Max-T

SOAP Calls for UPnP Services in WeMo Devices

Note: this write up doesn't contain any vulnerabilties or exploits!

I was recently taking a look at a few WeMo embedded devices. WeMo Devices are IoT contraptions like light switches, space heaters, and coffee machines that are network enabled. I examined the "Holmes Smart Heater". Both had port 41953 open, which is a common port for UPnP services. I decided to dig a little deeper and figure out a way to interact with the SOAP services which UPnP relies on in order to hunt for bugs. My goal was to retrieve sensitive information, such as the WiFi password, from the device.

Using Miranda's MSEARCH (which comes preinstalled on Kali Linux), I was able to discover the setup.xml file for the service I was examining. This file will always be XML, but the actual file name can change. Another way to discover this initial entry point is to examine the network traffic with WireShark. The MSEARCH HTTP requests are easy

Max-T

#
# zepub.sh 0.1
# Package & Validate ePub Files
# by @robot_media (http://www.robotmedia.net)
# thanks to @lizcastro (http://www.elizabethcastro.com/epub/)
#
# INSTRUCTIONS
#
# Make zepub.sh executable: chmod +x zepub.sh
# Optional: to validate the resulting ePub files change the validator_path variable below.

Max-T

Warning

Following instructions are provided without any warranty, and may even get you in trouble legally. The instructions are provided for testing, and should be use with care. We (including commentators) are not responsible for any damage to your device(s).

Introduction

This may enable additional channels and power (in most cases don't) on ASUS Merlin provided routers.