urllib.error.HTTPError: HTTP Error 404: Not Found

[JSylvia007]

Sometimes it finds more hosts, but mostly it just fails with the below stacktrace.

Ubuntu 18.04 w/ Python3 VENV, Python v3.6.9

Traceback (most recent call last):
  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "/opt/callstranger/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "/opt/callstranger/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "/opt/callstranger/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "/opt/callstranger/upnpy/ssdp/SSDPDevice.py", line 82, in __init__
    self._get_description_request(utils.parse_http_header(response, 'Location'))
  File "/opt/callstranger/upnpy/ssdp/SSDPDevice.py", line 115, in _get_description_request
    device_description = utils.make_http_request(url).read()
  File "/opt/callstranger/upnpy/utils.py", line 80, in make_http_request
    return urllib.request.urlopen(request)
  File "/usr/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/usr/lib/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found

[JSylvia007]

So I spun up an Ubuntu 20.04 VM and that has Python 3.8.2, and I still get the same error.

[ZPrimed]

I am getting a similar error (slightly different line numbers in some of the library stuff, probably owing to python 3.7 vs. 3.6?) when running against python 3.7.7 on macOS. I git cloned the repo directly from here... My python3 is from homebrew.

  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "[redacted]/CallStranger/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPDevice.py", line 82, in __init__
    self._get_description_request(utils.parse_http_header(response, 'Location'))
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPDevice.py", line 115, in _get_description_request
    device_description = utils.make_http_request(url).read()
  File "[redacted]/CallStranger/upnpy/utils.py", line 80, in make_http_request
    return urllib.request.urlopen(request)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 641, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404:

[yunuscadirci]

I updated UPnP stack to handle exceptions. can you retry?

[ZPrimed]

Some improvement but a different failure for me now.

!Error: http://192.168.42.4:8080/upnp failed
Traceback (most recent call last):
  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "[redacted]/CallStranger/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPDevice.py", line 81, in __init__
    self._get_description_request(utils.parse_http_header(response, 'Location'))
  File "[redacted]/CallStranger/upnpy/ssdp/SSDPDevice.py", line 114, in _get_description_request
    device_description = utils.make_http_request(url).read()
AttributeError: 'NoneType' object has no attribute 'read'

For the record, I do have a UPnP "gateway" device, but it is pfSense running miniupnpd (and I'm not sure if that fully complies to the official UPnP spec, don't even know if it has an SSDP endpoint).

The device it appears to have died on here (192.168.42.4) is not my gateway/router, it's a Synology NAS (not even sure if that has a UPnP daemon in it... if it does, it would just be a multimedia device endpoint for video discovery, that kind of thing - not a router)

[yunuscadirci]

I think location header is empty. I broaded the catch. can you try again?

[ZPrimed]

I just re-pulled, no change, exact same error as before.

[JSylvia007]

Just did a pull... Still have an error with 18.04 (Python v. 3.6.9)

\_   ___ \_____  |  | |  |  /   _____//  |_____________    ____    ____   ___________
/    \  \/\__  \ |  | |  |  \_____  \   __\_  __ \__  \  /    \  / ___\_/ __ \_  __ \
\     \____/ __ \|  |_|  |__/        \|  |  |  | \// __ \|   |  \/ /_/  >  ___/|  | \/
 \______  (____  /____/____/_______  /|__|  |__|  (____  /___|  /\___  / \___  >__|
        \/     \/                  \/                  \/     \//_____/      \/
This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:
* Bypassing DLP for exfiltrating data
* Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
* Scanning internal ports from Internet facing UPnP devices
You can find detailed information on https://www.callstranger.com  https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication
Stranger Host: http://20.42.105.45
Stranger Port: 80
!Error in service definition http://10.1.2.182:3391 urn:schemas-microsoft-com:service:NULL:1
!Error in service definition http://10.1.2.183:3391 urn:schemas-microsoft-com:service:NULL:1
!Error: http://10.1.2.186:3391/XD/DeviceDescription.xml failed
Traceback (most recent call last):
  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "/opt/callstranger/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "/opt/callstranger/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "/opt/callstranger/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "/opt/callstranger/upnpy/ssdp/SSDPDevice.py", line 81, in __init__
    self._get_description_request(utils.parse_http_header(response, 'Location'))
  File "/opt/callstranger/upnpy/ssdp/SSDPDevice.py", line 114, in _get_description_request
    device_description = utils.make_http_request(url).read()
AttributeError: 'NoneType' object has no attribute 'read'

