Luigi Auriemma

Hey guys how is things im slowly trying to get back into exploit development and maybe learn more programing in the near future,I've released a few exploits recently and thought i would throw them up for you guys.

These exploits have been patched as off now but people running xbmc 8 .10 are still vulnerable.
I managed to overwrite the exception handlers and found a real nice address in zlib.dll and got code execution on vista sp1.

First of poc code.
XBMC 8.10 (GET Requests) Multiple Remote Buffer Overflow PoC
http://www.milw0rm.com/exploits/8337

Exploit 1
XBMC 8.10 (Get Request) Remote Buffer Overflow Exploit (win)
http://www.milw0rm.com/exploits/8338

Exploit 2
XBMC 8.10 (takescreenshot) Remote Buffer Overflow Exploit
http://www.milw0rm.com/exploits/8339

Exploit 3
http://www.milw0rm.com/exploits/8340

Then we have the oday seh overwrite exploit for all win platforms
tested on win xpsp3 and vista sp1.
http://www.milw0rm.com/exploits/8354

have you tested (just for fun) also the 9.04 alpha release?
http://downloads.sourceforge.net/xbmc/X ... se_mirror=

Yeah m8 i did i also looked at there trac and changes they made.I don't do allot of open source exploit development it felt like a new challenge to broaden my knowledge of exploit development and debugging and welcomed the challenge to get execution of shell code on vista sp1.


The fix by the developers can be found here.
http://www.securityfocus.com/bid/34334/references

And i come away from this exploit with allot of learning which im happy about :).

Another funny thing is i found a really nice buffer overflow in the last version of opera and never shared any information.

This was because when i found the opera torrent buffer overflow some security company jumped on it and claimed credits for it even after mine was released :).
But i realized in the new release some changes had been made behind closed doors and struggle to replicate the buffer overflow although im still looking into the exception :).

in the security field (and in reality in ANY field) the first public reference to a vulnerability is the first and only. stop.
so if when you published the bug there were no other references about that bug, YOU are the finder of it.
the discovery date inserted by people/companies in their advisories are just bullshits which mean nothing because the public disclosure is the ONLY reference.

is the following the bug about you refer?
http://www.milw0rm.com/exploits/3784
http://labs.idefense.com/intelligence/v ... php?id=535
and is it the "exact" bug?

Well i did email them aluigi m8 and got no response after allot of looking and research about it there was no information given for the vulnerabilities.

So i can not really say if it was or not But i have my suspicions.

Awesome man , you're going to be one of the greatest in the sec field ,keep it up ! :) .Congrats !

Hey guys did you see the head request buffer overflow posted up on milw0rm by
Ive posted on my blog about it have a read .

copy cats uncovered.:)
http://n00b-n00b.blogspot.com/

lately I have noticed that many people on milw0rm see a PoC about a software and then make their version of the PoC or try to find other bugs in the same software.
obviously it's a good thing for people who wants to learn and so they can do their "own" tests but it's a horrible thing for the rest because the result is 1000 unverified PoC/exploits which probably are about the same vulnerability or claim to be buffer-overflow/memory corruption while maybe they are only a stack consuming or a null pointer and so create only a lot of disinformation.

Yeh seams that way aluigi i always found milw0rm to be a respectable place to throw up advisorys.
But i tested a few of the exploits that that guy put up and he has no clue what he is doing.:)

The problem is not searching for buffer overflows in the application go for it even though some one else audited before you then great but don't reproduce bugs that are already been submitted and tested it is obvious this guy has not even tested this on his own machine :). I give str0ke the heads up on the issue any way.

I think by looking and comparing both exploits you can tell straight away there was not enough buffer to overwrite the exception handlers.

http://www.milw0rm.com/exploits/7923
This vs of the soft DOESEN'T even exit.
LOL :))))))))) .
The list goes on.

Obviously some people just are not bothered about posting none working exploits lol @ there reputation.But on a side note it has to be hard for str0ke known which work and what dont.
Personally i have never released a exploit with out testing it a allot of times.

Like for instance when i wrote the seh universal one on a winxp sp3 machine i had drove over 400miles that day visiting familiy.

As soon as i got there i booted up there laptop running vista sp1 to make sure the address was correct.And the address never changed after reboot to make sure it by pass the the Address randomization.

Then i had remembered the address and the exploit i had wrote and knew that it took 1635 bytes to trigger the exception handlers i still download python olldbg and xbmc on the vista machine to make sure.

edited:_)

I prefer if the discussion here stay within the subject of the thread, then it's not good to talk about other people if they can't reply here.

Yeh agreed :)

"Cough"Hate defacers"cough"

Yes ,I have to add that str0ke is making efforts to check programs before posting , I have recorded every thing I sent ,to make things easyer for him , you do a faster job watching a video of 1-2 minutes then spending 10-20 minutes testing the POC.

aluigi m8 i was testing a few things like when i added http://Host:80/default.asp\\
i was able to view the asp source code on the server.

Ok thats fine then i remember an old advisory by you hahah :)
http://www.securityfocus.com/bid/9239

The web server thats used or the library the libgoahead library include in xbmc is vulnerable.They are using this version "GoAhead WebServer 2.1.7"

goahead 2.1.7? wow if I remember well the dinosaurs were still on earth when that version was released :)