Home OffSec
  • Pricing
Enroll now Sign in Search Contact us
Blog

/

ITunes Exploitation Case Study

iTunes
Exploit Development

Jun 11, 2009

ITunes Exploitation Case Study

ITunes Exploitation Case Study

OffSec Team OffSec Team

3 min read

Author: Matteo Memelli

When masochism just isn’t enough

Our new AWE course is about to go live for the first time, in BlackHat Vegas. We chose the most interesting exploitation cases we’ve encountered, and dove really deep into them. We had many exploits to choose from, some were too easy, and believe it or not, some were just too hard. This blog post is going to be a multipart post, describing our exploitation process of the recent iTunes overflow described here. This is possibly one of our most involved and interesting exploits to date.

An exploit for OSX was released and discussed here. Being naturally inquisitive, we checked to see if this exception would occur in Windows too, and indeed it was!

awe-pic-01

After attaching a debugger to the iTunes process, we noticed it was getting terminated after around 30 seconds. It looked like iTunes had anti-debugging features implemented. Fortunately, Immunity Debugger offers anti-debugging scripts which are useful for situations just like this. Invoking the !hidedebug command within ID allowed the debugger to continue running in hidden mode, bypassing our first hurdle.

awe-pic-02

Using the OSX exploit as a template, we attempted to crash iTunes several times, however the process would keep terminating with no opportunity for code redirection. After inspecting the call stack in one of the crash cases, we saw that one function was calling ZwTerminateProcess.

awe-pic-03

We assumed this was a stack protection mechanism. We placed a breakpoint there. This would halt ID just before the stack cookie check, allowing us to examine the vulnerable function in greater depth, and also to confirm our “stack protection” theory.

awe-pic-04

We soon realised that trying to approach the stack canary head on would be difficult. We attempted to increase the buffer length we were sending in order to get a SEH overflow, which would effectively bypass the canary protection. The Gods of buffer overflows were in our favour – and an SEH overwrite was achieved!

awe-pic-05

From here on, we expected things to get easier. Little did we know….

(to be continued next week …)

Our working exploit can be found here .

 

Stay in the know: Become an OffSec Insider

Stay in the know: Become an OffSec Insider

Get the latest updates about resources, events & promotions from OffSec!

Latest from OffSec

Research & Tutorials

CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data vulnerability

CVE-2024-12029: A critical deserialization vulnerability in InvokeAI’s /api/v2/models/install endpoint allows remote code execution via malicious model files. Exploit risk for AI art servers.

Jul 17, 2025

0

Research & Tutorials

What is Phishing? Introduction to Phishing Demo (for Beginners)

Learn how phishing attacks work and how to spot them. Watch OffSec’s animated video to protect yourself from scams, spoofed sites, and social engineering.

Jul 15, 2025

2 min read

Research & Tutorials

CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass

Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.

Jul 10, 2025

2 min read
View all blogs