Getting an error with 20.04 (Python v. 3.8.3)

\_   ___ \_____  |  | |  |  /   _____//  |_____________    ____    ____   ___________
/    \  \/\__  \ |  | |  |  \_____  \   __\_  __ \__  \  /    \  / ___\_/ __ \_  __ \
\     \____/ __ \|  |_|  |__/        \|  |  |  | \// __ \|   |  \/ /_/  >  ___/|  | \/
 \______  (____  /____/____/_______  /|__|  |__|  (____  /___|  /\___  / \___  >__|
        \/     \/                  \/                  \/     \//_____/      \/
This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:
* Bypassing DLP for exfiltrating data
* Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
* Scanning internal ports from Internet facing UPnP devices
You can find detailed information on https://www.callstranger.com  https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication
Stranger Host: http://20.42.105.45
Stranger Port: 80
Traceback (most recent call last):
  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "/opt/callstranger/callstranger/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "/opt/callstranger/callstranger/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "/opt/callstranger/callstranger/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "/opt/callstranger/callstranger/upnpy/ssdp/SSDPDevice.py", line 82, in __init__
    self._get_friendly_name_request()
  File "/opt/callstranger/callstranger/upnpy/ssdp/SSDPDevice.py", line 21, in wrapper
    return func(device, *args, **kwargs)
  File "/opt/callstranger/callstranger/upnpy/ssdp/SSDPDevice.py", line 120, in _get_friendly_name_request
    root = minidom.parseString(self.description)
  File "/usr/lib/python3.8/xml/dom/minidom.py", line 1969, in parseString
    return expatbuilder.parseString(string)
  File "/usr/lib/python3.8/xml/dom/expatbuilder.py", line 925, in parseString
    return builder.parseString(string)
  File "/usr/lib/python3.8/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 1, column 6

[ZPrimed]

it almost feels like Yunus is debugging poor UPnP implementations in consumer devices at this point (e.g. streaming media sources / etc, like my Synology NAS)... @JSylvia007 I'm guessing that none of the IPs you're seeing it choke on are your actual router / WAN device?

[JSylvia007]

it almost feels like Yunus is debugging poor UPnP implementations in consumer devices at this point (e.g. streaming media sources / etc, like my Synology NAS)... @JSylvia007 I'm guessing that none of the IPs you're seeing it choke on are your actual router / WAN device?

That could very well be. I haven't seen it make it to my router yet. It always crashes before that.

[dffvb]

I get the same error. Also too, the amount of devices being found on startup varies. 3 to 14 everything there...

[yunuscadirci]

Hi there are too many devices. I broaded exception handling. can you try again?

[ZPrimed]

Hi there are too many devices. I broaded exception handling. can you try again?

Much improved, seems to have run to completion, but still some errors and definitely isn't showing everything it found. Here's full output:

Stranger Host: http://20.42.105.45
Stranger Port: 80
!Error: http://192.168.42.4:8080/upnp failed
!Error in device description request http://192.168.42.4:8080/upnp
!Error in  ('192.168.42.4', 1900)
!Error in  ('192.168.42.101', 60500)
13  devices found:

 [Synology-hostname] (DS412+) http://192.168.42.4:5000 ( http://192.168.42.4:5000/ssdp/desc-DSM-bond0.xml )

  1 service(s) found for [Synology-hostname] (DS412+)
     urn:schemas-dummy-com:service:Dummy:1 	--> http://192.168.42.4:5000/dummy
     --skipping  http://192.168.42.4:5000/dummy because it contains dummy service keywords

 None None ( http://192.168.42.4:8080/upnp )
Traceback (most recent call last):
  File "CallStranger.py", line 120, in <module>
    print(colored('\n  ' +str(len(tmpservices)) + ' service(s) found for '+device.friendly_name,'yellow'))
TypeError: can only concatenate str (not "NoneType") to str
[end of output here, no other devices listed]

[yunuscadirci]

Can you try again? there are too many exception point. I don't know why upnp stacks are not handling this exceptions!!

[ZPrimed]

Full completion! I did not run the test / verify if services are vulnerable but going to try that next. Here's the full output (I edited some hostnames / device names again, in square brackets):

Stranger Host: http://20.42.105.45
Stranger Port: 80
!Error: http://192.168.42.4:8080/upnp failed
!Error in device description request http://192.168.42.4:8080/upnp
!Error in  ('192.168.42.4', 1900)
!Error in  ('192.168.42.101', 37986)
13  devices found:

 [Syno-NAS] (DS412+) http://192.168.42.4:5000 ( http://192.168.42.4:5000/ssdp/desc-DSM-bond0.xml )

  1 service(s) found for [Syno-NAS] (DS412+)
     urn:schemas-dummy-com:service:Dummy:1 	--> http://192.168.42.4:5000/dummy
     --skipping  http://192.168.42.4:5000/dummy because it contains dummy service keywords

 None None ( http://192.168.42.4:8080/upnp )

  0 service(s) found for None

 [Syno-NAS] http://192.168.42.4:50001 ( http://192.168.42.4:50001/desc/device.xml )

  2 service(s) found for [Syno-NAS]
     urn:schemas-upnp-org:service:ConnectionManager:1 	--> http://192.168.42.4:50001/ConnectionManager/event
     urn:schemas-upnp-org:service:ContentDirectory:1 	--> http://192.168.42.4:50001/ContentDirectory/event

 [Denon AV Receiver 1] http://192.168.42.129:60006 ( http://192.168.42.129:60006/upnp/desc/aios_device/aios_device.xml )

  8 service(s) found for [Denon AV Receiver 1]
     urn:schemas-upnp-org:service:AVTransport:1 	--> http://192.168.42.129:60006/upnp/event/renderer_dvc/AVTransport
     urn:schemas-upnp-org:service:ConnectionManager:1 	--> http://192.168.42.129:60006/upnp/event/renderer_dvc/ConnectionManager
     urn:schemas-upnp-org:service:RenderingControl:1 	--> http://192.168.42.129:60006/upnp/event/renderer_dvc/RenderingControl
     urn:schemas-denon-com:service:ErrorHandler:1 	--> http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ErrorHandler
     urn:schemas-denon-com:service:ZoneControl:2 	--> http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ZoneControl
     urn:schemas-denon-com:service:GroupControl:1 	--> http://192.168.42.129:60006/upnp/event/AiosServicesDvc/GroupControl
     urn:schemas-denon-com:service:ACT:1 	--> http://192.168.42.129:60006/ACT/event
     urn:schemas-upnp-org:service:ContentDirectory:1 	--> http://192.168.42.129:60006/upnp/event/ams_dvc/ContentDirectory

 FreeBSD router [pfSense] http://192.168.42.1:2189 ( http://192.168.42.1:2189/rootDesc.xml )

  3 service(s) found for FreeBSD router [pfSense]
     urn:schemas-upnp-org:service:Layer3Forwarding:1 	--> http://192.168.42.1:2189/evt/L3F
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1 	--> http://192.168.42.1:2189/evt/CmnIfCfg
     urn:schemas-upnp-org:service:WANIPConnection:1 	--> http://192.168.42.1:2189/evt/IPConn

 None None ( http://192.168.42.101:9080 )

  0 service(s) found for None

 Phillips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 Philips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 Philips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 Philips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 Philips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 Philips hue bridge (192.168.42.10) http://192.168.42.10:80 ( http://192.168.42.10:80/description.xml )

  0 service(s) found for Philips hue bridge (192.168.42.10)

 LR Denon AVR-X3200W http://192.168.42.105:8080 ( http://192.168.42.105:8080/description.xml )

  3 service(s) found for LR Denon AVR-X3200W
     urn:schemas-upnp-org:service:RenderingControl:1 	--> http://192.168.42.105:8080/RenderingControl/evt
     urn:schemas-upnp-org:service:ConnectionManager:1 	--> http://192.168.42.105:8080/ConnectionManager/evt
     urn:schemas-upnp-org:service:AVTransport:1 	--> http://192.168.42.105:8080/AVTransport/evt

 Total 16 service(s) found. do you want to continue to VERIFY if service(s) are vulnerable?
Be careful: This operation needs Internet access and may transfer data about devices over network. Data encrypted on local and we can not see which services are vulnerable but ISPs and other elements may be able to inspect HTTP headers created by UPnP device. Because most of UPnPstack do not allow SSL connection we can not use it.
Do you want to continue? y/N n

	Visit https://www.CallStranger.com for updates

I am not sure why the Philips hue bridge showed up so many times... if it was finding different ports or something that might make sense, but it seems to just be showing the same endpoint over and over? Kind of strange.

