk3-1v_vUrQilLYZbXXjWZa5in1eSFHh2JflcF-2PBeeoF2wn&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.1:5000/evt/IPConn failed with status code:412 {'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'chromiumos/rolling UPnP/1.1 MiniUPnPd/1.9', 'Ext': ''} Calling stranger for http://192.168.86.30:9000/TMSConnectionManager/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWvYATnARw5qWobAhvZ22d_hglqFMaCp-aZnMyP037iYVdj_1Q45ZG0MNoH-wnCDvWCFcILkBZpoYR9OoCffvfIYVvfuh7DuSujk1F9thzONcCvoICfwS6kXs1rgTScIcw6RDRc40i_h-mZlkvLHbvPQ==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSConnectionManager/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e7e1-d500-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSContentDirectory/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWD3ygm0ByP3P3__vb8X34XhSZvilgMEZIW6n8SXQJe0C4m8hVjYCCnSbTryjXjwt6hx8sgO1gjev2fsIN6NxH1sHpx8BxSi72vC5h25j7nqD6nrv2ZOVciiEIA4_ezHHBeEFiZ65g7Kn5ihbPIV67Vg==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSContentDirectory/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e7e8-d700-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWilO4dJ3Ir8x5otxHh-nYnUr5rvEiZh0erMPdXFBYmTDOhE0jSkc8EAL3_SaiRGVjUhxq5xgtAc6HyiAHewK5UhwAlL1tsb0BwJioR2UQEaxWTUmDQn3b9unrm5bGYfijkY3ncM4tIdih1TYIaG9UZg==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e7f1-d900-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSConnectionManager/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWmb8RHNKTgbXCGmwKo4kMFYhTUtrqfyJzCC0LhZd1X__rx9kKd2nalYaokcMG01_1ollfml25-YcqgYRMAoKejVKeaHwotsDdvmdzBIRv8GjRHuzT9XPRCpKMzIlDfhQ3bq2IvDqNRRGBjlfKvwXG-Q==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSConnectionManager/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e7f9-db00-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSContentDirectory/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWoAZCwUd1vGLzgx2BaVWw4HauQGUjk2JGiYtPMyHbh0BnZ3z3X55Hpezwbh44eJ8e-p4nPEfyGGXG18ej-ivHuy67ovxicOekmaqdAVY9lbROU_5lTf5BitGelX1H1kug3sWKYoewpxccfydWL3pFOg==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSContentDirectory/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e801-dd00-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diW_ITVBeCHKVZFTpxn5_wF0CYsR5SSbHMxNpQ1gYueC-Ocvd-CRFlwcZf2SRbAo07k0mVfCv4qJGxanjs_sXuKUYc9TT70pU7cRNZD3GeNVth65hmHfGvVedTRub_D_BFMfr6uRODiWLUf3UAppPnaCw==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e809-df00-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSConnectionManager/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWrYn6gJpH-kP1iBcpAOHT4eD7_x90fwtzFV9CicBXLCJJL0fvz6EU7YnAP3Z0XmUFDlZrZ-qqdZbprELcHKXGqHf5L48EnCo7mti1zPrimCNWAfeiaYcDz69xc9ucA-Usn2mTSfY7LdVMnynP_TtvKQ==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSConnectionManager/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e829-e100-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSContentDirectory/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWz7yuc_Hp1a0He295jTj4Blo4BUSZSdumCf2iuqIFI--Qv5s5Q86zhzxKCE9cXlGW9mbN31AIlVRFH20u_RldsbDVgBzNYCGRd_fBOCDWSii24X4l0IAX9A_JnFgPp0JDKlhY25sSfxDB8iSqeam8cA==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSContentDirectory/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e866-e300-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWxZ6HSE2LpRCYGLqFmoQ6iKNB1o1f0KwoNSujtaFrtLKZ_S9EA09hy6DuSAGFP5xeBIjqlMkZ4SMTJPu2Mu7Mz5MVT_cUhmLJXSCkEcc5jf1hb708gqm_Fheftv2jDJE-VtBjLi5Drj-oXphG7_ttbg==&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event seems successfull {'DATE': 'Sat, 20 Jun 2020 09:36:21 GMT', 'SERVER': 'Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1', 'SID': 'uuid:9469e8a1-e500-10a9-800c-00651080012c', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSinkConnectionManager with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWExxvHHMOnDVWJdJlb1fCAmmpoQNzpMAvs-zbopZqnQf6wD3RwuDfFPCNFo3jt00iwwQcN-_hSVN-2aOiw1z_hTLjXpC44XWsRXd75ACxBnyeYgEmvxiAE2z_3BIETBac54pGlzAloH9MxZqv3S5dv6SdXd2htGMfxWH7HxL7rUEqwuAl6KZOZ5ae94PWVTwg&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSinkConnectionManager seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:42 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:5535e0b2-4c2a-46f7-90cd-33e0afac8098', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelAVTransport with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diWf3ufV6aKom678OMDHd5DLGj_O4EQiEUBM52juEeLz2c1Vf9kgyM9FAnIW5znxpqvR5RXf4jTC7Cq_0uNCm67Kje2n0u5GZBcwONwNBHjr74OrMJiIMGCQJPjMDjHjeyjmzOifDlgjvmuhZ2kwOGo2c6a3rMmVs-Yrr8cTnseKJOHwci9Z83l_95NPaSJRMDc&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelAVTransport seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:43 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:10239936-609e-4a1e-82c7-cdb05641da59', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRenderingControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diXLCGIurf_jyj32n8FbEaoG0RyNwHRD2ovbvfe7dAYuf2WAY1lSCFf5MGEpaZC6svmh12XQTDmrd0XgblRKuljDq1LHFucKmuk273qexlu-KI49L4I3iYHsA_tOEsskOJAFmNPQdvhS3MMCw3C05KLOG6OKr29VDrizCx73PV2P1It2_lo7dG2ii4WsCkh8J10&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRenderingControl seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:43 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:9894aefb-f6bd-4730-b83c-cddef23e3745', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRTSPGateway with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diXO9wrzzEksw0edAOWCPKpy9gmn2ZJhF7vN__GG4HRYfYmmS2ZHVMoEYUJBliYGwovUdQnDH-mn95mj2LQRsLDTHpW2UB2AUXKh0qgjGNTIKi2WHv7T77fN3wDMVTJsThIOuQf39W4bXvBIDU_QuSEMReWFoB5dgEsgNXqj50gklhwdCoqWNqCcRzvSfAzBpY_&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRTSPGateway seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:44 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:17817427-a845-43e2-a94c-dc226ce7e491', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSpeakerManagement with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diXLs7DFXLBECcts0FkQo5iRPN7bqdUKapje4LE2NFasOVNxz-hl5f6Ce3fqhJnLc30nqIVBVetTXPlR6eWYIgBQEA7su6vk5ZL67wUUAWhGMs9aleK4bdpT5is5f8bmF3DxIcUmIy661ZEFAvwvHvK4J7-RtJNXj4H9mQ-5SiGu8KIohjgsj_0MLmVECmdBny8&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSpeakerManagement seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:44 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:85d22eea-3a79-4b06-b86e-27763cf5c2e5', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelNetworkManagement with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diXviftxfocq8wYfjGgNNcYt8ieRglRL_krvUIkM44s30mkFQJ_vvPPTIK-CnE9BLcQdq7PfAWgIOjPTD4ggGLRZCfwM8dXWXKMD5OuD6tJJlTaAc2qMISbU6DDFxnGVzy3EsN7Ozoo62UxwZgFk-zdIxPAl0G-qDOMRwodFCH9K9jo9ezKpUbGUCpnICFZ6Bms&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelNetworkManagement seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:44 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:4809d459-e502-42c1-b761-ca92e503f54b', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Calling stranger for http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSessionManagement with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe7diYf4lT-ZQIf-eW2LBBol3RGthmmbWxAFeBjS85xRFvM2TlPmXdxObxlz65bBt6H6qfB8dxaPTKCu8i9ne9DIYvpTiQZDqxbN9J5RNLK7_KEN1yL19M76Z5iaz8vwO2ARnE_BqSNgABEpp5NXgjPF0dRna4Q3bIo0qj5vsoBIW_WSonQvPTak9M5nKwWMlFSgz2&token=dh4m4vhcaagqn7ub1fbq8pgcqr Subscribe to http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSessionManagement seems successfull {'Date': 'Sat, 20 Jun 2020 10:32:44 GMT', 'Server': 'Linux/3.3.0 UPnP/1.0 GUPnP/0.18.2', 'SID': 'uuid:c4f74838-73a8-4dea-a029-aec1233ddfbc', 'TIMEOUT': 'Second-300', 'Content-Length': '0'} Waiting 5 second for asynchronous requests Successfully get services from server: http://20.42.105.45:80/CallStranger.php?c=getservices&token=dh4m4vhcaagqn7ub1fbq8pgcqr Encrypted vulnerable services: gAAAAABe7diWD3ygm0ByP3P3__vb8X34XhSZvilgMEZIW6n8SXQJe0C4m8hVjYCCnSbTryjXjwt6hx8sgO1gjev2fsIN6NxH1sHpx8BxSi72vC5h25j7nqD6nrv2ZOVciiEIA4_ezHHBeEFiZ65g7Kn5ihbPIV67Vg== gAAAAABe7diWilO4dJ3Ir8x5otxHh-nYnUr5rvEiZh0erMPdXFBYmTDOhE0jSkc8EAL3_SaiRGVjUhxq5xgtAc6HyiAHewK5UhwAlL1tsb0BwJioR2UQEaxWTUmDQn3b9unrm5bGYfijkY3ncM4tIdih1TYIaG9UZg== gAAAAABe7diWvYATnARw5qWobAhvZ22d_hglqFMaCp-aZnMyP037iYVdj_1Q45ZG0MNoH-wnCDvWCFcILkBZpoYR9OoCffvfIYVvfuh7DuSujk1F9thzONcCvoICfwS6kXs1rgTScIcw6RDRc40i_h-mZlkvLHbvPQ== gAAAAABe7diWmb8RHNKTgbXCGmwKo4kMFYhTUtrqfyJzCC0LhZd1X__rx9kKd2nalYaokcMG01_1ollfml25-YcqgYRMAoKejVKeaHwotsDdvmdzBIRv8GjRHuzT9XPRCpKMzIlDfhQ3bq2IvDqNRRGBjlfKvwXG-Q== gAAAAABe7diWoAZCwUd1vGLzgx2BaVWw4HauQGUjk2JGiYtPMyHbh0BnZ3z3X55Hpezwbh44eJ8e-p4nPEfyGGXG18ej-ivHuy67ovxicOekmaqdAVY9lbROU_5lTf5BitGelX1H1kug3sWKYoewpxccfydWL3pFOg== gAAAAABe7diW_ITVBeCHKVZFTpxn5_wF0CYsR5SSbHMxNpQ1gYueC-Ocvd-CRFlwcZf2SRbAo07k0mVfCv4qJGxanjs_sXuKUYc9TT70pU7cRNZD3GeNVth65hmHfGvVedTRub_D_BFMfr6uRODiWLUf3UAppPnaCw== gAAAAABe7diWrYn6gJpH-kP1iBcpAOHT4eD7_x90fwtzFV9CicBXLCJJL0fvz6EU7YnAP3Z0XmUFDlZrZ-qqdZbprELcHKXGqHf5L48EnCo7mti1zPrimCNWAfeiaYcDz69xc9ucA-Usn2mTSfY7LdVMnynP_TtvKQ== gAAAAABe7diWz7yuc_Hp1a0He295jTj4Blo4BUSZSdumCf2iuqIFI--Qv5s5Q86zhzxKCE9