How is data copied between different XBMX sub-components

  Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Post Reply
version5 Offline
Junior Member
Posts: 1
Joined: May 2009
Reputation: 0
Post: #1
Hey,

I'm currently building a data flow analysis tool, one of the goals of which is to trace malicious input as it moves through a program. I'm currently testing with XBMC and the 8.10 takescreenshot remote buffer overflow in XBMC\xbmc\cores\DllLoader\exports\emu_msvcrt.cpp (see http://milw0rm.com/exploits/8337 for more info).

I do this by monitoring the x86 instructions mov and rep (and their variants/combinations), but my application is losing track of the data read in by XBMC, somewhere between socketGetInput() and the vulnerability in emu_msvcrt.cpp. From the two stack traces below (one from a breakpoint on recv, and the other on the leave instruction right before the crash occurs) I'm guessing XBMC uses some data passing mechanism I'm missing.

They thread IDs that read the data and eventually execute the vulnerable code are the same, so I'm assuming the data isn't moving between processes. That would seem to indicate the data is being copied by a function that doesn't boil down to something like 'rep movsd' (memcpy, strcpy etc are essentially this).

I guess my question is, does such a function or method of data movement exist in XBMC?

Cheers

=== Stack trace when the data is read ===
#0 0xb7526f50 in recv () from /lib/tls/i686/cmov/libc.so.6
#1 0x08854f88 in socketGetInput (sid=1, buf=0x91fbbf0 "", toRead=2047, errCode=0xb2efdef0) at src/sockGen.c:455
#2 0x08853c52 in socketRead (sid=1, buf=0xb2efdf37 "", bufsize=1) at src/sock.c:172
#3 0x08853d9d in socketGets (sid=1, buf=0xb2efe074) at src/sock.c:235
#4 0x0885aa16 in websGetInput (wp=0x91fd490, ptext=0xb2efe0b4, pnbytes=0xb2efe0b0) at src/webs.c:608
#5 0x0885a4fc in websReadEvent (wp=0x91fd490) at src/webs.c:362
#6 0x0885a466 in websSocketEvent (sid=1, mask=2, iwp=153080976) at src/webs.c:319
#7 0x08855704 in socketDoEvent (sp=0x91fbae8) at src/sockGen.c:935
#8 0x0885559e in socketProcess (sid=1) at src/sockGen.c:877
#9 0x0882a1bb in CWebServer::Process (this=0x918f210) at WebServer.cpp:322
#10 0x08a614a7 in CThread::staticThread (data=0x918f210) at Thread.cpp:206
#11 0x089f5ea9 in InternalThreadFunc (data=0x91e2e08) at XThreadUtils.cpp:126

=== Stack trace when vulnerable code is about to execute ===
#0 0x086f8ab0 in dll_open (szFileName=0x8f7c84c "/tmp/xbmc-nnp/temp.bmp", iMode=-1232806240) at emu_msvcrt.cpp:438
#1 0x086fa28b in __wrap_fopen64 (path=0x8f7c84c "/tmp/xbmc-nnp/temp.bmp", mode=0xb684dea0 "rb") at wrapper.c:195
#2 0xb67cb482 in CxImage::Load () from /usr/share/xbmc/system/ImageLib-i486-linux.so
#3 0xb67a458c in ConvertFile () from /usr/share/xbmc/system/ImageLib-i486-linux.so
#4 0x08552e27 in DllImageLib::ConvertFile (this=0xbf92d338, p1=0x8f7c84c "/tmp/xbmc-nnp/temp.bmp",
p2=0x91154fc 'B' <repeats 200 times>..., p3=0, p4=300, p5=200, p6=90) at DllImageLib.h:111
#5 0x0860722e in CPicture::ConvertFile (this=0xbf92d334, srcFile=@0xbf92d848, destFile=@0xbf92d84c,
rotateDegrees=0, width=300, height=200, quality=90) at Picture.cpp:190
#6 0x08845a7a in CXbmcHttp::xbmcTakeScreenshot (this=0x9120848, numParas=6, paras=0xbf92d900) at XBMChttp.cpp:2751
#7 0x0884934a in CXbmcHttp::xbmcCommand (this=0x9120848, parameter=@0xbf92dd4c) at XBMChttp.cpp:3025
#8 0x084354e0 in CApplicationMessenger::ProcessMessage (this=0x8ccf400, pMsg=0x8e9a258)
at ApplicationMessenger.cpp:440
#9 0x08435b4f in CApplicationMessenger::ProcessMessages (this=0x8ccf400) at ApplicationMessenger.cpp:131
#10 0x0844352e in CApplication::Process (this=0x8cce660) at Application.cpp:5229
#11 0x086c5a02 in CXBApplicationEx::Run (this=0x8cce660) at XBApplicationEx.cpp:210
#12 0x086c650c in main (argc=1, argv=0xbf92e114) at XboxMediaCenter.cpp:117
find quote