[ZPrimed]

Running the online verify also worked.

Seems like two of the endpoints on the Synology NAS are vulnerable. The 8 on the "Denon AV Receiver 1" (I can't remember the model number off-hand) are all vulnerable as well.

The 3 services on the Denon X3200W are "unverified", as are the 3 endpoints on the pfSense router/gateway.

[yunuscadirci]

Hi
It is good to see It worked. Can I add these devices to vulnerable list on website?
Thanks

[ZPrimed]

Sure, the confirmed vulnerable AVR for me is a Denon X3500H. The X3200W is showing "unverified," so I guess that one may not be?

The Synology vulnerability should impact (at least) any Intel-based Synology NAS (mine is running the latest available OS for the DS412+ which I believe is also used on a bunch of newer units).

But neither of these are gateway devices at least... and it's good to see that miniupnpd on pfSense (which is a gateway) seems safe.

You may want to leave this open until others who were having problems get a chance to test, just because it worked for me may not mean their errors are all resolved.

[yunuscadirci]

Can you share vulnerable services' server header. It may contain detailed device info like version
Calling stranger for http://192.168.1.40:2870/ConnectionManager/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe3eWNJJsfohjZJRLZdiBF4Kvt1amVenr9a1Zi3oHhu_Xfomk_li6uJ9l0OeR6YVh2d6qbCF-t1uAmMVJfs5Tu7FWiNg15UXhyF8ubI_YZxtXTC4zpxHt7r2MdISJ8WwOFQ_J-f6E5yV6Bv8c4A1BBqfuD2Q==&token=nae9lqq3keg79l3qei9ahohvqe
Subscribe to http://192.168.1.40:2870/ConnectionManager/event seems successfull
{'Date': 'Mon, 08 Jun 2020 07:15:24 GMT', 'Server': 'NFLC/3.0 UPnP/1.0 DLNADOC/1.50', 'SID': 'uuid:13ec9fee-035e-1090-8000-bc52a0dfdacc', 'Timeout': 'Second-300', 'Content-Length': '0', 'Connection': 'Keep-Alive'}

[ZPrimed]

Sure, here is the header info from the items listed as vulnerable:

