ITunes Reloaded – Getting the Shell

There goes our Information Security

This is part 2 of our previous post about the Itunes exploit for windows.

…little did we know that all the payloads being sent have to be pure AlphaNumeric (printable ASCII). The first thing to do is find a Alphanum friendly return address, which was found at 0x67215e2a

return-address

Execution then gets redirected to our 1st stage payload. Due to buffer size and character set constraints, we do not jump over our return address as would usually be done. Luckily, executing the opcode equivalent of the RET address did not mangle the stack or terminate execution.

We then align the stack to the ECX register in order to set up our encoded payload:

register-align

ECX holds our purely alphanumeric first stage shellcode. This shellcode preforms a near jump, back into our buffer.

The following screenshot shows the decoded jump:

jmp-decoded

We next align EDX to point to the second stage encoded shellcode as can be seen here:

edx-align

Our shellcode now gets decoded. A quick stack alignment is required to “reset” ESP and EBP to the total trashing of the stack state…and we get our shell!

getting-the-shell

Previous Post
ITunes Exploitation Case Study
Next Post
Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

Related Posts

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE