The Universal Plug and Play (UPnP) Fuzzer
UPnPFuzz
UPnPFuzz is a specialized fuzzing tool designed for testing and discovering vulnerabilities within devices and software that implement the Universal Plug and Play (UPnP) protocol.
Community
Join the community on the Embedded Exploitation Discord.
Installation
Install from PyPI
pip install upnpfuzz
Local Dev
git clone https://github.com/threat9/upnpfuzz
cd upnpfuzz
python -m venv venv
source venv/bin/activate
pip install -r requirements-dev.txt
python setup.py install
Usage
Discover UPnP devices
> upnpfuzz --discover
upnpfuzz (v1.0.0) by threat9
[*] Using network timeout for discovery: 5
[*] Discovering UPnP devices...
[+] 192.168.2.1:1900 - http://192.168.2.1:8000/ssdp/desc-DSM-lbr0.xml - Synology/DSM/192.168.2.1
[+] 192.168.2.1:1900 - http://169.254.70.46:8000/ssdp/desc-DSM-eth0.xml - Synology/DSM/169.254.70.46
[+] 192.168.2.1:1900 - http://:8000/ssdp/desc-DSM-bwlan1.xml - Synology/DSM/
[+] 192.168.2.1:1900 - http://:8000/ssdp/desc-DSM-bwlan0.xml - Synology/DSM/
[+] 192.168.2.1:1900 - http://192.168.2.1:46560/rootDesc.xml - Synology DSM UPnP/1.1 MiniUPnPd/2.
Discover UPnP devices using custom network timeout
> upnpfuzz --discover --network-timeout 10
upnpfuzz (v1.0.0) by threat9
[*] Using network timeout for discovery: 10.0
[*] Discovering UPnP devices...
[+] 192.168.2.1:1900 - http://192.168.2.1:8000/ssdp/desc-DSM-lbr0.xml - Synology/DSM/192.168.2.1
[+] 192.168.2.1:1900 - http://169.254.70.46:8000/ssdp/desc-DSM-eth0.xml - Synology/DSM/169.254.70.46
[+] 192.168.2.1:1900 - http://:8000/ssdp/desc-DSM-bwlan1.xml - Synology/DSM/
[+] 192.168.2.1:1900 - http://:8000/ssdp/desc-DSM-bwlan0.xml - Synology/DSM/
[+] 192.168.2.1:1900 - http://192.168.2.1:46560/rootDesc.xml - Synology DSM UPnP/1.1 MiniUPnPd/2.0
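The discovery output above lists description URLs with an empty host or a link-local address, so each URL is worth checking before it is passed to --soap or --esp. The following is an added example, not upnpfuzz's own code: it parses SSDP responses and classifies the LOCATION header against the address that answered, assuming the URL column above is the LOCATION header and the last column is SERVER. The sample responses and the names `parse_ssdp_response`, `location_issue` and `audit` are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_ssdp_response(data: bytes) -> dict:
    """Return lower-cased headers of one SSDP response, or {} if it is not HTTP 200."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_issue(responder_ip: str, headers: dict) -> str:
    """Classify the LOCATION header relative to the address that answered."""
    host = urlsplit(headers.get("location", "")).hostname
    if not host:
        return "no-host"          # e.g. http://:8000/... cannot be fetched as-is
    if host != responder_ip:
        return "host-mismatch"    # description served from another address
    return "ok"


def _resp(location: str, server: str) -> bytes:
    """Build a constructed sample response (not captured traffic)."""
    return (f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
            f"LOCATION: {location}\r\nSERVER: {server}\r\n\r\n").encode()


# Constructed samples modelled on the discovery output shown above.
SAMPLES = [
    ("192.168.2.1", _resp("http://192.168.2.1:8000/ssdp/desc-DSM-lbr0.xml", "Synology/DSM/192.168.2.1")),
    ("192.168.2.1", _resp("http://169.254.70.46:8000/ssdp/desc-DSM-eth0.xml", "Synology/DSM/169.254.70.46")),
    ("192.168.2.1", _resp("http://:8000/ssdp/desc-DSM-bwlan1.xml", "Synology/DSM/")),
    ("192.168.2.1", b"HTTP/1.1 404 Not Found\r\n\r\n"),  # non-200 replies are skipped
]


def audit(samples):
    """Return (location, issue) for every valid response in samples."""
    results = []
    for responder_ip, raw in samples:
        headers = parse_ssdp_response(raw)
        if headers:
            results.append((headers.get("location", ""), location_issue(responder_ip, headers)))
    return results


if __name__ == "__main__":
    for location, issue in audit(SAMPLES):
        print(f"{issue:14} {location}")
```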
Targeting SSDP - Simple Service Discovery Protocol
Specify the target address with the --ssdp parameter.
upnpfuzz --ssdp 192.168.2.1:1900 --raw
Targeting SOAP - UPnP Control Messaging
Specify the target address with the --soap parameter.
upnpfuzz --soap http://192.168.2.1:46560/rootDesc.xml --raw
Targeting ESP - Event Subscription
Specify the target address with the --esp parameter.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --raw
Generating requests without fuzzing
upnpfuzz --ssdp 192.168.2.1:1900 --raw
Fuzzing for command injections
upnpfuzz --ssdp 192.168.2.1:1900 --injection
Fuzzing for overflows
upnpfuzz --ssdp 192.168.2.1:1900 --overflow
Fuzzing using radamsa
upnpfuzz --ssdp 192.168.2.1:1900 --radamsa
Fuzzing using random strategy (injection/overflow/radamsa)
upnpfuzz --ssdp 192.168.2.1:1900 --fuzz
Additional Parameters
Use the --delay parameter to specify the number of seconds to wait after sending each request.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --fuzz --delay 1
Use the --alive-url parameter to specify a URL that is checked after every request to verify that the target is still alive.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --fuzz --alive-url http://192.168.2.1:46560/rootDesc.xml
Use the --crash-dir parameter to specify the directory where crashes are saved.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --fuzz --alive-url http://192.168.2.1:46560/rootDesc.xml --crash-dir /tmp/crashes/
Use the --restart-cmd parameter to specify the command (or script) that is executed to restart the target once it has crashed.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --fuzz --alive-url http://192.168.2.1:46560/rootDesc.xml --restart-cmd /tmp/restart_target.sh
Use the --radamsa-path parameter to specify the path to the radamsa binary.
upnpfuzz --esp http://192.168.2.1:46560/rootDesc.xml --fuzz --radamsa-path /Users/user/git/radamsa/bin/radamsa
File details
Details for the file upnpfuzz-1.0.6-py3-none-any.whl.
File metadata
- Download URL: upnpfuzz-1.0.6-py3-none-any.whl
- Upload date:
- Size: 26.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a98ff9978db946c859eb4b4d59340bfbf6815af439b2d0e0c78d64c6b625e330 |
| MD5 | ae39fb5641dd1a5364df48d428155291 |
| BLAKE2b-256 | 0a97973239e8a82dc6c85376d057582304914fd7aa0c3589076c10b7da3432f6 |