Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:14

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 16 posts ] 
 Post subject: XBMC multiple remote buffer overflow :)
PostPosted: 06 Apr 2009 14:49 

Joined: 14 Aug 2007 13:32
Posts: 71
Hey guys, how are things? I'm slowly trying to get back into exploit development and maybe learn more programming in the near future. I've released a few exploits recently and thought I would throw them up for you guys.

These exploits have been patched as of now, but people running XBMC 8.10 are still vulnerable.
I managed to overwrite the exception handlers and found a real nice address in zlib.dll and got code execution on Vista SP1.

First off, PoC code.
XBMC 8.10 (GET Requests) Multiple Remote Buffer Overflow PoC
http://www.milw0rm.com/exploits/8337

Exploit 1
XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)
http://www.milw0rm.com/exploits/8338

Exploit 2
XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit
http://www.milw0rm.com/exploits/8339

Exploit 3
http://www.milw0rm.com/exploits/8340

Then we have the 0day SEH overwrite exploit for all Win platforms,
tested on Win XP SP3 and Vista SP1.
http://www.milw0rm.com/exploits/8354


Last edited by n00b on 06 Apr 2009 23:20, edited 2 times in total.

 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 06 Apr 2009 16:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
have you tested (just for fun) also the 9.04 alpha release?
http://downloads.sourceforge.net/xbmc/X ... se_mirror=


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 06 Apr 2009 23:31 

Joined: 14 Aug 2007 13:32
Posts: 71
Yeah m8, I did. I also looked at their trac and the changes they made. I don't do a lot of open source exploit development; it felt like a new challenge to broaden my knowledge of exploit development and debugging, and I welcomed the challenge to get execution of shell code on Vista SP1.


The fix by the developers can be found here.
http://www.securityfocus.com/bid/34334/references

And I come away from this exploit with a lot of learning, which I'm happy about :).

Another funny thing is I found a really nice buffer overflow in the last version of Opera and never shared any information.

This was because when I found the Opera torrent buffer overflow, some security company jumped on it and claimed credits for it even after mine was released :).
But I realized in the new release some changes had been made behind closed doors, and I struggle to replicate the buffer overflow, although I'm still looking into the exception :).


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 07 Apr 2009 00:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
This was because when I found the Opera torrent buffer overflow, some security company jumped on it and claimed credits for it even after mine was released :).

in the security field (and in reality in ANY field) the first public reference to a vulnerability is the first and only. stop.
so if when you published the bug there were no other references about that bug, YOU are the finder of it.
the discovery dates inserted by people/companies in their advisories are just bullshit which means nothing because the public disclosure is the ONLY reference.

is the following the bug you refer to?
http://www.milw0rm.com/exploits/3784
http://labs.idefense.com/intelligence/v ... php?id=535
and is it the "exact" bug?


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 07 Apr 2009 01:40 

Joined: 14 Aug 2007 13:32
Posts: 71
Well, I did email them, aluigi m8, and got no response. After a lot of looking and research about it, there was no information given for the vulnerabilities.

So I cannot really say if it was or not, but I have my suspicions.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 07 Apr 2009 10:59 

Joined: 03 Feb 2009 01:40
Posts: 31
Awesome man, you're going to be one of the greatest in the sec field, keep it up! :) Congrats!


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 11:21 

Joined: 14 Aug 2007 13:32
Posts: 71
Hey guys, did you see the HEAD request buffer overflow posted up on milw0rm by
I've posted on my blog about it, have a read.

Copycats uncovered. :)
http://n00b-n00b.blogspot.com/


Last edited by n00b on 08 Apr 2009 18:40, edited 1 time in total.

 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 14:53 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
lately I have noticed that many people on milw0rm see a PoC about a software and then make their version of the PoC or try to find other bugs in the same software.
obviously it's a good thing for people who want to learn and so they can do their "own" tests but it's a horrible thing for the rest because the result is 1000 unverified PoC/exploits which probably are about the same vulnerability or claim to be buffer-overflow/memory corruption while maybe they are only a stack consuming or a null pointer and so create only a lot of disinformation.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 15:03 

Joined: 14 Aug 2007 13:32
Posts: 71
Yeh, seems that way, aluigi. I always found milw0rm to be a respectable place to throw up advisories.
But I tested a few of the exploits that that guy put up and he has no clue what he is doing. :)

The problem is not searching for buffer overflows in the application; go for it, even though someone else audited before you, then great, but don't reproduce bugs that have already been submitted and tested. It is obvious this guy has not even tested this on his own machine :). I give str0ke the heads up on the issue anyway.

I think by looking and comparing both exploits you can tell straight away there was not enough buffer to overwrite the exception handlers.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 15:41 

Joined: 03 Feb 2009 01:40
Posts: 31
http://www.milw0rm.com/exploits/7923
This vs of the soft DOESN'T even exit.
LOL :))))))))) .
The list goes on.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 16:01 

Joined: 14 Aug 2007 13:32
Posts: 71
Obviously some people just are not bothered about posting non-working exploits, lol @ their reputation. But on a side note, it has to be hard for str0ke knowing which work and which don't.
Personally I have never released an exploit without testing it a lot of times.

Like, for instance, when I wrote the SEH universal one on a WinXP SP3 machine, I had driven over 400 miles that day visiting family.

As soon as I got there I booted up their laptop running Vista SP1 to make sure the address was correct. And the address never changed after reboot, to make sure it bypasses the address randomization.

Then I had remembered the address and the exploit I had written and knew that it took 1635 bytes to trigger the exception handlers; I still downloaded Python, OllyDbg and XBMC on the Vista machine to make sure.

edited:_)


Last edited by n00b on 08 Apr 2009 19:37, edited 2 times in total.

 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 17:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I prefer if the discussion here stays within the subject of the thread, then it's not good to talk about other people if they can't reply here.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 18:42 

Joined: 14 Aug 2007 13:32
Posts: 71
Yeh agreed :)

"Cough"Hate defacers"cough"


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 08 Apr 2009 19:21 

Joined: 03 Feb 2009 01:40
Posts: 31
Yes, I have to add that str0ke is making efforts to check programs before posting. I have recorded everything I sent, to make things easier for him; you do a faster job watching a video of 1-2 minutes than spending 10-20 minutes testing the PoC.


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 10 Apr 2009 14:06 

Joined: 14 Aug 2007 13:32
Posts: 71
aluigi m8, I was testing a few things, like when I added http://Host:80/default.asp\\
I was able to view the ASP source code on the server.

OK, that's fine, then I remember an old advisory by you hahah :)
http://www.securityfocus.com/bid/9239

The web server that's used, or the library, the libgoahead library included in XBMC, is vulnerable. They are using this version: "GoAhead WebServer 2.1.7"
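
A log-review check for the request shape described in the post above, added here as an example (it is not part of the original thread, nor XBMC or GoAhead code): it flags requests whose path is a script name followed by trailing backslashes, raw or percent-encoded, and reports the response status for triage. The log lines are constructed, and the Common Log Format layout and the `.asp` extension list are assumptions.

```python
import re
from urllib.parse import unquote

# Extensions the server should execute, never return as text (assumed list).
SCRIPT_EXTS = (".asp",)

# Request and status fields of a Common Log Format line (assumed log layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines; addresses are from the documentation range.
SAMPLE_LOG = [
    r'192.0.2.10 - - [10/Apr/2009:14:01:07 +0000] "GET /default.asp HTTP/1.1" 200 512',
    r'192.0.2.10 - - [10/Apr/2009:14:01:09 +0000] "GET /default.asp\\ HTTP/1.1" 200 2048',
    r'192.0.2.11 - - [10/Apr/2009:14:02:30 +0000] "GET /default.asp%5C HTTP/1.1" 200 2048',
    r'192.0.2.12 - - [10/Apr/2009:14:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 900',
    r'192.0.2.12 - - [10/Apr/2009:14:03:05 +0000] "GET /default.asp%5c?x=1 HTTP/1.1" 404 0',
]

def canonical_path(target):
    """Drop the query string and percent-decode (bounded) so %5C and %255C become a backslash."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_suspicious(target):
    """True when a script path is followed by one or more trailing backslashes."""
    path = canonical_path(target)
    stripped = path.rstrip("\\")
    return stripped != path and stripped.lower().endswith(SCRIPT_EXTS)

def scan(lines):
    """Return (request target, HTTP status) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("target"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for target, status in scan(SAMPLE_LOG):
        # A 200 on a flagged request is the case to investigate first.
        print(status, target)
```

The same `is_suspicious` check can sit in a reverse proxy or request filter in front of the embedded server to reject such paths before they reach it.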


 Post subject: Re: XBMC multiple remote buffer overflow :)
PostPosted: 10 Apr 2009 17:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
goahead 2.1.7? wow if I remember well the dinosaurs were still on earth when that version was released :)

