Blog
Jun 18, 2009
ITunes Reloaded – Getting the Shell
Exploiting iTunes, part 2
3 min read
Author: Matteo Memelli
There goes our Information Security
This is part 2 of our previous post about the Itunes exploit for windows.
…little did we know that all the payloads being sent have to be pure AlphaNumeric (printable ASCII). The first thing to do is find a Alphanum friendly return address, which was found at 0x67215e2a
Execution then gets redirected to our 1st stage payload. Due to buffer size and character set constraints, we do not jump over our return address as would usually be done. Luckily, executing the opcode equivalent of the RET address did not mangle the stack or terminate execution.
We then align the stack to the ECX register in order to set up our encoded payload:
ECX holds our purely alphanumeric first stage shellcode. This shellcode preforms a near jump, back into our buffer.
The following screenshot shows the decoded jump:
We next align EDX to point to the second stage encoded shellcode as can be seen here:
Our shellcode now gets decoded. A quick stack alignment is required to “reset” ESP and EBP to the total trashing of the stack state…and we get our shell!
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
The Role of Leadership in Cultivating a Resilient Cybersecurity Team
Learn about the role that leadership plays in cultivating a resilient cybersecurity team.
Sep 13, 2024
5 min read
Community Spotlight
Navigating the Leap: My Journey from Software Engineering to Offensive Security
A software engineer’s journey into offensive security, sharing insights and tips for transitioning careers and thriving in the infosec field.
Sep 13, 2024
17 min read
OffSec News
Become a Certified Threat Hunter with OffSec’s New Foundational Threat Hunting Course (TH-200)
Everything you need to know about OffSec’s new course and certification – TH:200 – Foundational Threat Hunting.
Sep 9, 2024
4 min read