Snort mailing list archives

UPnP transaction: ASCII decode


From: John Sage <jsage () finchhaven com>
Date: Thu, 27 Dec 2001 01:25:40 -0800

Here is a rough cut of a UPnP transaction, run through a right-cool little proggie, tcpflow (See: http://freshmeat.net/projects/tcpflow/) that will strip out and present the ASCII contents of tcp/ip packets.

The original dump came from Matt Scarborough; here's his narrative as to what's going on:

"192.168.1.90 is the WinME box with UPnP client installed.

192.168.1.80 is a Win2K box with IIS.

I started the capture (Ethereal) on the Win2K box, and then booted up the
WinME box. So you see the WinME box coming online and sending the three UDP
M-SEARCH packets to the broadcast address. Nothing responds.

Then I fire up a Sample Device. This is a piece of software that comes from
the MS UPnP Developer's Kit. Essentially we'll use it to emulate some piece
of hardware that has just been connected to the network.

Sample Device sends NOTIFY packets. It sends several because we know UDP is
unreliable. Inside the NOTIFY packets we see the URL of the IIS server (same
Win2K box.) IIS simulates a mini-webserver inside Sample Device.

We could stop right here, in terms of exploit, because as you'll see in a
moment the WinME box responds by requesting the URL at the Sample Device
http://192.168.1.80/upnp-emulator/description/x10light-desc.xml

The XML tells the WinME, "I am a sample device, this is how you use me, blah
blah, blah.""



Here's the tcpflow output from "tcpflow -vvv -r upnpsamp.dmp > unpnsamp_tcpf.txt" -- it doesn't *quite* match Matt's narrative because tcpflow ignores those packets with no ASCII content.. ("192.168.001.090.01027-192.168.001.080.00080" is tcpflow for "sending_host.port-receiving_host.port")


(I *hope* the formatting won't get too screwed; I'm working on merging this with the tcpdump-formatted capture of all packets, too..)



192.168.001.090.01027-192.168.001.080.00080:
GET /upnp-emulator/description/x10light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive


192.168.001.080.00080-192.168.001.090.01027:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:29:34 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Sun, 23 Dec 2001 23:29:17 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 1267
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<UDN>uuid:780035E4-DE18-443A-B60D-04090F092516</UDN>
<friendlyName>SAMPLE DEVICE - Light/Dimmer control</friendlyName>
<deviceType>urn:schemas-upnp-org:device:lighting:1</deviceType>
<presentationURL>../presentation/X10Light.html</presentationURL>
<manufacturer>Microsoft</manufacturer>
<manufacturerURL>http://www.microsoft.com/</manufacturerURL>
<modelName>X-10L1</modelName>
<modelNumber>L1</modelNumber>
<modelDescription>UPnP-X10 Light and Dimmer control</modelDescription>
<modelURL>http://www.microsoft.com/</modelURL>
<UPC>000000000001</UPC>
<serialNumber>0000001</serialNumber>
<iconList>
<icon>
<mimetype>image/png</mimetype>
<width>16</width>
<height>16</height>
<depth>2</depth>
<url>../images/16-2.png</url>
</icon>
</iconList>
<serviceList>
<service>
<serviceType>urn:schemas-upnp-org:service:pwrdim:1</serviceType>
<serviceId>urn:upnp-org:serviceId:pwrdim</serviceId>
<controlURL>../control/isapictl.dll?pwrdim</controlURL>
<eventSubURL>../control/isapictl.dll?pwrdim</eventSubURL>
<SCPDURL>../SCPD/X10PwrDim-SCPD.xml</SCPDURL>
</service>
</se


192.168.001.080.00080-192.168.001.090.01027:
rviceList>
</device>
</root>


192.168.001.090.01029-192.168.001.080.00080:
GET /upnp-emulator/description/x10light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 23 Dec 2001 23:29:17 GMT
If-None-Match: "b0d1a9a398cc11:83f"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive


192.168.001.080.00080-192.168.001.090.01029:
HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:30:55 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 0


192.168.001.090.01031-192.168.001.080.00080:
GET /upnp-emulator/presentation/X10Light.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive


192.168.001.080.00080-192.168.001.090.01031:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:13 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 08 Mar 2001 16:57:18 GMT
ETag: "0eb5cd5f0a7c01:83f"
Content-Length: 4131
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Presentation page for a UPnP-X10 Light/Dimmer control</TITLE>
</HEAD>
<BODY>
<BR>
<INPUT type="button" onclick="SetPowerOn()" value="Power On">
<INPUT type="button" onclick="SetPowerOff()" value="Power Off">
<INPUT type="button" onclick="IncreaseLevel()" value="Level Up">
<INPUT type="button" onclick="DecreaseLevel()" value="Level Down">
<H3>App State</H3>
<TABLE BGCOLOR='#D6D7DE' BORDER=0 VALIGN=top ALIGN=left CELLPADDING=1 CELLSPACING=3>
<TR>
<TD BGCOLOR='#000000' VALIGN=center ALIGN=center WIDTH=60><B><FONT SIZE="2" COLOR=whitesmoke>Variable</FONT></B></TD> <TD VALIGN=middle ALIGN=left BGCOLOR='#000000' WIDTH=470><B><FONT SIZE="2" COLOR=whitesmoke>Value</FONT></B></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" VALIGN=center ALIGN=center>Power</TD>
<TD BGCOLOR="#FFFFFF" valign="top"><P ID=Power></P></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" VALIGN=center ALIGN=center>Level</TD>
<TD BGCOLOR="#FFFFFF" valign="top"><P ID=Level></P></


192.168.001.080.00080-192.168.001.090.01031:
TD>
</TR>
</TABLE>
<H3>&nbsp;</H3>
<SCRIPT language=VBScript>
' *********************************************************
' Event handler called when the UPnP device submits events
' *********************************************************
Sub eventHandler(callbackType, svcObj, varName, value)
'Dim output
'output = output & "varName " & varName & vbCrLf
'output = output & "value " & value & vbCrLf
'output = output & "svcObj " & svcObj.Id & vbCrLf
'MsgBox output
If (callbackType = "VARIABLE_UPDATE") Then
 select case svcObj.Id
  case "urn:upnp-org:serviceId:pwrdim"
   select case varName
    Case "power"      Power.innerText = value
    Case "level"      Level.innerText = value
   end select
  end select
 End If
End Sub
' **********************************************************
' Button action callbacks invoke actions
' **********************************************************
function SetPowerOn()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "PowerOn", inArgs, outArgs
end function
function SetPowerOff()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "PowerOff", inArgs, outArgs
end function
function IncreaseLevel()
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "IncreaseLevel", inArgs, outArgs
end function
function DecreaseLevel()


192.168.001.080.00080-192.168.001.090.01031:
    Dim inArgs(0)
    Dim outArgs(0)
    PwrDimService.InvokeAction "DecreaseLevel", inArgs, outArgs
end function
' ********************************************************
' Download the description document from the UPnP device
' ********************************************************
Dim LightDesc
Set LightDesc = CreateObject("UPnP.DescriptionDocument.1")
LightDesc.Load("..\description\X10Light-desc.xml")
' ********************************************************
' Get the Root Device from the description document
' ********************************************************
Dim LightDevice
Set LightDevice = LightDesc.RootDevice
' ********************************************************
' Output some of the device properties to the user
' ********************************************************
Dim output
output = "Found: " & vbCrLf
output = output & "DisplayName: " & LightDevice.FriendlyName & vbCrLf
output = output & "Type: " & LightDevice.Type & vbCrLf
output = output & "UDN: " & LightDevice.UniqueDeviceName & vbCrLf
MsgBox output
' ********************************************************
' Attach the event handler to this service
' ********************************************************
Dim PwrDimService
set PwrDimService=LightDevice.Services("urn:upnp-org:serviceId:pwrdim")
PwrDimService.AddCallback GetRef("eventHandler")
</SCRIPT>
</BODY>
</HTML>


192.168.001.090.01031-192.168.001.080.00080:
GET /upnp-emulator/description/X10Light-desc.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive


192.168.001.080.00080-192.168.001.090.01031:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:19 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Sun, 23 Dec 2001 23:29:17 GMT
ETag: "b0d1a9a398cc11:83f"
Content-Length: 1267
<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<UDN>uuid:780035E4-DE18-443A-B60D-04090F092516</UDN>
<friendlyName>SAMPLE DEVICE - Light/Dimmer control</friendlyName>
<deviceType>urn:schemas-upnp-org:device:lighting:1</deviceType>
<presentationURL>../presentation/X10Light.html</presentationURL>
<manufacturer>Microsoft</manufacturer>
<manufacturerURL>http://www.microsoft.com/</manufacturerURL>
<modelName>X-10L1</modelName>
<modelNumber>L1</modelNumber>
<modelDescription>UPnP-X10 Light and Dimmer control</modelDescription>
<modelURL>http://www.microsoft.com/</modelURL>
<UPC>000000000001</UPC>
<serialNumber>0000001</serialNumber>
<iconList>
<icon>
<mimetype>image/png</mimetype>
<width>16</width>
<height>16</height>
<depth>2</depth>
<url>../images/16-2.png</url>
</icon>
</iconList>
<serviceList>
<service>
<serviceType>urn:schemas-upnp-org:service:pwrdim:1</serviceType>
<serviceId>urn:upnp-org:serviceId:pwrdim</serviceId>
<controlURL>../control/isapictl.dll?pwrdim</controlURL>
<eventSubURL>../control/isapictl.dll?pwrdim</eventSubURL>
<SCPDURL>../SCPD/X10PwrDim-SCPD.xml</SCPDURL>
</service>
</se


192.168.001.080.00080-192.168.001.090.01031:
rviceList>
</device>
</root>


192.168.001.090.01031-192.168.001.080.00080:
GET /upnp-emulator/SCPD/X10PwrDim-SCPD.xml HTTP/1.1
Accept: text/xml, application/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
Host: 192.168.1.80
Connection: Keep-Alive


192.168.001.080.00080-192.168.001.090.01031:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 23 Dec 2001 23:31:32 GMT
Content-Type: text/xml
Accept-Ranges: bytes
Last-Modified: Thu, 08 Mar 2001 16:57:18 GMT
ETag: "0eb5cd5f0a7c01:83f"
Content-Length: 974
<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<serviceStateTable>
<stateVariable>
<name>Power</name>
<dataType>Boolean</dataType>
<defaultValue>0</defaultValue>
</stateVariable>
<stateVariable>
<name>Level</name>
<dataType>i4</dataType>
<allowedValueRange>
<minimum>0</minimum>
<maximum>10</maximum>
<step>1</step>
</allowedValueRange>
<defaultValue>0</defaultValue>
</stateVariable>
</serviceStateTable>
<actionList>
<action>
<name>PowerOn</name>
</action>
<action>
<name>PowerOff</name>
</action>
<action>
<name>IncreaseLevel</name>
</action>
<action>
<name>DecreaseLevel</name>
</action>
</actionList>
</scpd>


192.168.001.090.01033-192.168.001.080.00080:
SUBSCRIBE /upnp-emulator/control/isapictl.dll?pwrdim HTTP/1.1
NT: upnp:propchange
Callback: <http://0.0.0.0:5000/notify>
Timeout: Second-1800
User-Agent: SSDP UCP Events
Host: 192.168.1.80
Content-Length: 0


192.168.001.080.00080-192.168.001.090.01033:
HTTP/1.1 200 OK
DATE: Windows NT/5.0 UPnP/1.0 DevKit Sample/1.0
SERVER: Sun, 23 Dec 2001 23:31:58 GMT
SID: uuid:003346d8_c0_2
Timeout: Second-1800



EOF upnpsamp_tcpf.txt




- John

--
Computers: they're really nothing but l's and O's
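
Added example, not part of the original post: a defender-side check that compares the URL in an SSDP NOTIFY `LOCATION` header or a GENA SUBSCRIBE `Callback` header with the address the packet came from, since the narrative above shows the client fetching whatever URL the NOTIFY advertises. The function names, the "URL host should equal the sender" policy, the NOTIFY messages and the 203.0.113.5 documentation address are assumptions; only the SUBSCRIBE is taken from the capture.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_HEADERS = {"location", "callback"}  # SSDP NOTIFY / GENA SUBSCRIBE

def parse_headers(message):
    """Lower-cased header map of an HTTP-style message (start line skipped)."""
    headers = {}
    for line in message.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_urls(message, sender_ip):
    """Classify each LOCATION/Callback URL against the packet's sender."""
    sender = ipaddress.ip_address(sender_ip)
    headers = parse_headers(message)
    findings = []
    for name in sorted(URL_HEADERS.intersection(headers)):
        for url in re.findall(r"https?://[^\s<>]+", headers[name]):
            try:
                target = ipaddress.ip_address(urlsplit(url).hostname)
            except ValueError:
                verdict = "hostname"   # not an IP literal; needs manual review
            else:
                if target.is_unspecified:
                    verdict = "unspecified"
                elif target == sender:
                    verdict = "match"
                else:
                    verdict = "mismatch"
            findings.append((name, url, verdict))
    return findings

# SUBSCRIBE as seen in the capture (sender: the WinME box, 192.168.1.90).
SUBSCRIBE = ("SUBSCRIBE /upnp-emulator/control/isapictl.dll?pwrdim HTTP/1.1\r\n"
             "NT: upnp:propchange\r\nCallback: <http://0.0.0.0:5000/notify>\r\n"
             "Timeout: Second-1800\r\nHost: 192.168.1.80\r\n\r\n")

def notify(location):
    """Constructed SSDP NOTIFY; the UDP packets are not in the tcpflow output."""
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
            f"LOCATION: {location}\r\n\r\n")

if __name__ == "__main__":
    print(check_urls(SUBSCRIBE, "192.168.1.90"))
    print(check_urls(notify("http://203.0.113.5/desc.xml"), "192.168.1.80"))
```

A "mismatch" verdict marks an announcement that points the control point at a host other than the announcer; "unspecified" marks the 0.0.0.0 callback seen in the capture.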

