Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
Apple iTunes 8.1.1.10 is vulnerable to a buffer overflow vulnerability when a maliciously crafted URI is sent to the application. The vulnerability can't be exploited simply overwriting a return address on the stack because of stack canary protection. Increasing buffer size leads to SEH overwrite but it seems that the Access Violation needed to get our own Exception Handler called is not always thrown. To increase reliability, the exploit sends two URI to iTunes: the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash) and the 2nd payload fully overwrite SEH to 0wN EIP. Payloads must be encoded in order to obtain pure ASCII printable shellcode. The vulnerability can be triggered from Firefox but not from IE that seems to truncate the long URI.