Calling stranger for  http://192.168.42.4:50001/ConnectionManager/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX76Zt6dMhNTm3skCOp8PuWH5UB9pw9MqOSBf3Dp35LfEOQPDjpHd3Wd2BstMk8X5TWDJGFdqPwtxnjvi0atYZPl5uGrS0UsPPIH1tfsBDNZSEKHeneRv-_RoQ1LeZHlRy-eDLqpmWGTbkmV8Lfb2LYA==&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.4:50001/ConnectionManager/event seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'Linux/3.10.105, UPnP/1.0, Portable SDK for UPnP devices/1.6.21', 'CONTENT-LENGTH': '0', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33aef01e-ac94-11ea-9926-8f4143d4cc15', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.4:50001/ContentDirectory/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXPCdcP5kAmv1oWormBkbm_XsTyAAP2a7ySEDF2mMc09j3QvgIjegbrYODsoM3q9c2Hv2NFn7OmNjUn4OMx5Q86iTiDpEjTs1wV0LXwYVCqQ4XvmPo0REKIzCGB6OuBICcesj7soi_fQAm9ZPe01apuw==&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.4:50001/ContentDirectory/event seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'Linux/3.10.105, UPnP/1.0, Portable SDK for UPnP devices/1.6.21', 'CONTENT-LENGTH': '0', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33b05bde-ac94-11ea-9926-8f4143d4cc15', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/renderer_dvc/AVTransport with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX7u8WfqNra-YXfJUKah2Efk5m8sXEn1t3zdmoov_bBYkgh8S6niYW6Q2YvQA14-KgwSLMHyP5rxEtwLm3MWOAQDA0jg702a67ZB85Z4dqFEz5tDZF8ULSVsdgkL5eZA1qBbozEE7rnLqYbXIJ6Xq_uQ==&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/renderer_dvc/AVTransport seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33b65502-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/renderer_dvc/ConnectionManager with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX4nlE9LB1PpmqufRe4KfS3g_NCpFDeFsB_9xHC58SeILODdluLhFBkRicYQpC-rzAuStMw3XHet_hSCqMYVKsqPEBJxrJG1_kIVv3yO2kYh--K0Ne9yHx_gMQwjX4pz0ky2D8cikG8lqSdenQ9deHmsmsRYDErrKrMQnhc8HcfDU=&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/renderer_dvc/ConnectionManager seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33b7ec82-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/renderer_dvc/RenderingControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX1NkEOmkOIK4AFGpUc2d28FowGl9lC7iKRky8xERWjN1jeAsxIMl_hGjMV2xjWeJ1EvMChRyPMDxDcV6zZow97fGgMs9z8-d-UV4MXrzniE4XuzOV4jHSbrZ7vTZWHLNP66kVySDE17U9rg-Ze4bRgcAx8XS9HX50zhLe9ZmoVTQ=&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/renderer_dvc/RenderingControl seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33b9423a-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ErrorHandler with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXA5NDr8hhQFLE4tEAhHuax_Mu1R_6m7FJ1gz8y6eBpcEtheGsYCjRizsAF1P3ui0WAux50JnyjDuu4ZIFpk0MoFtGSgOHffZlDDTDon0VApruE4n3NA8riCxhHexB7Uqb9FgVhlaIdt9gAAAd0-tZPJ_eaUdpDen7-u1xrLUbOm0=&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ErrorHandler seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33ba9716-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ZoneControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXPOk6jkyaoU-HWphugAUHTQSXpS3wNJsrF4g3b38Bb2S6DUf4_jjFjQBXdNKZWhdgVTbJHuJ0FZ8J2BzxzVbiukjfEgzTDca3nE3imZOOW1EBuiCAxsN7QF-PPe1OfRt6wvemwGeIJtagt3JXp4EdcMw33-ogqFdewnYqAoc0Tt8=&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ZoneControl seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33bbe0a8-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/AiosServicesDvc/GroupControl with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX57toHVPKQgORyYgu3wW88NUKrjHBylYK9VDroj72nv5GgaTIeLnm18_YpkJD0FYi1M5lZNdXN9er7Xnd7BYBMz9VANfHOxZuynLtHuH6-sQZy58mIc3-PGtunVO4kLI6zbp1u6AhCn80xi1J423DC9ERDG3PETjMUOyYQzThMwY=&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/AiosServicesDvc/GroupControl seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33bd0686-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/ACT/event with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXXlwp3px2pbxU5zpinAKZr4ouLOMkfIeGq9Hb1vp949lFtjuyjBSrc6x_ljWTSrcSHqehb81p0ZKg5V_ZuTPHiSn1gT-Puh37RAa_B8WsxfaZmx710ksiKt6gNgxtH5mp&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/ACT/event seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33be309c-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

Calling stranger for  http://192.168.42.129:60006/upnp/event/ams_dvc/ContentDirectory with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXujhT1Hje0PDdetukMTqBkV2Fn6oyIzE2Wo6R7WJC7pKZqqtuGVGs84fjnGcN85HdQGkrMedP4C7QovIWSk9xYu2ldZf2jpLTO6cx_05ZUqVBIXXCPounSJrp6Jg_L7gHuEr8D9vDZRd3Eln7_x4NTw==&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.129:60006/upnp/event/ams_dvc/ContentDirectory seems successfull
{'DATE': 'Fri, 12 Jun 2020 10:05:11 GMT', 'SERVER': 'LINUX UPnP/1.0 Denon-Heos/155415', 'CONTENT-LENGTH': '0', 'Accept-Ranges': 'bytes', 'X-User-Agent': 'redsonic', 'SID': 'uuid:33c0035e-ac94-11ea-84af-ee83ccf0c0e6', 'TIMEOUT': 'Second-300'}

And here are the ones with failure codes (and they match the "unverified" list):

Calling stranger for  http://192.168.42.1:2189/evt/L3F with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXx_WWv0yiDqoHub1OCosFHwPHM-Nw3up3cbFtq5CBY-URTpEUmLYBJb_PjOSwj9o2d8zTGX9LJaBtXZlZ-as87sizMMfX763iDgsoOmajtI95W_mNU_Yhityy4IBNbr3h&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.1:2189/evt/L3F failed with status code:412
{'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'FreeBSD/11.3-STABLE UPnP/1.1 MiniUPnPd/2.1', 'Ext': ''}

