Blog

/

ITunes Reloaded – Getting the Shell

iTunes
Exploit Development

Jun 18, 2009

ITunes Reloaded – Getting the Shell

Exploiting iTunes, part 2

OffSec Team OffSec Team

3 min read

Author: Matteo Memelli

There goes our Information Security

This is part 2 of our previous post about the Itunes exploit for windows.

…little did we know that all the payloads being sent have to be pure AlphaNumeric (printable ASCII). The first thing to do is find a Alphanum friendly return address, which was found at 0x67215e2a

return-address

Execution then gets redirected to our 1st stage payload. Due to buffer size and character set constraints, we do not jump over our return address as would usually be done. Luckily, executing the opcode equivalent of the RET address did not mangle the stack or terminate execution.

We then align the stack to the ECX register in order to set up our encoded payload:

register-align

ECX holds our purely alphanumeric first stage shellcode. This shellcode preforms a near jump, back into our buffer.

The following screenshot shows the decoded jump:

jmp-decoded

We next align EDX to point to the second stage encoded shellcode as can be seen here:

edx-align

Our shellcode now gets decoded. A quick stack alignment is required to “reset” ESP and EBP to the total trashing of the stack state…and we get our shell!

getting-the-shell

Stay in the know: Become an OffSec Insider

Stay in the know: Become an OffSec Insider

Get the latest updates about resources, events & promotions from OffSec!

Latest from OffSec

Research & Tutorials

CVE-2024-39914 – Unauthenticated Command Injection in FOG Project’s export.php

Discover details about CVE-2024-39914, a critical unauthenticated command injection vulnerability in FOG Project ≤ 1.5.10.34. Learn how attackers can exploit export.php to execute system commands or deploy persistent webshells.

Jun 26, 2025

2 min read

OffSec News

What It Really Means to “Try Harder”

Discover how OffSec’s “Try Harder” mantra evolved into a mindset, and how it helps learners build grit, creativity, and real-world problem-solving skills.

Jun 23, 2025

7 min read

Research & Tutorials

CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage

CVE-2025-3248 is a critical RCE vulnerability in Langflow that allows unauthenticated attackers to execute arbitrary Python code via unsanitized input to exec(). Learn how it works and how to protect your system.

Jun 18, 2025

2 min read
View all blogs