The ACS (Auto Configuration Server / Service) is the server side of the infamous TR-069 protocol. Officially it uses port 7547 / TCP, but this may vary depending on the environment. One notable aspect is that an ACS cannot push configuration to the CPE: following the standard, it can only request a callback, which triggers the client to connect and fetch / deliver information. On many devices the callback trigger is protected by some form of authentication (e.g. digest auth).
TR-069
The TR-069 protocol was defined by the Broadband Forum in 2004. It is a simple protocol based on SOAP / XML. It offers access to all possible settings on a CPE and may be extended by the device vendor / operator.
GenieACS
Installation
It is best to follow the instructions in the GenieACS docs. The install from git is quick and stable. It will fully run using the default configuration.
Running
You will have to start the following binaries:
genieacs/bin/genieacs-cwmp
genieacs/bin/genieacs-fs
genieacs/bin/genieacs-nbi
For the GUI / web interface you will have to run rails in the genieacs-gui folder.
Getting started
To get started I'd recommend using an AVM FritzBox and configuring it as described here. From there on you have a functioning TR-069 client which can easily be controlled from the ACS, so any kind of fuzzing and injection can be performed.
AVM offers the configuration of FritzBoxes using the TR-064 protocol. They offer very detailed documentation of the interface. One of the documents there covers the TR-069 configuration.
Set ACS
import requests

url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'
service = 'ManagementServer:1'
action = 'SetManagementServerURL'
#parameters = '<NewURL>http://192.168.58.5/tr069</NewURL>'
parameters = '<NewURL>http://192.168.58.4:7547</NewURL>'
# SOAP envelope for the TR-064 action; note the space before s:encodingStyle, without it the XML is malformed
payload = '<?xml version="1.0"?>'\
'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'\
'<s:Body>'\
'<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'\
'' + parameters + ''\
'</u:' + action + '>'\
'</s:Body>'\
'</s:Envelope>'
headers = {
    'SOAPACTION' : 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT' : 'Evil Hacker',
    'CONTENT-TYPE' : 'text/xml; charset="utf-8"',
}
resp = requests.post(url + path, headers=headers, data=payload)
print(resp.text)
Enable TR-069
import requests

url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'
service = 'ManagementServer:1'
action = 'X_SetTR069Enable'
parameters = '<NewTR069Enabled>1</NewTR069Enabled>'
# SOAP envelope for the TR-064 action; note the space before s:encodingStyle, without it the XML is malformed
payload = '<?xml version="1.0"?>'\
'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'\
'<s:Body>'\
'<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'\
'' + parameters + ''\
'</u:' + action + '>'\
'</s:Body>'\
'</s:Envelope>'
headers = {
    'SOAPACTION' : 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT' : 'Evil Hacker',
    'CONTENT-TYPE' : 'text/xml; charset="utf-8"',
}
resp = requests.post(url + path, headers=headers, data=payload)
print(resp.text)
Disable TR-069
import requests

url = 'http://192.168.178.1:49000'
path = '/upnp/control/mgmsrv'
service = 'ManagementServer:1'
action = 'X_SetTR069Enable'
parameters = '<NewTR069Enabled>0</NewTR069Enabled>'
# SOAP envelope for the TR-064 action; note the space before s:encodingStyle, without it the XML is malformed
payload = '<?xml version="1.0"?>'\
'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'\
'<s:Body>'\
'<u:' + action + ' xmlns:u="urn:dslforum-org:service:' + service + '">'\
'' + parameters + ''\
'</u:' + action + '>'\
'</s:Body>'\
'</s:Envelope>'
headers = {
    'SOAPACTION' : 'urn:dslforum-org:service:' + service + '#' + action,
    'USER-AGENT' : 'Evil Hacker',
    'CONTENT-TYPE' : 'text/xml; charset="utf-8"',
}
resp = requests.post(url + path, headers=headers, data=payload)
print(resp.text)
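The three scripts above build the same envelope and only print the raw reply. As an added example (not from the original page or from AVM's documentation), the same TR-064 call is factored into functions that also parse the SOAP reply, so a UPnP fault is reported instead of scrolling by unnoticed, and a GetInfo query reads back which ACS URL the box is currently set to contact. The GetInfo action on ManagementServer:1 is assumed from the TR-064 service description, the host and credentials are placeholders, and the two sample replies are constructed for offline use.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"

def build_envelope(service, action, parameters=""):
    # Same envelope layout as the scripts above (with the space before s:encodingStyle)
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{SOAP_ENC}">'
            f'<s:Body><u:{action} xmlns:u="urn:dslforum-org:service:{service}">'
            f'{parameters}</u:{action}></s:Body></s:Envelope>')

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def parse_response(text, action):
    """Return (ok, fields): the <action>Response children on success, the UPnPError on a SOAP Fault."""
    body = ET.fromstring(text).find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        return False, {_local(e.tag): (e.text or "") for e in fault.iter()
                       if _local(e.tag) in ("errorCode", "errorDescription")}
    for child in body:
        if _local(child.tag) == f"{action}Response":
            return True, {_local(e.tag): (e.text or "") for e in child}
    raise ValueError(f"no {action}Response element in reply")

def tr064_call(host, service, action, parameters="", auth=None, timeout=10):
    """POST one TR-064 action to the ManagementServer control URL and return the parsed reply."""
    import requests  # imported here so the parser above works without third-party modules
    headers = {"SOAPACTION": f"urn:dslforum-org:service:{service}#{action}",
               "CONTENT-TYPE": 'text/xml; charset="utf-8"'}
    r = requests.post(f"http://{host}:49000/upnp/control/mgmsrv", headers=headers, auth=auth,
                      data=build_envelope(service, action, parameters), timeout=timeout)
    return parse_response(r.text, action)

# Constructed sample replies (not captured from a real device) so the parser can be exercised offline
SAMPLE_OK = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             '<s:Body><u:GetInfoResponse xmlns:u="urn:dslforum-org:service:ManagementServer:1">'
             '<NewURL>http://192.168.58.4:7547</NewURL><NewUsername>acs</NewUsername>'
             '</u:GetInfoResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                '<s:Body><s:Fault><detail><UPnPError xmlns="urn:dslforum-org:control-1-0"><errorCode>401</errorCode>'
                '<errorDescription>Invalid Action</errorDescription></UPnPError></detail>'
                '</s:Fault></s:Body></s:Envelope>')

if __name__ == "__main__":
    from requests.auth import HTTPDigestAuth
    # Assumed: TR-064 GetInfo on ManagementServer:1 reports the configured ACS URL; host and credentials are placeholders
    ok, info = tr064_call("192.168.178.1", "ManagementServer:1", "GetInfo", auth=HTTPDigestAuth("admin", "PLACEHOLDER"))
    print("configured ACS URL:" if ok else "fault:", info.get("NewURL") if ok else info)
```

Running the script against a box prints the ACS URL it will call home to, which is the value to compare against the one set with SetManagementServerURL above.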