Calling stranger for  http://192.168.42.1:2189/evt/CmnIfCfg with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXiHeVFXKM-BOm8nLVD9ILlMKAWyilP1RSzHAbN7yOEfoBpngyC7nsyP5ZlYhRM0RXxs-K4euTXA1qLb4AxBwGjhKIM2tgH_eJfnw057G_qMsMKCzbbC9ZHulgZJ53uul0&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.1:2189/evt/CmnIfCfg failed with status code:412
{'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'FreeBSD/11.3-STABLE UPnP/1.1 MiniUPnPd/2.1', 'Ext': ''}

Calling stranger for  http://192.168.42.1:2189/evt/IPConn with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXsIvlqtYmbzZxdvuOGS9InstcJxW3KW8sYFlvRFiEYRF0Dq1eCYjPpPUJ8NHJF1yBzKfAMP4OYv8jVm83yhXKwgCIE4P5b2qO2hgQ7LVwIFf_vOxGVdvKuQyD8yQZx1iF&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.1:2189/evt/IPConn failed with status code:412
{'Content-Type': 'text/xml; charset="utf-8"', 'Connection': 'close', 'Content-Length': '0', 'Server': 'FreeBSD/11.3-STABLE UPnP/1.1 MiniUPnPd/2.1', 'Ext': ''}

Calling stranger for  http://192.168.42.105:8080/RenderingControl/evt with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NX-N-Kby312j_O7cjk4msMMT5YR8FWHXsbnp0wavX9Xu9gYCyxkt71T48fQHtvClRUcBgzecbQwN-LUAHK6Cf1B4jBl4vXjGFb8kGpiwzINaFnZ5EeVufBmgGp7rCr7mIr&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.105:8080/RenderingControl/evt failed with status code:503
{'CONTENT-LENGTH': '0'}

Calling stranger for  http://192.168.42.105:8080/ConnectionManager/evt with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXGFu6aHLePUL5vD9xTzS0VD7VrHDKO3_LlpwuiIgpfLJuWbtQ_Y6Hl1CUrNKEhp_8QbdDWcUZEkOSQZgiBxKJA3FRQ8CM-RK_WOlN-biq_5Dq-f3zzGfrVQmCyJ6goki92V3pAjUkHoRVHbMkiGPFcw==&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.105:8080/ConnectionManager/evt failed with status code:412
{'CONTENT-LENGTH': '0'}

Calling stranger for  http://192.168.42.105:8080/AVTransport/evt with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe41NXcJga8ix8jCe5KlDfltkT8pgzL0ZOmPMYQqqn9K0IgRdvljUtObKI4gyomowWmJlbKjGhtsy4W0uSMQhwvCbsPixB5zVEIKzr4Qm8gGy-neIzGag-en8uux15CM_J8r9h&token=ttnktosuikmur5smrlbdtavs4h
Subscribe to http://192.168.42.105:8080/AVTransport/evt failed with status code:503
{'CONTENT-LENGTH': '0'}

Final output was:

Verified vulnerable services:
1:	http://192.168.42.4:50001/ConnectionManager/event
2:	http://192.168.42.4:50001/ContentDirectory/event
3:	http://192.168.42.129:60006/upnp/event/renderer_dvc/AVTransport
4:	http://192.168.42.129:60006/upnp/event/renderer_dvc/ConnectionManager
5:	http://192.168.42.129:60006/upnp/event/renderer_dvc/RenderingControl
6:	http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ErrorHandler
7:	http://192.168.42.129:60006/upnp/event/AiosServicesDvc/ZoneControl
8:	http://192.168.42.129:60006/upnp/event/AiosServicesDvc/GroupControl
9:	http://192.168.42.129:60006/upnp/event/ams_dvc/ContentDirectory
10:	http://192.168.42.129:60006/ACT/event

Unverified  services:
1:	http://192.168.42.1:2189/evt/L3F
2:	http://192.168.42.1:2189/evt/CmnIfCfg
3:	http://192.168.42.1:2189/evt/IPConn
4:	http://192.168.42.105:8080/RenderingControl/evt
5:	http://192.168.42.105:8080/ConnectionManager/evt
6:	http://192.168.42.105:8080/AVTransport/evt

More than a little ironic that stuff running Linux internally has the problem, while I see no Microsoft devices on the list. I have two XBox OneXs in the house, but both were powered off during my tests... I also have a couple Windows laptops, those were both on but probably in sleep mode at the time.

[yunuscadirci]

Thanks. Added

[dffvb]

So the outcome is now stable with 7 upnp devices, however I still get the 404