Apple iTunes 10 Extended M3U Stack Buffer Overflow
Disclosed | Created |
---|---|
Jun 21, 2012 | May 30, 2018 |
Description
This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7.
When opening an extended .m3u file containing an "#EXTINF:" tag description,
iTunes will copy the content after "#EXTINF:" without appropriate checking
from a heap buffer to a stack buffer, writing beyond the stack buffer's boundary,
which allows code execution under the context of the user.
Please note that before using this exploit, you must have precise knowledge of the
victim machine's QuickTime version (if installed), and then select your target
accordingly.
In addition, even though this exploit can be used remotely, you should be aware of
the victim's browser behavior when opening an itms link. For example,
IE/Firefox/Opera by default will ask the user for permission before launching the
itms link in iTunes. Chrome will ask for permission, but also displays a warning.
Safari would be an ideal target, because it will open the link without any
user interaction.
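The copy described above, written with the length check it lacked, as an added example (not iTunes code and not part of the Metasploit module). The 256-byte destination size, the function and enum names, and the sample lines are assumptions made for illustration; the page does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define EXTINF_TAG "#EXTINF:"
#define DESC_MAX 256 /* assumed destination size; the real one is not on the page */

enum extinf_status { EXTINF_OK, EXTINF_NOT_TAG, EXTINF_TOO_LONG };

/* Bug class, for contrast: an unchecked copy such as
 *     strcpy(desc, line + strlen(EXTINF_TAG));
 * into a fixed stack array, where the source length comes from the file. */

/* Copy the text after "#EXTINF:" (up to end of line) into out, which holds
 * out_cap bytes including the terminator. An oversized description is
 * rejected, not truncated, so the caller can log and skip the entry. */
enum extinf_status extinf_copy(const char *line, char *out, size_t out_cap)
{
    size_t tag_len = strlen(EXTINF_TAG);
    size_t n;

    if (out_cap == 0)
        return EXTINF_TOO_LONG;
    out[0] = '\0';
    if (strncmp(line, EXTINF_TAG, tag_len) != 0)
        return EXTINF_NOT_TAG;
    n = strcspn(line + tag_len, "\r\n");
    if (n >= out_cap)               /* no room for n bytes plus the NUL */
        return EXTINF_TOO_LONG;
    memcpy(out, line + tag_len, n);
    out[n] = '\0';
    return EXTINF_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real playlist. */
    const char *lines[] = { "#EXTM3U\n", "#EXTINF:123,Artist - Title\r\n" };
    char desc[DESC_MAX];

    for (size_t i = 0; i < 2; i++)
        printf("%d \"%s\"\n", extinf_copy(lines[i], desc, sizeof desc), desc);
    return 0;
}
```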
Authors
Rh0 rh0@z1p.biz
sinn3r sinn3r@metasploit.com
Platform
Windows
Architectures
x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