cXlGW9mbN31AIlVRFH20u_RldsbDVgBzNYCGRd_fBOCDWSii24X4l0IAX9A_JnFgPp0JDKlhY25sSfxDB8iSqeam8cA== gAAAAABe7diWxZ6HSE2LpRCYGLqFmoQ6iKNB1o1f0KwoNSujtaFrtLKZ_S9EA09hy6DuSAGFP5xeBIjqlMkZ4SMTJPu2Mu7Mz5MVT_cUhmLJXSCkEcc5jf1hb708gqm_Fheftv2jDJE-VtBjLi5Drj-oXphG7_ttbg== gAAAAABe7diWExxvHHMOnDVWJdJlb1fCAmmpoQNzpMAvs-zbopZqnQf6wD3RwuDfFPCNFo3jt00iwwQcN-_hSVN-2aOiw1z_hTLjXpC44XWsRXd75ACxBnyeYgEmvxiAE2z_3BIETBac54pGlzAloH9MxZqv3S5dv6SdXd2htGMfxWH7HxL7rUEqwuAl6KZOZ5ae94PWVTwg gAAAAABe7diWf3ufV6aKom678OMDHd5DLGj_O4EQiEUBM52juEeLz2c1Vf9kgyM9FAnIW5znxpqvR5RXf4jTC7Cq_0uNCm67Kje2n0u5GZBcwONwNBHjr74OrMJiIMGCQJPjMDjHjeyjmzOifDlgjvmuhZ2kwOGo2c6a3rMmVs-Yrr8cTnseKJOHwci9Z83l_95NPaSJRMDc gAAAAABe7diXLCGIurf_jyj32n8FbEaoG0RyNwHRD2ovbvfe7dAYuf2WAY1lSCFf5MGEpaZC6svmh12XQTDmrd0XgblRKuljDq1LHFucKmuk273qexlu-KI49L4I3iYHsA_tOEsskOJAFmNPQdvhS3MMCw3C05KLOG6OKr29VDrizCx73PV2P1It2_lo7dG2ii4WsCkh8J10 gAAAAABe7diXO9wrzzEksw0edAOWCPKpy9gmn2ZJhF7vN__GG4HRYfYmmS2ZHVMoEYUJBliYGwovUdQnDH-mn95mj2LQRsLDTHpW2UB2AUXKh0qgjGNTIKi2WHv7T77fN3wDMVTJsThIOuQf39W4bXvBIDU_QuSEMReWFoB5dgEsgNXqj50gklhwdCoqWNqCcRzvSfAzBpY_ gAAAAABe7diXLs7DFXLBECcts0FkQo5iRPN7bqdUKapje4LE2NFasOVNxz-hl5f6Ce3fqhJnLc30nqIVBVetTXPlR6eWYIgBQEA7su6vk5ZL67wUUAWhGMs9aleK4bdpT5is5f8bmF3DxIcUmIy661ZEFAvwvHvK4J7-RtJNXj4H9mQ-5SiGu8KIohjgsj_0MLmVECmdBny8 gAAAAABe7diXviftxfocq8wYfjGgNNcYt8ieRglRL_krvUIkM44s30mkFQJ_vvPPTIK-CnE9BLcQdq7PfAWgIOjPTD4ggGLRZCfwM8dXWXKMD5OuD6tJJlTaAc2qMISbU6DDFxnGVzy3EsN7Ozoo62UxwZgFk-zdIxPAl0G-qDOMRwodFCH9K9jo9ezKpUbGUCpnICFZ6Bms gAAAAABe7diYf4lT-ZQIf-eW2LBBol3RGthmmbWxAFeBjS85xRFvM2TlPmXdxObxlz65bBt6H6qfB8dxaPTKCu8i9ne9DIYvpTiQZDqxbN9J5RNLK7_KEN1yL19M76Z5iaz8vwO2ARnE_BqSNgABEpp5NXgjPF0dRna4Q3bIo0qj5vsoBIW_WSonQvPTak9M5nKwWMlFSgz2 Decyripting vulnerable services with key: b'wPVb8DgO0rptj7USaKnucw-lY4wuhxf1-5vvcHtfZsU=' Verified vulnerable services: 1: http://192.168.86.30:9000/TMSContentDirectory/Event 2: http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event 3: http://192.168.86.30:9000/TMSConnectionManager/Event 4: http://192.168.86.30:9000/TMSConnectionManager/Event 5: http://192.168.86.30:9000/TMSContentDirectory/Event 6: http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event 7: http://192.168.86.30:9000/TMSConnectionManager/Event 8: http://192.168.86.30:9000/TMSContentDirectory/Event 9: http://192.168.86.30:9000/TMSMediaReceiverRegistrar/Event 10: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSinkConnectionManager 11: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelAVTransport 12: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRenderingControl 13: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelRTSPGateway 14: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSpeakerManagement 15: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelNetworkManagement 16: http://192.168.86.38:59823/Event/org.mpris.MediaPlayer2.mansion/RygelSessionManagement Unverified services: 1: http://192.168.86.1:5000/evt/L3F 2: http://192.168.86.1:5000/evt/DP 3: http://192.168.86.1:5000/evt/CmnIfCfg 4: http://192.168.86.1:5000/evt/IPConn