Snort mailing list archives
UPnP transaction: ASCII decode
From: John Sage <jsage () finchhaven com>
Date: Thu, 27 Dec 2001 01:25:40 -0800
Here is a rough cut of a UPnP transaction, run through a right-cool little proggie, tcpflow (See: http://freshmeat.net/projects/tcpflow/) that will strip out and present the ASCII contents of tcp/ip packets.
The original dump came from Matt Scarborough; here's his narrative as to what's going on:
"192.168.1.90 is the WinME box with UPnP client installed. 192.168.1.80 is a Win2K box with IIS. I started the capture (Ethereal) on the Win2K box, and then booted up the WinME box. So you see the WinME box coming online and sending the three UDP M-SEARCH packets to the broadcast address. Nothing responds. Then I fire up a Sample Device. This is a piece of software that comes from the MS UPnP Developer's Kit. Essentially we'll use it to emulate some piece of hardware that has just been connected to the network. Sample Device sends NOTIFY packets. It sends several because we know UDP is unreliable. Inside the NOTIFY packets we see the URL of the IIS server (same Win2K box.) IIS simulates a mini-webserver inside Sample Device. We could stop right here, in terms of exploit, because as you'll see in a moment the WinME box responds by requesting the URL at the Sample Device
http://192.168.1.80/upnp-emulator/description/x10light-desc.xml
The XML tells the WinME, "I am a sample device, this is how you use me, blah blah, blah.""
Here's the tcpflow output from "tcpflow -vvv -r upnpsamp.dmp > unpnsamp_tcpf.txt" -- it doesn't *quite* match Matt's narrative because tcpflow ignores those packets with no ASCII content.. ("192.168.001.090.01027-192.168.001.080.00080" is tcpflow for "sending_host.port-receiving_host.port")
(I *hope* the formatting won't get too screwed; I'm working on merging this with the tcpdump-formatted capture of all packets, too..)
192.168.001.090.01027-192.168.001.080.00080: GET /upnp-emulator/description/x10light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive

192.168.001.080.00080-192.168.001.090.01027: HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:29:34 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Sun, 23 Dec 2001 23:29:17 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 1267

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
    <UDN>uuid:780035E4-DE18-443A-B60D-04090F092516</UDN>
    <friendlyName>SAMPLE DEVICE - Light/Dimmer control</friendlyName>
    <deviceType>urn:schemas-upnp-org:device:lighting:1</deviceType>
    <presentationURL>../presentation/X10Light.html</presentationURL>
    <manufacturer>Microsoft</manufacturer>
    <manufacturerURL>http://www.microsoft.com/</manufacturerURL>
    <modelName>X-10L1</modelName>
    <modelNumber>L1</modelNumber>
    <modelDescription>UPnP-X10 Light and Dimmer control</modelDescription>
    <modelURL>http://www.microsoft.com/</modelURL>
    <UPC>000000000001</UPC>
    <serialNumber>0000001</serialNumber>
    <iconList>
      <icon>
        <mimetype>image/png</mimetype>
        <width>16</width>
        <height>16</height>
        <depth>2</depth>
        <url>../images/16-2.png</url>
      </icon>
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:pwrdim:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:pwrdim</serviceId>
        <controlURL>../control/isapictl.dll?pwrdim</controlURL>
        <eventSubURL>../control/isapictl.dll?pwrdim</eventSubURL>
        <SCPDURL>../SCPD/X10PwrDim-SCPD.xml</SCPDURL>
      </service>
    </se
192.168.001.080.00080-192.168.001.090.01027: rviceList>
  </device>
</root>

192.168.001.090.01029-192.168.001.080.00080: GET /upnp-emulator/description/x10light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 23 Dec 2001 23:29:17 GMT
If-None-Match: "b0d1a9a398cc11:83f"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive

192.168.001.080.00080-192.168.001.090.01029: HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:30:55 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 0

192.168.001.090.01031-192.168.001.080.00080: GET /upnp-emulator/presentation/X10Light.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive

192.168.001.080.00080-192.168.001.090.01031: HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:13 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 08 Mar 2001 16:57:18 GMT
ETag: "0eb5cd5f0a7c01:83f"
Content-Length: 4131

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Presentation page for a UPnP-X10 Light/Dimmer control</TITLE>
</HEAD>
<BODY>
<BR>
<INPUT type="button" onclick="SetPowerOn()" value="Power On">
<INPUT type="button" onclick="SetPowerOff()" value="Power Off">
<INPUT type="button" onclick="IncreaseLevel()" value="Level Up">
<INPUT type="button" onclick="DecreaseLevel()" value="Level Down">
<H3>App State</H3><TABLE BGCOLOR='#D6D7DE' BORDER=0 VALIGN=top ALIGN=left CELLPADDING=1 CELLSPACING=3>
<TR><TD BGCOLOR='#000000' VALIGN=center ALIGN=center WIDTH=60><B><FONT SIZE="2" COLOR=whitesmoke>Variable</FONT></B></TD>
<TD VALIGN=middle ALIGN=left BGCOLOR='#000000' WIDTH=470><B><FONT SIZE="2" COLOR=whitesmoke>Value</FONT></B></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" VALIGN=center ALIGN=center>Power</TD>
<TD BGCOLOR="#FFFFFF" valign="top"><P ID=Power></P></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" VALIGN=center ALIGN=center>Level</TD>
<TD BGCOLOR="#FFFFFF" valign="top"><P ID=Level></P></
192.168.001.080.00080-192.168.001.090.01031: TD>
</TR>
</TABLE>
<H3> </H3>
<SCRIPT language=VBScript>
' *********************************************************
' Event handler called when the UPnP device submits events
' *********************************************************
Sub eventHandler(callbackType, svcObj, varName, value)
    'Dim output
    'output = output & "varName " & varName & vbCrLf
    'output = output & "value " & value & vbCrLf
    'output = output & "svcObj " & svcObj.Id & vbCrLf
    'MsgBox output
    If (callbackType = "VARIABLE_UPDATE") Then
        select case svcObj.Id
        case "urn:upnp-org:serviceId:pwrdim"
            select case varName
            Case "power"
                Power.innerText = value
            Case "level"
                Level.innerText = value
            end select
        end select
    End If
End Sub
' **********************************************************
' Button action callbacks invoke actions
' **********************************************************
function SetPowerOn()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "PowerOn", inArgs, outArgs
end function
function SetPowerOff()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "PowerOff", inArgs, outArgs
end function
function IncreaseLevel()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "IncreaseLevel", inArgs, outArgs
end function
function DecreaseLevel()
192.168.001.080.00080-192.168.001.090.01031: Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "DecreaseLevel", inArgs, outArgs
end function
' ********************************************************
' Download the description document from the UPnP device
' ********************************************************
Dim LightDesc
Set LightDesc = CreateObject("UPnP.DescriptionDocument.1")
LightDesc.Load("..\description\X10Light-desc.xml")
' ********************************************************
' Get the Root Device from the description document
' ********************************************************
Dim LightDevice
Set LightDevice = LightDesc.RootDevice
' ********************************************************
' Output some of the device properties to the user
' ********************************************************
Dim output
output = "Found: " & vbCrLf
output = output & "DisplayName: " & LightDevice.FriendlyName & vbCrLf
output = output & "Type: " & LightDevice.Type & vbCrLf
output = output & "UDN: " & LightDevice.UniqueDeviceName & vbCrLf
MsgBox output
' ********************************************************
' Attach the event handler to this service
' ********************************************************
Dim PwrDimService
set PwrDimService=LightDevice.Services("urn:upnp-org:serviceId:pwrdim")
PwrDimService.AddCallback GetRef("eventHandler")
</SCRIPT>
</BODY>
</HTML>

192.168.001.090.01031-192.168.001.080.00080: GET /upnp-emulator/description/X10Light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive

192.168.001.080.00080-192.168.001.090.01031: HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:19 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Sun, 23 Dec 2001 23:29:17 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 1267

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device>
    <UDN>uuid:780035E4-DE18-443A-B60D-04090F092516</UDN>
    <friendlyName>SAMPLE DEVICE - Light/Dimmer control</friendlyName>
    <deviceType>urn:schemas-upnp-org:device:lighting:1</deviceType>
    <presentationURL>../presentation/X10Light.html</presentationURL>
    <manufacturer>Microsoft</manufacturer>
    <manufacturerURL>http://www.microsoft.com/</manufacturerURL>
    <modelName>X-10L1</modelName>
    <modelNumber>L1</modelNumber>
    <modelDescription>UPnP-X10 Light and Dimmer control</modelDescription>
    <modelURL>http://www.microsoft.com/</modelURL>
    <UPC>000000000001</UPC>
    <serialNumber>0000001</serialNumber>
    <iconList>
      <icon>
        <mimetype>image/png</mimetype>
        <width>16</width>
        <height>16</height>
        <depth>2</depth>
        <url>../images/16-2.png</url>
      </icon>
    </iconList>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:pwrdim:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:pwrdim</serviceId>
        <controlURL>../control/isapictl.dll?pwrdim</controlURL>
        <eventSubURL>../control/isapictl.dll?pwrdim</eventSubURL>
        <SCPDURL>../SCPD/X10PwrDim-SCPD.xml</SCPDURL>
      </service>
    </se
192.168.001.080.00080-192.168.001.090.01031: rviceList>
  </device>
</root>

192.168.001.090.01031-192.168.001.080.00080: GET /upnp-emulator/SCPD/X10PwrDim-SCPD.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive

192.168.001.080.00080-192.168.001.090.01031: HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:32 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Thu, 08 Mar 2001 16:57:18 GMT
ETag: "0eb5cd5f0a7c01:83f"
Content-Length: 974

<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <serviceStateTable>
    <stateVariable>
      <name>Power</name>
      <dataType>Boolean</dataType>
      <defaultValue>0</defaultValue>
    </stateVariable>
    <stateVariable>
      <name>Level</name>
      <dataType>i4</dataType>
      <allowedValueRange>
        <minimum>0</minimum>
        <maximum>10</maximum>
        <step>1</step>
      </allowedValueRange>
      <defaultValue>0</defaultValue>
    </stateVariable>
  </serviceStateTable>
  <actionList>
    <action>
      <name>PowerOn</name>
    </action>
    <action>
      <name>PowerOff</name>
    </action>
    <action>
      <name>IncreaseLevel</name>
    </action>
    <action>
      <name>DecreaseLevel</name>
    </action>
  </actionList>
</scpd>

192.168.001.090.01033-192.168.001.080.00080: SUBSCRIBE /upnp-emulator/control/isapictl.dll?pwrdim HTTP/1.1
NT: upnp:propchange
Callback: <http://0.0.0.0:5000/notify>
Timeout: Second-1800
User-Agent: SSDP UCP Events
Host: 192.168.1.80
Content-Length: 0

192.168.001.080.00080-192.168.001.090.01033: HTTP/1.1 200 OK
DATE: Windows NT/5.0 UPnP/1.0 DevKit Sample/1.0
SERVER: Sun, 23 Dec 2001 23:31:58 GMT
SID: uuid:003346d8_c0_2
Timeout: Second-1800

EOF upnpsamp_tcpf.txt

- John
--
Computers: they're really nothing but l's and O's
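Added example, not part of the original post and not tcpflow's own code: a small Python parser for the labelled console output shown in the message. It rejoins payload chunks per flow (so a tag split as `</se` / `rviceList>` becomes whole again), lists the request lines, and reports any SUBSCRIBE Callback URL whose host is not the subscriber's own address, as with the 0.0.0.0 callback in the capture. The function names and the one-separator-newline-per-chunk rule are assumptions; the sample is constructed from the flows in the post.

```python
import re
from urllib.parse import urlsplit

# tcpflow console label: zero-padded "src_ip.port-dst_ip.port: "
LABEL = re.compile(r"((?:\d{3}\.){4}\d{5})-((?:\d{3}\.){4}\d{5}): ")
REQUEST = re.compile(r"^([A-Z-]+) (\S+) HTTP/1\.[01]$", re.M)
CALLBACK = re.compile(r"^Callback: <([^>]+)>$", re.M | re.I)

def endpoint(padded):
    """'192.168.001.090.01027' -> ('192.168.1.90', 1027)"""
    parts = padded.split(".")
    return ".".join(str(int(p)) for p in parts[:4]), int(parts[4])

def reassemble(text):
    """Join payload chunks per (src, dst) flow, in capture order."""
    flows = {}
    pieces = LABEL.split(text)  # [preamble, src, dst, payload, src, dst, ...]
    for i in range(1, len(pieces), 3):
        key = (endpoint(pieces[i]), endpoint(pieces[i + 1]))
        chunk = pieces[i + 2]
        # Assumption: every chunk ends with one separator newline; drop it.
        if chunk.endswith("\n"):
            chunk = chunk[:-1]
        flows[key] = flows.get(key, "") + chunk
    return flows

def summarize(text):
    """Return (request lines, SUBSCRIBE callbacks not aimed at the subscriber)."""
    reqs, odd = [], []
    for (src, _dst), data in reassemble(text).items():
        data = data.replace("\r\n", "\n")
        reqs += [(src[0], m, p) for m, p in REQUEST.findall(data)]
        for url in CALLBACK.findall(data):
            if urlsplit(url).hostname != src[0]:  # events go elsewhere
                odd.append((src[0], url))
    return reqs, odd

# Constructed sample, trimmed from the flows shown in the post.
SAMPLE = (
    "192.168.001.090.01027-192.168.001.080.00080: "
    "GET /upnp-emulator/description/x10light-desc.xml HTTP/1.1\n"
    "Host: 192.168.1.80\n\n\n"
    "192.168.001.080.00080-192.168.001.090.01027: "
    "HTTP/1.1 200 OK\n\n<root><serviceList></se\n"
    "192.168.001.080.00080-192.168.001.090.01027: rviceList></root>\n"
    "192.168.001.090.01033-192.168.001.080.00080: "
    "SUBSCRIBE /upnp-emulator/control/isapictl.dll?pwrdim HTTP/1.1\n"
    "NT: upnp:propchange\nCallback: <http://0.0.0.0:5000/notify>\n\n\n"
)
```

Calling `summarize(SAMPLE)` returns the GET and SUBSCRIBE request lines from 192.168.1.90 and one reported callback, `http://0.0.0.0:5000/notify`.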